Drop support for GraalVM/Mandrel 21.1

(cherry picked from commit 3891e6a)

core/deployment/src/main/java/io/quarkus/deployment/builditem/EnableAllSecurityServicesBuildItem.java

@@ -2,6 +2,10 @@
 
 import io.quarkus.builder.item.MultiBuildItem;
 
+/**
+ * @deprecated {@code --enable-all-security-services} was removed in GraalVM 21.1 https://github.com/oracle/graal/pull/3258
+ */
+@Deprecated
 public final class EnableAllSecurityServicesBuildItem extends MultiBuildItem {
 
 }

core/deployment/src/main/java/io/quarkus/deployment/pkg/NativeConfig.java

@@ -35,8 +35,11 @@ public class NativeConfig {
 
     /**
      * If all security services should be added to the native image
+     *
+     * @deprecated {@code --enable-all-security-services} was removed in GraalVM 21.1 https://github.com/oracle/graal/pull/3258
      */
     @ConfigItem
+    @Deprecated
     public boolean enableAllSecurityServices;
 
     /**

core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/GraalVM.java

@@ -11,7 +11,6 @@ static final class Version implements Comparable<Version> {
                 "(GraalVM|native-image)( Version)? ([1-9][0-9]*)\\.([0-9]+)\\.[0-9]+(-dev\\p{XDigit}*)?([^\n$]*)\\s*");
 
         static final Version UNVERSIONED = new Version("Undefined", -1, -1, Distribution.ORACLE);
-        static final Version VERSION_21_1 = new Version("GraalVM 21.1", 21, 1, Distribution.ORACLE);
         static final Version VERSION_21_2 = new Version("GraalVM 21.2", 21, 2, Distribution.ORACLE);
         static final Version VERSION_21_3 = new Version("GraalVM 21.3", 21, 3, Distribution.ORACLE);
 

core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildStep.java

@@ -551,7 +551,6 @@ public Builder setNativeImageName(String nativeImageName) {
             public NativeImageInvokerInfo build() {
                 List<String> nativeImageArgs = new ArrayList<>();
                 boolean enableSslNative = false;
-                boolean enableAllSecurityServices = nativeConfig.enableAllSecurityServices;
                 boolean inlineBeforeAnalysis = nativeConfig.inlineBeforeAnalysis;
                 boolean addAllCharsets = nativeConfig.addAllCharsets;
                 boolean enableHttpsUrlHandler = nativeConfig.enableHttpsUrlHandler;
@@ -564,7 +563,10 @@ public NativeImageInvokerInfo build() {
                                 + " Please consider removing this configuration key as it is ignored (JNI is always enabled) and it"
                                 + " will be removed in a future Quarkus version.");
                     } else if (prop.getKey().equals("quarkus.native.enable-all-security-services") && prop.getValue() != null) {
-                        enableAllSecurityServices |= Boolean.parseBoolean(prop.getValue());
+                        log.warn(
+                                "Your application is setting the deprecated 'quarkus.native.enable-all-security-services' configuration key."
+                                        + " Please consider removing this configuration key as it is ignored and it"
+                                        + " will be removed in a future Quarkus version.");
                     } else if (prop.getKey().equals("quarkus.native.enable-all-charsets") && prop.getValue() != null) {
                         addAllCharsets |= Boolean.parseBoolean(prop.getValue());
                     } else if (prop.getKey().equals("quarkus.native.inline-before-analysis") && prop.getValue() != null) {
@@ -588,7 +590,6 @@ public NativeImageInvokerInfo build() {
 
                 if (enableSslNative) {
                     enableHttpsUrlHandler = true;
-                    enableAllSecurityServices = true;
                 }
 
