OpenAM 16.0.3 JAXB 1.0 generated classes fail on JDK 21 — JAXBContext initialization returns null

[Bisht-Mohit]

Hi,
We are migrating our sso fedlet library to be compatible with JDK 21 and Tomcat 10.x. As part of this migration, we upgraded from OpenAM 14.x to OpenAM 16.0.3 libraries, which are Jakarta-ized (i.e., they use the jakarta.* namespace instead of the old javax.* namespace).

After deploying the updated WAR on a node running JDK 21, the SSO enable test fails with:

HTTP 500 — SP ID null

The Service Provider entity ID is never populated because SAML metadata parsing fails silently during startup. The root cause is that OpenAM 16.0.3 performed a partial Jakarta migration while the API namespace was updated, the generated SAML implementation classes inside openam-saml2-schema-16.0.3.jar are still JAXB 1.0-style code that depends on com.sun.xml.bind.* classes which have been completely removed from JDK 21.

To Reproduce

1. Build the fedlet WAR with OpenAM 16.0.3 libraries(shaded to Jakarta) and Jakarta JAXB 4.x JARs
2. Deploy the required war/jar on a server running JDK 21 and Tomcat 10.x
3. Proceed to the SSO enablement.
4. SSO enable fails with HTTP 500 — SP ID null

Expected behavior
SSO enable should succeed. The SP entity ID should be populated from the SAML metadata, and the SSO configuration wizard should proceed normally through metadata import, SSO enable, and SSO test.

Environment

• OS: CentOS (Linux-based)
• JDK: 21
• Application Server: Tomcat 10.x
• OpenAM Version: 16.0.3 (Jakarta-ized)
• JAXB Version: Jakarta XML Binding 4.0 (jakarta.xml.bind-api-4.0.2.jar, jaxb-runtime-4.0.5.jar)

Additional context

What we changed Library Upgrades
OpenAM Libraries (14.x → 16.x)

The core OpenAM libraries were upgraded from version 14.0.0-M6 to 16.0.3:

Library	Old Version	New Version
openam-saml2-schema	14.0.0-M6	16.0.3
openam-federation-library	14.0.0-M6	16.0.3
openam-shared	14.0.0-M6	16.0.3
openam-certs	14.0.0-M6	16.0.3
openam-i18n	14.0.0-M6	16.0.3
openam-ldap-utils	14.0.0-M6	16.0.3
openam-idpdiscovery	14.0.0-M6	16.0.3
openam-liberty-schema	14.0.0-M6	16.0.3
openam-wsfederation-schema	14.0.0-M6	16.0.3
openam-xacml3-schema	14.0.0-M6	16.0.3
openam-audit-core	14.0.0-M6	16.0.3
openam-audit-context	14.0.0-M6	16.0.3

Old JARs Removed (incompatible with JDK 21)

Removed JAR	Reason
jaxb-api-1.0.6.jar	Old JAXB 1.0 API — replaced by jakarta.xml.bind-api-4.0.2.jar
jaxb-libs-1.0.6.jar	Old JAXB 1.0 libraries — no longer needed
jaxb1-impl-2.0.2.jar	Old JAXB 1.0 RI — replaced by jaxb-runtime-4.0.5.jar
jaxb-xjc-1.0.6.jar	JAXB code generator — not needed at runtime
xmlsec-1.5.6.jar	Apache Santuario 1.x — replaced by xmlsec-3.0.3.jar
activation-1.1.jar	javax.activation — replaced by Jakarta Activation
javax.servlet-api-3.0.1.jar	javax.servlet — provided by Tomcat 10.x (Jakarta Servlet)
webservices-tools-2.1-b16.jar	Old webservices tooling — not needed
webservices-extra-api-2003-09-04.jar	Old webservices API — not needed
webservices-rt-2009-29-07.jar	Old webservices runtime — not needed
webservices-extra-2008-03-12.jar	Old webservices extras — not needed
webservices-api-2009-14-01.jar	Old webservices API — not needed

New JARs Added

New JAR	Purpose
jakarta.xml.bind-api-4.0.2.jar	Jakarta XML Binding API (replaces old jaxb-api)
jaxb-runtime-4.0.5.jar	JAXB 4.x runtime engine
xmlsec-3.0.3.jar	Apache Santuario 3.x (XML Security — replaces xmlsec-1.5.6)

Root Cause Analysis

OpenAM 16.0.3's Jakarta migration is incomplete:

Layer	What OpenAM 16.x did	Status on JDK 21
API namespace	✅ Migrated javax.xml.bind → jakarta.xml.bind	✅ Works
Runtime engine	✅ Uses JAXB 4.0 runtime	✅ Works
Generated impl classes	❌ Still JAXB 1.0 code structure	❌ Broken
JAXB 1.0 RI internals (com.sun.xml.bind.*)	❌ Not bundled	❌ Missing entirely

The generated classes inside openam-saml2-schema-16.0.3.jar still reference old JAXB 1.0 RI classes:

// Inside OpenAM 16.x generated classes (e.g., EntityDescriptorTypeImpl):
public class EntityDescriptorTypeImpl
    implements com.sun.xml.bind.JAXBObject,                    // JAXB 1.0 RI interface
               com.sun.xml.bind.marshaller.IdentifiableObject  // JAXB 1.0 RI interface
{
    private com.sun.xml.bind.util.ListImpl _Any;               // JAXB 1.0 RI class type
}

