Consider any custom security provider as potentially loading JUL

mcculls · mcculls · commit 5abbcdeb5cf3 · 2025-01-28T13:31:32.000Z
diff --git a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java
@@ -1348,23 +1348,22 @@ private static String ddGetEnv(final String sysProp) {
   }
 
   private static boolean okHttpMayIndirectlyLoadJUL() {
-    if (isIBMSASLInstalled() || isACCPInstalled()) {
-      return true; // 'IBMSASL' and 'ACCP' crypto providers can load JUL when OkHttp accesses TLS
+    if (isCustomSecurityProviderInstalled() || isIBMSASLInstalled()) {
+      return true; // custom security providers may load JUL when OkHttp accesses TLS
     }
     if (isJavaVersionAtLeast(9)) {
       return false; // JDKs since 9 have reworked JFR to use a different logging facility, not JUL
     }
     return isJFRSupported(); // assume OkHttp will indirectly load JUL via its JFR events
   }
 
-  private static boolean isIBMSASLInstalled() {
-    return ClassLoader.getSystemResource("com/ibm/security/sasl/IBMSASL.class") != null;
+  private static boolean isCustomSecurityProviderInstalled() {
+    return ClassLoader.getSystemResource("META-INF/services/java.security.Provider") != null;
   }
 
-  private static boolean isACCPInstalled() {
-    return ClassLoader.getSystemResource(
-            "com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.class")
-        != null;
+  private static boolean isIBMSASLInstalled() {
+    // need explicit check as this is installed without using the service-loader mechanism
+    return ClassLoader.getSystemResource("com/ibm/security/sasl/IBMSASL.class") != null;
   }
 
   private static boolean isJFRSupported() {

Original file line number	Diff line number	Diff line change
`@@ -1348,23 +1348,22 @@ private static String ddGetEnv(final String sysProp) {`
`1348`	`1348`	`}`
`1349`	`1349`
`1350`	`1350`	`private static boolean okHttpMayIndirectlyLoadJUL() {`
`1351`		`- if (isIBMSASLInstalled() \|\| isACCPInstalled()) {`
`1352`		`- return true; // 'IBMSASL' and 'ACCP' crypto providers can load JUL when OkHttp accesses TLS`
	`1351`	`+ if (isCustomSecurityProviderInstalled() \|\| isIBMSASLInstalled()) {`
	`1352`	`+ return true; // custom security providers may load JUL when OkHttp accesses TLS`
`1353`	`1353`	`}`
`1354`	`1354`	`if (isJavaVersionAtLeast(9)) {`
`1355`	`1355`	`return false; // JDKs since 9 have reworked JFR to use a different logging facility, not JUL`
`1356`	`1356`	`}`
`1357`	`1357`	`return isJFRSupported(); // assume OkHttp will indirectly load JUL via its JFR events`
`1358`	`1358`	`}`
`1359`	`1359`
`1360`		`- private static boolean isIBMSASLInstalled() {`
`1361`		`- return ClassLoader.getSystemResource("com/ibm/security/sasl/IBMSASL.class") != null;`
	`1360`	`+ private static boolean isCustomSecurityProviderInstalled() {`
	`1361`	`+ return ClassLoader.getSystemResource("META-INF/services/java.security.Provider") != null;`
`1362`	`1362`	`}`
`1363`	`1363`
`1364`		`- private static boolean isACCPInstalled() {`
`1365`		`- return ClassLoader.getSystemResource(`
`1366`		`- "com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.class")`
`1367`		`- != null;`
	`1364`	`+ private static boolean isIBMSASLInstalled() {`
	`1365`	`+ // need explicit check as this is installed without using the service-loader mechanism`
	`1366`	`+ return ClassLoader.getSystemResource("com/ibm/security/sasl/IBMSASL.class") != null;`
`1368`	`1367`	`}`
`1369`	`1368`
`1370`	`1369`	`private static boolean isJFRSupported() {`