An illegal reflective access operation has occurred when using Java 11 with ForgeRock products
The purpose of this article is to provide assistance if you encounter the "An illegal reflective access operation has occurred" warning when using ForgeRock products with Java® 11. This issue affects AM 6.5.x, DS 6.5.x, IDM 6.5.x and IG 6.5.x; Java Agent 5.6.x, 5.7.x, 5.8.x, 5.9.x and 5.10.x.
Symptoms
You will see the "An illegal reflective access operation has occurred" warning when installing and using AM (including Amster and ssoadm tools), Java Agents, DS, IDM and IG. The two lines that follow this warning vary depending on which product you are using and what you were doing at the time it occurred.
Here are some examples of the warnings you will see, by product:
- AM:
  WARNING: An illegal reflective access operation has occurred
  WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/path/to/tomcat/webapps/am/WEB-INF/lib/groovy-2.4.6.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
  WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
  WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
  WARNING: All illegal access operations will be denied in a future release
- Java Agent:
  WARNING: An illegal reflective access operation has occurred
  WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/tmp/5.6.0/java/java_agents/tomcat_agent/lib/jee-agents-installtools-5.6.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
  WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1
  WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
  WARNING: All illegal access operations will be denied in a future release
- DS:
  WARNING: An illegal reflective access operation has occurred
  WARNING: Illegal reflective access by org.opends.server.util.Platform$PlatformIMPL (file:/path/to/ds/lib/opendj.jar) to constructor sun.security.tools.keytool.CertAndKeyGen(java.lang.String,java.lang.String)
  WARNING: Please consider reporting this to the maintainers of org.opends.server.util.Platform$PlatformIMPL
  WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
  WARNING: All illegal access operations will be denied in a future release
- IDM:
  WARNING: An illegal reflective access operation has occurred
  WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/path/to/idm/bin/felix.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
  WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
  WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
  WARNING: All illegal access operations will be denied in a future release
Recent Changes
- Upgraded to Java 11.
- Installed AM 6.5.x, DS 6.5.x, IDM 6.5.x or IG 6.5.x with Java 11.
- Installed Java Agent 5.6.x with Java 11.
Causes
These warnings occur when using Groovy 2.x with Java 11 but are fixed in Groovy 3.
For reference, these known issues are:
- GROOVY-8339 (Fix warning "An illegal reflective access operation has occurred")
- GROOVY-8843 (Fix illegal reflective access within o.c.g.vmplugin.v7.Java7)
- GROOVY-9103 (CLONE - CLONE - Fix warning "An illegal reflective access operation has occurred")
Whenever you use functionality that accesses Groovy scripting, you will see these warnings.
Additionally, there is a similar compatibility issue with Felix: FELIX-5765 (An illegal reflective access operation has occurred).
Solution
These messages can be safely ignored because they do not impact the use or functionality of ForgeRock products. However, if you do not want to see them, you can do one of the following:
- Use Groovy 3.x.
- Allowlist these warnings.
- Downgrade Java to JDK 1.8.
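Before ignoring or suppressing these warnings, it is worth confirming that every illegal reflective access in a log comes from one of the components shown in the Symptoms section. The following Python script is an added example, not ForgeRock code: the function names, the KNOWN_ACCESSORS set (copied from the example warnings above) and the sample log are constructed for illustration.

```python
import re

# Accessor classes copied from the example warnings in this article.
KNOWN_ACCESSORS = {
    "org.codehaus.groovy.vmplugin.v7.Java7$1",
    "org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1",
    "org.opends.server.util.Platform$PlatformIMPL",
    "org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender",
}

# "Illegal reflective access by <class> (<code source>) to <kind> <member>"
PATTERN = re.compile(
    r"WARNING: Illegal reflective access by (?P<accessor>\S+)"
    r"(?: \((?P<source>[^)]*)\))? to (?P<kind>\w+) (?P<target>.+?)\s*$"
)

# Constructed sample log: two warnings from this article plus one made-up
# accessor (com.example.plugin.CustomLoader) that the article does not cover.
SAMPLE_LOG = """\
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.opends.server.util.Platform$PlatformIMPL (file:/path/to/ds/lib/opendj.jar) to constructor sun.security.tools.keytool.CertAndKeyGen(java.lang.String,java.lang.String)
WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/path/to/idm/bin/felix.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Illegal reflective access by com.example.plugin.CustomLoader (file:/path/to/custom-plugin.jar) to field java.lang.String.value
"""


def parse_illegal_access(lines):
    """Return one dict (accessor, source, kind, target) per warning line."""
    return [m.groupdict() for m in map(PATTERN.search, lines) if m]


def triage(lines, known=KNOWN_ACCESSORS):
    """Split findings into (expected, unexpected) by accessor class."""
    expected, unexpected = [], []
    for finding in parse_illegal_access(lines):
        (expected if finding["accessor"] in known else unexpected).append(finding)
    return expected, unexpected


if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOG.splitlines())
    print(f"{len(expected)} expected, {len(unexpected)} to investigate")
    for f in unexpected:
        print(f"  {f['accessor']} [{f['source']}] -> {f['kind']} {f['target']}")
```

As the warning text itself states, only the first access is reported unless the JVM is started with --illegal-access=warn, so collect the log with that option set before running the check.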
See Also
SSLHandshakeException or ClassCastException when using an HSM and Java 11 with ForgeRock products
Related Issue Tracker IDs
OPENIDM-11765 (Warnings on startup when using embedded DS repo with Java 11)
OPENDJ-5664 (JDK 11: illegal reflective access warning during import-ldif)
OPENDJ-5663 (JDK 11: illegal reflective access warning on setup (without profile))
OPENDJ-5660 (JDK 11: illegal reflective access warning on setup (with profile))
AMAGENTS-2616 (Java agent installer makes warning messages when JDK 11 is used)