                 handleAdditionalProperties(nativeConfig, nativeImageArgs, isContainerBuild, outputDir);
@@ -654,10 +655,6 @@ public NativeImageInvokerInfo build() {
                 if (!protocols.isEmpty()) {
                     nativeImageArgs.add("-H:EnableURLProtocols=" + String.join(",", protocols));
                 }
-                if (enableAllSecurityServices && graalVMVersion.isOlderThan(GraalVM.Version.VERSION_21_1)) {
-                    // This option was removed in GraalVM 21.1 https://github.com/oracle/graal/pull/3258
-                    nativeImageArgs.add("--enable-all-security-services");
-                }
                 if (inlineBeforeAnalysis) {
                     if (graalVMVersion.isOlderThan(GraalVM.Version.VERSION_21_3)) {
                         // Enabled by default in GraalVM >= 21.3
@@ -707,21 +704,17 @@ public NativeImageInvokerInfo build() {
                     nativeImageArgs.add("-H:+DashboardAll");
                 }
 
-                if (graalVMVersion.isNewerThan(GraalVM.Version.VERSION_21_1)) {
-                    // AdditionalSecurityProviders
-                    if (nativeImageSecurityProviders != null && !nativeImageSecurityProviders.isEmpty()) {
-                        String additionalSecurityProviders = nativeImageSecurityProviders.stream()
-                                .map(p -> p.getSecurityProvider())
-                                .collect(Collectors.joining(","));
-                        nativeImageArgs.add("-H:AdditionalSecurityProviders=" + additionalSecurityProviders);
-                    }
+                if (nativeImageSecurityProviders != null && !nativeImageSecurityProviders.isEmpty()) {
+                    String additionalSecurityProviders = nativeImageSecurityProviders.stream()
+                            .map(p -> p.getSecurityProvider())
+                            .collect(Collectors.joining(","));
+                    nativeImageArgs.add("-H:AdditionalSecurityProviders=" + additionalSecurityProviders);
+                }
 
-                    // --exclude-config options
-                    for (ExcludeConfigBuildItem excludeConfig : excludeConfigs) {
-                        nativeImageArgs.add("--exclude-config");
-                        nativeImageArgs.add(excludeConfig.getJarFile());
-                        nativeImageArgs.add(excludeConfig.getResourceName());
-                    }
+                for (ExcludeConfigBuildItem excludeConfig : excludeConfigs) {
+                    nativeImageArgs.add("--exclude-config");
+                    nativeImageArgs.add(excludeConfig.getJarFile());
+                    nativeImageArgs.add(excludeConfig.getResourceName());
                 }
 
                 nativeImageArgs.add(nativeImageName);

docs/src/main/asciidoc/native-and-ssl.adoc

@@ -61,14 +61,14 @@ It's not. The magic happens when building the native executable:
 
 [source]
 ----
-[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] /opt/graalvm/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dcom.sun.xml.internal.bind.v2.bytecode.ClassTailor.noOptimize=true -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime -jar rest-client-1.0.0-SNAPSHOT-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 -H:+PrintAnalysisCallTree -H:EnableURLProtocols=http,https --enable-all-security-services -H:-SpawnIsolates -H:+JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace
+[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] /opt/graalvm/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dcom.sun.xml.internal.bind.v2.bytecode.ClassTailor.noOptimize=true -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime -jar rest-client-1.0.0-SNAPSHOT-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 -H:+PrintAnalysisCallTree -H:EnableURLProtocols=http,https -H:-SpawnIsolates -H:+JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace
 ----
 
 The important elements are these 3 options that were automatically added by Quarkus:
 
 [source,bash]
 ----
--H:EnableURLProtocols=http,https --enable-all-security-services -H:+JNI
+-H:EnableURLProtocols=http,https -H:+JNI
 ----
 
 They enable the native SSL support for your native executable.

extensions/infinispan-client/README.MD

@@ -82,12 +82,6 @@ java cacerts file.
 
 The keystore is configured via hotrod-client.properties file located in META-INF.
 
