Getting error "unable to find LoginModule class: com.ibm.security.auth.module.JAASLoginModule" #30

Closed
sshuklao opened this issue Jun 23, 2022 · 7 comments

Comments

@sshuklao

We are getting below error when creating Spark context.

Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.ibm.security.auth.module.JAASLoginModule
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794) ~[?:1.8.0_332]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_332]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_332]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_332]
	at java.security.AccessController.doPrivileged(AccessController.java:783) ~[?:1.8.0_332]
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_332]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_332]

Java Version :

openjdk version “1.8.0_332”
IBM Semeru Runtime Open Edition (build 1.8.0_332-b09)
Eclipse OpenJ9 VM (build openj9-0.32.0, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20220422_370 (JIT enabled, AOT enabled)
OpenJ9   - 9a84ec34e
OMR      - ab24b6666
JCL      - 0b8b8af39a based on jdk8u332-b09)
@pshipton
Member

com.ibm.security.auth.module.JAASLoginModule is a class found in IBM Java 8, not Semeru. Likely the app is incorrectly identifying the JVM as IBM Java 8 based on the "java.vendor" and assuming the class will be present. The app needs to be corrected to distinguish between IBM Java 8 and Semeru. In the meantime, see #22 (comment)

@krismarc

krismarc commented Jun 5, 2023

Hi @pshipton,

There's some inconsistency in the java.vendor naming used across the Semeru runtimes. I've just checked all LTS open versions available on GitHub. It seems it's not a general change between Java 11 and 17.

while read line ; do rm -fr * ; curl -L "$line" -s | tar -xz --one-top-level=java --strip-components 1 ; ./java/bin/java -XshowSettings:properties -version 2>&1 | grep "java.vendor.[=,v]" ; done < <(curl -L -H "$auth" "https://api.github.com/repos/ibmruntimes/semeru17-binaries/releases" -s | jq -r '.[].assets[].browser_download_url' | grep "open-jre.*x64_linux.*tar.gz$")
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.7.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.6.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.5.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.4.1
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.4.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.3.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.2.0
    java.vendor = IBM Corporation
    java.vendor.version = 17.0.1.0
    java.vendor = IBM Corporation
while read line ; do rm -fr * ; curl -L "$line" -s | tar -xz --one-top-level=java --strip-components 1 ; ./java/bin/java -XshowSettings:properties -version 2>&1 | grep "java.vendor.[=,v]" ; done < <(curl -L -H "$auth" "https://api.github.com/repos/ibmruntimes/semeru11-binaries/releases" -s | jq -r '.[].assets[].browser_download_url' | grep "open-jre.*x64_linux.*tar.gz$")
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.19.0
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.18.0
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.17.0
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.16.1
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.16.0
    java.vendor = IBM Corporation
    java.vendor.version = 11.0.15.0
    java.vendor = International Business Machines Corporation
    java.vendor.version = 11.0.14.1
    java.vendor = International Business Machines Corporation
    java.vendor.version = 11.0.14.0
    java.vendor = International Business Machines Corporation
    java.vendor.version = 11.0.13.0
while read line ; do rm -fr * ; curl -L "$line" -s | tar -xz --one-top-level=java --strip-components 1 ; ./java/bin/java -XshowSettings:properties -version 2>&1 | grep "java.vendor.[=,v]\|java.version" ; done < <(curl -L -H "$auth" "https://api.github.com/repos/ibmruntimes/semeru8-binaries/releases" -s | jq -r '.[].assets[].browser_download_url' | grep "open-jre.*x64_linux.*tar.gz$")
   java.vendor = IBM Corporation
   java.version = 1.8.0_372
   java.vendor = IBM Corporation
   java.version = 1.8.0_362
   java.vendor = IBM Corporation
   java.version = 1.8.0_352
   java.vendor = IBM Corporation
   java.version = 1.8.0_352
   java.vendor = IBM Corporation
   java.version = 1.8.0_345
   java.vendor = IBM Corporation
   java.version = 1.8.0_345
   java.vendor = IBM Corporation
   java.version = 1.8.0_332
   java.vendor = International Business Machines Corporation
   java.version = 1.8.0_322
   java.vendor = International Business Machines Corporation

This means only old versions of Java 8 and Java 11 were using the long IBM name (International Business Machines Corporation).

If you don't mind, please take a look at my issue with the MSSQL JDBC driver:
microsoft/mssql-jdbc#2139

It seems like a similar story to the one you had with the db2 driver: #22

Actually, the MSSQL JDBC driver is just checking if java.vendor starts with "IBM*"
https://github.com/microsoft/mssql-jdbc/blob/7e476f4d22a9667a722c60d295519f9a1a30b1dc/src/main/java/com/microsoft/sqlserver/jdbc/Util.java#L51
https://github.com/microsoft/mssql-jdbc/blob/7e476f4d22a9667a722c60d295519f9a1a30b1dc/src/main/java/com/microsoft/sqlserver/jdbc/JaasConfiguration.java#L30

...If not, then the com.sun.* libs are used for Kerberos authentication. This means that with old Java 11 Semeru versions Kerberos login worked because "International Business Machines Corporation" didn't meet the condition, and after that change it fails because no module is found:
javax.security.auth.login.LoginException (No LoginModule found for com.ibm.security.auth.module.Krb5LoginModule)
...so since this name change was introduced, the driver has been trying to use the com.ibm.* libs.

@krismarc

krismarc commented Jun 5, 2023

> com.ibm.security.auth.module.JAASLoginModule is a class found in IBM Java 8, not Semeru. Likely the app is incorrectly identifying the JVM as IBM Java 8 based on the "java.vendor" and assuming the class will be present. The app needs to be corrected to distinguish between IBM Java 8 and Semeru. In the meantime, see #22 (comment)

So, if my understanding is correct, the MSSQL JDBC driver maintainers shouldn't just check if the vendor name starts with IBM*. They should rather check if it's a Semeru runtime and use the com.sun.* libs in that case instead?

@pshipton
Member

pshipton commented Jun 5, 2023

The long name was used in some old releases as a temporary workaround for the problem, which was only needed in jdk8 and jdk11. The temporary workaround expired and the java.vendor was updated to the expected value "IBM Corporation". It's still possible, using the workaround I provided, to modify the java.vendor so that apps which make assumptions based on java.vendor can work.

> MSSQL jdbc driver maintainers shouldn't just check if the vendor name starts with IBM*. They should rather check if it's Semeru runtime and use com.sun.* libs in that case instead?

Correct.

@krismarc

krismarc commented Jun 5, 2023

Thank you for the quick response! Well, the workaround looks good. However, if there's anything else that relies on the actual value then it could become broken. Their approach of relying on a substring of this value also looks bad to me.
Would you mind giving them some advice on this in my issue microsoft/mssql-jdbc#2139?

@krismarc

krismarc commented Jun 5, 2023

Just to mention the impact to anyone else who's going to check this topic.
If an application migrates from any Semeru version lower than 11.0.14.1 to a higher 11+ or any 17 and uses the MSSQL JDBC driver with Kerberos authentication, then it will fail with javax.security.auth.login.LoginException (No LoginModule found for com.ibm.security.auth.module.Krb5LoginModule)

@pshipton
Member

pshipton commented Jun 5, 2023

> Would you mind to give them any advice on this in my issue microsoft/mssql-jdbc#2139?

microsoft/mssql-jdbc#2139 (comment)
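
The direction discussed in this thread, sketched as an added example (not code from mssql-jdbc, Semeru, or any participant): choose the Kerberos login module by testing whether the class can be loaded, instead of testing the `java.vendor` prefix. The class name `ProbingKrb5Configuration` is hypothetical, and the module options are assumptions for a ticket-cache login.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Hypothetical JAAS configuration that selects the Krb5 login module by capability. */
public class ProbingKrb5Configuration extends Configuration {
    static final String IBM_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";
    static final String SUN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** True only if this runtime can actually load the class (no initialization). */
    static boolean isLoadable(String className) {
        try {
            Class.forName(className, false, ProbingKrb5Configuration.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** The check described in the thread: any vendor starting with "IBM" gets the IBM module. */
    static String byVendorPrefix(String javaVendor) {
        return javaVendor.startsWith("IBM") ? IBM_MODULE : SUN_MODULE;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // Present on IBM Java 8, absent on Semeru: fall back to com.sun.* when it cannot load.
        String module = isLoadable(IBM_MODULE) ? IBM_MODULE : SUN_MODULE;
        Map<String, String> options = new HashMap<>();
        if (module.equals(IBM_MODULE)) {
            options.put("useDefaultCcache", "true");   // assumed option set for the IBM module
        } else {
            options.put("useTicketCache", "true");     // assumed option set for the com.sun module
            options.put("doNotPrompt", "true");
        }
        return new AppConfigurationEntry[] {new AppConfigurationEntry(
            module, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
    }

    public static void main(String[] args) {
        // The two java.vendor strings reported in this thread.
        for (String v : new String[] {"IBM Corporation", "International Business Machines Corporation"}) {
            System.out.println(v + " -> prefix check picks " + byVendorPrefix(v));
        }
        String probed = new ProbingKrb5Configuration().getAppConfigurationEntry("demo")[0].getLoginModuleName();
        System.out.println(System.getProperty("java.vendor") + " -> probe picks " + probed);
    }
}
```

On a Semeru runtime reporting "IBM Corporation", the prefix check selects the missing com.ibm.* module while the probe selects the com.sun.* one.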
