This document describes the Shibboleth project's policy with regard to the many different available distributions of the Java Development Kit used to develop and deploy the project's Java products.
The audience for this document is the project itself; its purpose is to specify the level of testing given to each distribution during the development and release of new versions of the products, and to indicate the level of support provided to deployers relying on each distribution.
Deployers will find that the Requirements section of the documentation for each product will be more suitable to their needs than this document, which inlcudes many technical details relevant only to developers.
Each version of the Java SE Development Kit (JDK) required to build or run Java software from the Shibboleth Project is available from several distribution sources. Different distributions of the same JDK may be licensed under different terms, may be built from different source trees, or may incorporate patches specific to that distribution. This document serves to collate information about different JDK distributions, and to indicate how each is treated by the Shibboleth Project.
For a given Product Platform, one distribution is designated as the primary distribution and is used by the Shibboleth Project as its reference:
The primary distribution will be used for building product artifacts.
The primary distribution is the basis for most of the continuous integration testing we perform (e.g., the standard, -nightly and -site jobs in Jenkins).
Specific distributions are fully supported for use with the software. This means:
The community may report bugs with the expectation that we can attempt to reproduce and investigate problems related to this distribution.
Members of the Shibboleth Consortium may request technical support related to this distribution.
Each such distribution will also be tested as part of the Jenkins -multi jobs. For distributions provided by operating system vendors, this regular testing may be userspace-only (e.g., within a container) if the project does not maintain a permanent machine or VM running that specific operating system.
The project will maintain the ability to replicate the complete environment, including operating system at the VM level, for debugging purposes.
Additional distributions may be partially supported for use with the software. This means:
The community may file bugs but may commonly be expected to reproduce unusual or esoteric problems on a fully supported distribution before further investigation takes place.
Members of the Shibboleth Consortium may request technical support related to this distribution.
Such distributions may be tested as above but possibly with reduced regularity or completeness.
The project may have lesser ongoing ability to replicate the complete environment but will do so when necessary to support Consortium members reporting issues.
Further distributions will be tested at the project's discretion as part of the Jenkins -multi jobs. The purpose of this testing is to make the project aware of potential incompatibilities in advance of any requirement to address them.
The following specific distributions, and any others not covered above, are neither tested nor supported:
Any distribution of Java 9, Java 10, Java 12 through Java 16
Any distribution of the Java JRE (as opposed to the JDK)
When not specified:
Reference to a specific version of a Java distribution should be taken to refer to the most recent generally available release. For example, a reference to Java 11 at the time of writing refers to 11.0.3; previous versions (11, 11.0.1, 11.0.2) are not tested and not supported.
Reference to a specific version of an operating system should be taken to refer to the most recent generally available release.
Reference to a generic operating system ("Linux", "Windows") should be taken to mean that we will test under a specific version of the operating system (currently CentOS 7 for Linux, Windows Server 2016) but believe that such testing will be representative of similar systems as long as they are reasonably recent. "Linux", for example, would cover any reasonably recent operating system distribution incorporating a Linux kernel, but not FreeBSD.
Only 64-bit variants of the JDK are covered.
Only 64-bit Intel architecture variants (amd64, also known as x86_64) of operating systems are covered.
Java Distributions for the Java 11 Platform
The Java 11 Platform is used by:
Identity Provider v4.x
Metadata Aggregator v0.10 and v1.0.
The primary distribution for this platform is Amazon Corretto 11 for Linux.
The following distributions are fully supported:
Amazon Corretto 11 for Linux
Amazon Corretto 11 for Windows
Amazon Corretto 17 for Linux
Amazon Corretto 17 for Windows
Red Hat's OpenJDK 11 for Linux as supplied under Red Hat Enterprise Linux 7 or CentOS 7
Red Hat's OpenJDK 11 for Linux as supplied under Red Hat Enterprise Linux 8 or Rocky Linux 8
Red Hat’s OpenJDK 17 for Linux as supplied under Red Hat Enterprise Linux 8 or Rocky Linux 8
The following distributions are partially supported:
Debian's OpenJDK 11 as supplied under Debian 10 "buster"
Debian’s OpenJDK 11 as supplied under Debian 11 “bullseye”
We will also test the following, although they are not supported:
Any Oracle OpenJDK builds currently available from jdk.java.net which are in the early access "Rampdown Phase One" phase or later. Note that we will not necessarily always test the most recent build of these versions, given the high frequency of release. (currently: none)
We no longer test against recent non-LTS versions of Java, as they are incompatible with the version of Spring Framework used.