-#### Configure your project to allow security services
-
-You (currently) need to enable all security services in Substrate
-(https://github.com/oracle/graal/blob/master/substratevm/JCASecurityServices.md). This can be done by adding
-`<enableAllSecurityServices>true</enableAllSecurityServices>` to the quarkus-maven-plugin configuration values.
-
 ### Authentication
 
 DIGEST_MD5, PLAIN, EXTERNAL were all tested to work.

extensions/jsch/deployment/src/main/java/io/quarkus/jsch/deployment/JSchProcessor.java

@@ -2,19 +2,13 @@
 
 import io.quarkus.deployment.Feature;
 import io.quarkus.deployment.annotations.BuildStep;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeInitializedClassBuildItem;
 import io.quarkus.jsch.runtime.PortWatcherRunTime;
 
 class JSchProcessor {
 
-    @BuildStep
-    EnableAllSecurityServicesBuildItem enableAllSecurityServices() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep
     ExtensionSslNativeSupportBuildItem sslNativeSupport() {
         return new ExtensionSslNativeSupportBuildItem(Feature.JSCH);

extensions/oidc-client-filter/deployment/src/main/java/io/quarkus/oidc/client/filter/deployment/OidcClientFilterBuildStep.java

@@ -6,7 +6,6 @@
 import io.quarkus.deployment.Feature;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.oidc.client.deployment.OidcClientBuildStep.IsEnabled;
@@ -27,11 +26,6 @@ FeatureBuildItem featureBuildItem() {
         return new FeatureBuildItem(Feature.OIDC_CLIENT_FILTER);
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep(onlyIf = IsEnabled.class)
     void registerProvider(BuildProducer<AdditionalBeanBuildItem> additionalBeans,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClass,

extensions/oidc-client-reactive-filter/deployment/src/main/java/io/quarkus/oidc/client/reactive/filter/deployment/OidcClientReactiveFilterBuildStep.java

@@ -5,7 +5,6 @@
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.builditem.AdditionalIndexedClassesBuildItem;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.oidc.client.deployment.OidcClientBuildStep.IsEnabled;
@@ -18,11 +17,6 @@ FeatureBuildItem featureBuildItem() {
         return new FeatureBuildItem(Feature.OIDC_CLIENT_REACTIVE_FILTER);
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep(onlyIf = IsEnabled.class)
     void registerProvider(BuildProducer<AdditionalBeanBuildItem> additionalBeans,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClass,

extensions/oidc-client/deployment/src/main/java/io/quarkus/oidc/client/deployment/OidcClientBuildStep.java

@@ -25,7 +25,6 @@
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
 import io.quarkus.deployment.builditem.ApplicationArchivesBuildItem;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeInitializedClassBuildItem;
@@ -54,11 +53,6 @@ FeatureBuildItem featureBuildItem() {
         return new FeatureBuildItem(Feature.OIDC_CLIENT);
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep(onlyIf = IsEnabled.class)
     ExtensionSslNativeSupportBuildItem enableSslInNative() {
         return new ExtensionSslNativeSupportBuildItem(Feature.OIDC_CLIENT);

extensions/oidc-token-propagation/deployment/src/main/java/io/quarkus/oidc/token/propagation/deployment/OidcTokenPropagationBuildStep.java

@@ -8,7 +8,6 @@
 import io.quarkus.deployment.Feature;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.oidc.token.propagation.AccessToken;
@@ -32,11 +31,6 @@ FeatureBuildItem featureBuildItem() {
         return new FeatureBuildItem(Feature.OIDC_TOKEN_PROPAGATION);
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep(onlyIf = IsEnabled.class)
     void registerProvider(BuildProducer<AdditionalBeanBuildItem> additionalBeans,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClass,

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -21,7 +21,6 @@
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
@@ -80,11 +79,6 @@ public void additionalBeans(BuildProducer<AdditionalBeanBuildItem> additionalBea
         additionalBeans.produce(builder.build());
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     @BuildStep(onlyIf = IsEnabled.class)
     ExtensionSslNativeSupportBuildItem enableSslInNative() {
         return new ExtensionSslNativeSupportBuildItem(Feature.OIDC);

extensions/smallrye-jwt/deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtProcessor.java