These com.sun.xml.bind.* classes were completely removed from JDK 21. Additionally, the JAXB 1.0 and 4.x approaches are fundamentally incompatible:

Aspect	JAXB 1.0 (old approach)	JAXB 4.x (new approach)
How it understands XML structure	Generated GrammarInfo classes describe the schema programmatically	Scans Java classes for annotations like @XmlRootElement, @XmlType
What generated classes look like	implements JAXBObject, uses ListImpl, GrammarInfoImpl	Annotated POJOs with @XmlRootElement, @XmlAccessorType

Since OpenAM's generated classes follow the JAXB 1.0 style (no annotations, implements JAXBObject), the JAXB 4.x runtime cannot understand them. It tries to scan for annotations, finds none, and throws an IllegalAnnotationsException. This causes the JAXBContext to remain null, which means all metadata parsing fails silently, and the SP entity ID is never set.

This triggered a cascade of 5 related issues, each discovered after fixing the previous one.

Question
The core issue is that OpenAM 16.0.3's internal SAML classes are still JAXB 1.0-style generated code, but the JAXB 4.x runtime on JDK 21 only supports annotation-based classes. The old JAXB 1.0 RI classes (com.sun.xml.bind.*) that these generated classes depend on have been completely removed from modern JDKs.

How do we fix this incompatibility so that the existing OpenAM 16.x JAXB 1.0-style generated classes can work on JDK 21 with Jakarta XML Binding 4.x, without modifying the OpenAM libraries themselves?

Thanks in advance,
Mohit.

[maximthomas]

Hi @Bisht-Mohit,

Good question. We have plans to migrate to JAXB 4.x.
If you'd like to contribute and submit a PR, it would be greatly appreciated.

[Bisht-Mohit]

Hi @maximthomas,
Thank you for the response. I have a few more queries.

1. JAXB 1.0 / 4.x Incompatibility on JDK 21
   Does this mean the OpenAM 16.x fedlet libraries are currently incompatible with JDK 21 when using Jakarta XML Binding 4.x? Or is there a specific JAXB runtime version or configuration that should be used to make this work?

2. Testing Scope for Tomcat 10.x / 11.x Compatibility
   Referring to discussion(Tomcat - Versions Supported for OpenAM 16.x Deployment #942), it was confirmed that OpenAM 16.x is tested with Tomcat 10.1.x and 11.x with Java LTS versions starting from 11. Looking at the CI build workflow, the test matrix covers Java 11, 17, 21, and 25, and the Docker integration test validates OpenAM server configuration and basic authentication (/json/authenticate).
   Could you clarify:
   Which JAXB runtime JARs are included in the tested deployment specifically, is it Jakarta XML Binding 4.x, or are the older JAXB 1.0 RI JARs still bundled alongside?
   Does the test coverage include SAML 2.0 SP flows (fedlet metadata parsing, SP entity ID resolution, SSO enable)? Our issue surfaces specifically during SAML metadata unmarshalling.

3. JAXB 4.x Migration Roadmap
   Given that the generated schema classes in openam-saml2-schema (and related modules like openam-liberty-schema, openam-wsfederation-schema, openam-xacml3-schema) still follow the JAXB 1.0 code-generation pattern, is there a planned timeline for regenerating these schema classes using JAXB 4.x's xjc tool to produce annotation-based classes natively compatible with the Jakarta XML Binding 4.x runtime?

4. Contributing to the Fix
   We have a strong interest in seeing this issue resolved upstream. If we were to contribute a fix (e.g., regenerating the schema classes with xjc 4.x and updating the corresponding references in openam-federation-library), what would be the recommended contribution process?
   Specifically:
   Is there a contributing guide or coding standards document we should follow?
   Should we open an issue first to discuss the approach before submitting a pull request?
   Could you please provide the environment specifications required to build these JARs? Additionally, is there a README or documentation outlining the build procedure?

Thanks in advance,
Mohit.

[maximthomas]

Hi @Bisht-Mohit,
1 The OpenAM 16.x Fedlet libraries are not compatible with Jakarta XML Binding 4.x.

2.1 The JAXB 1.0 RI JARs are still bundled.
2.2 There are no integration tests for SAML flows, only unit tests.

3 There is no planned timeline yet for the JAXB 4.x migration.

4.1 You can create a pull request and describe the suggested changes.
4.2 The build specification is defined in the following file: https://github.com/OpenIdentityPlatform/OpenAM/blob/master/.github/workflows/build.yml

[rohithjayak]

Hi @maximthomas,
Thank you for the information. We have a few follow-up questions to clarify the next steps:

1. Just to confirm, is there no workaround to make this compatible with JAXB 3.x? Additionally, are there any OpenAM versions currently bundled with a JAXB version other than 1.0?

2. We reviewed the build.yml file, but it doesn't provide a full picture of the build workflow. Is there a README or documentation that outlines the process for cloning the repo, applying changes, and building the OpenAM JARs with JAXB 4.x? Also, could you specify which exact version of JAXB 4.x we should use and anything specific which has to be taken care of?

Thanks in advance,
Rohith

[maximthomas]

Hi @Bisht-Mohit

1. Unfortunately, there is no workaround. And I don't know about version any OpenAM version with JAXB other than 1.0
2. You can also check the main README.md file: https://github.com/OpenIdentityPlatform/OpenAM?tab=readme-ov-file#how-to-build-openam-from-source