Rationale by Distribution
This section discusses each distribution so as to give a brief rationale for its level of support.
We have historically recommended the use of Oracle's "standard" JDK on all platforms. Prior to Java 8, one reason for this was that some deployers have had problems with the OpenJDK implementations shipped by various vendors, including memory leaks.
Since that time, however, two important changes mean that we no longer take this position:
A licensing change means that although Oracle's JDK releases are still available for free use by developers, they are no longer free for production use.
Note that this situation has again changed as of Java 17, for which Oracle have introduced a new free Java license.
The Oracle JDK and OpenJDK code bases have come much closer together, such that we no longer anticipate large functional differences between the two.
As a result, we no longer anticipate that the majority of our deployers will go to production using Oracle's product, and it therefore makes less sense for us to regard it as the "canonical" version of Java in production. At least for our customers, that is now more likely to be some flavour of OpenJDK.
Oracle produces OpenJDK builds through the early development phases of each new version of Java. As these provide the best available indication of the contents of the new version, we test these builds as part of our long term support of the evolution of Java, but we do not support these builds for production use.
Note that Oracle OpenJDK builds only exist during the early access stage of a new release to around six months after general availability. After this time, Oracle ceases OpenJDK builds and the previous ones are no longer available.
Amazon Corretto provides builds of both OpenJDK 8 and OpenJDK 11 for our two most important deployment platforms (Linux and Windows) in both "real installer" and "tarball" packages. This makes it a good distribution for us to recommend to our deployers. In addition, they provide similar builds for macOS, which is important to several of us as developers.
The Corretto documentation provides information about the specific patches applied by Amazon to the upstream generic OpenJDK release, which provides a reassuring level of transparency.
There is no cost to use Amazon Corretto in production. It is used internally by Amazon for its own services.
We have selected Corretto as the current best all-round Java distribution for our own use, and for our deployers.
Red Hat have a critical role in the JDK updates projects for both Java 8 and Java 11. They provide only two OpenJDK builds themselves, however: for Red Hat Enterprise Linux, and for Windows.
We anticipate that Red Hat's "vendor" OpenJDK distribution for their own Red Hat Enterprise Linux will be used by many of our deployers simply because of the convenience factor. We therefore support the use of Red Hat's OpenJDK distributions in this context.
We do not support Red Hat's OpenJDK releases for Windows at this time, and we do not test against them.
OpenJDK 8 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 7+) until May 2026.
OpenJDK 11 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 7+) until October 2024.
OpenJDK 17 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 8.5+) until October 2027.
Red Hat Enterprise Linux “Rebuilds”
There are several Linux distributions available which purport to be direct “bug for bug” rebuilds of versions of Red Hat Enterprise Linux. In general, these behave identically to the upstream RHEL release but we have on occasion noted differences between them, in particular in the timing of availability of a particular OpenJDK release to each distribution. This means that, given the variety available, we are unable to fully support all RHEL rebuild distributions. We do fully support one specific rebuild distribution counterpart for each supported RHEL release:
As a counterpart to RHEL 7, we fully support CentOS 7.
As a counterpart to RHEL 8, we fully support Rocky Linux 8.
Debian 9, also known as "stretch", the “oldoldstable” release at 2021-08-23, ships a vendor-supplied OpenJDK 8 only. This is partially supported for the Java 7 platform and IdP v3, but is obviously ineligible for any support for the Java 11 platform and IdP v4.
Note, however, that Amazon Corretto 11 is fully supported under Linux generically and is available in .deb packaging. It may therefore be suitable for deployers using Debian 9 but we do not test this specific combination.
Debian 10, also known as "buster", the “oldstable” release at 2021-08-23, ships a vendor-supplied OpenJDK 11 only. This is partially supported for both the Java 11 platform and IdP v4, and for the Java 7 platform and IdP v3.