@@ -26,7 +26,6 @@
 import io.quarkus.deployment.Feature;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
-import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageResourceBuildItem;
@@ -64,11 +63,6 @@ ExtensionSslNativeSupportBuildItem enableSslInNative() {
         return new ExtensionSslNativeSupportBuildItem(Feature.SMALLRYE_JWT);
     }
 
-    @BuildStep(onlyIf = IsEnabled.class)
-    EnableAllSecurityServicesBuildItem security() {
-        return new EnableAllSecurityServicesBuildItem();
-    }
-
     /**
      * Register the CDI beans that are needed by the MP-JWT extension
      *

integration-tests/bouncycastle-fips-jsse/pom.xml

@@ -125,7 +125,6 @@
             </activation>
             <!-- add some custom config, the rest comes from parent -->
             <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
             </properties>
         </profile>

integration-tests/bouncycastle-jsse/pom.xml

@@ -116,7 +116,6 @@
             </activation>
             <!-- add some custom config, the rest comes from parent -->
             <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
             </properties>
         </profile>

integration-tests/elytron-security-jdbc/pom.xml

@@ -112,7 +112,6 @@
             </activation>
             <!-- add some custom config, the rest comes from parent -->
             <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
             </properties>
         </profile>

integration-tests/elytron-security-ldap/pom.xml

@@ -95,7 +95,6 @@
             </activation>
             <!-- add some custom config, the rest comes from parent -->
             <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
             </properties>
         </profile>

integration-tests/elytron-undertow/src/main/resources/application.properties

@@ -13,5 +13,4 @@ quarkus.http.ssl.certificate.file=target/server-cert.pem
 quarkus.http.ssl.certificate.key-file=target/server-key.pem
 # Test that server starts with this option
 # See https://github.com/quarkusio/quarkus/issues/8336
-quarkus.http.insecure-requests=disabled
-quarkus.native.enable-all-security-services=true
+quarkus.http.insecure-requests=disabled

integration-tests/kafka-avro-apicurio2/pom.xml

@@ -273,19 +273,6 @@
                 </plugins>
             </build>
         </profile>
-
-        <profile>
-            <id>native-image</id>
-            <activation>
-                <property>
-                    <name>native</name>
-                </property>
-            </activation>
-            <!-- add some custom config, the rest comes from parent -->
-            <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
-            </properties>
-        </profile>
     </profiles>
 
 </project>

integration-tests/kafka-avro/pom.xml

@@ -280,19 +280,6 @@
                 </plugins>
             </build>
         </profile>
-
-        <profile>
-            <id>native-image</id>
-            <activation>
-                <property>
-                    <name>native</name>
-                </property>
-            </activation>
-            <!-- add some custom config, the rest comes from parent -->
-            <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
-            </properties>
-        </profile>
     </profiles>
 
 </project>

integration-tests/kafka-devservices/pom.xml

@@ -215,19 +215,6 @@
                 </plugins>
             </build>
         </profile>
-
-        <profile>
-            <id>native-image</id>
-            <activation>
-                <property>
-                    <name>native</name>
-                </property>
-            </activation>
-            <!-- add some custom config, the rest comes from parent -->
-            <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
-            </properties>
-        </profile>
     </profiles>
 
 </project>

integration-tests/kafka-sasl/pom.xml

@@ -220,19 +220,6 @@
                 </plugins>
             </build>
         </profile>
-
-        <profile>
-            <id>native-image</id>
-            <activation>
-                <property>
-                    <name>native</name>
-                </property>
-            </activation>
-            <!-- add some custom config, the rest comes from parent -->
-            <properties>
-                <quarkus.native.enable-all-security-services>true</quarkus.native.enable-all-security-services>
-            </properties>
-        </profile>
     </profiles>
 
 </project>