diff --git a/build.gradle.kts b/build.gradle.kts
index 6f1cc3951..148376f79 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -392,6 +392,9 @@ allprojects {
                 options.encoding = "UTF-8"
             }
             withType<Test>().configureEach {
+                if (JavaVersion.current() >= JavaVersion.VERSION_23) {
+                    jvmArgs("-Djava.security.manager=allow")
+                }
                 testLogging {
                     exceptionFormat = TestExceptionFormat.FULL
                     showStandardStreams = true
diff --git a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java
index 123f82170..c5f5e1039 100644
--- a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java
+++ b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java
@@ -33,7 +33,13 @@ public DoAsAvaticaHttpClient(AvaticaHttpClient wrapped, KerberosConnection kerbe
     this.kerberosUtil = Objects.requireNonNull(kerberosUtil);
   }
 
-  @Override public byte[] send(final byte[] request) {
+  // Subject.doAs is deprecated and does not work in JDK23+ unless the (also deprecated)
+  // SecurityManager is enabled. However, the replacement API is not available in JDK8,
+  // so as a workaround we require enabling the securityManager on JDK23+.
+  // Also see https://issues.apache.org/jira/browse/CALCITE-6590 and https://openjdk.org/jeps/411
+  // This class is used with Hadoop, which has the same issue.
+  @Override @SuppressWarnings("removal")
+  public byte[] send(final byte[] request) {
     return Subject.doAs(kerberosUtil.getSubject(), new PrivilegedAction<byte[]>() {
       @Override public byte[] run() {
         return wrapped.send(request);
diff --git a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java
index 03857d8e4..42c2c5fa4 100644
--- a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java
+++ b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java
@@ -133,6 +133,13 @@ public static void writeSpnegoConf(File configFile, File serverKeytab)
     }
   }
 
+  // Subject.doAs is deprecated and does not work in JDK23+ unless the (also deprecated)
+  // SecurityManager is enabled. However, the replacement API is not available in JDK8,
+  // so as a workaround we require enabling the securityManager on JDK23+.
+  // Also see https://issues.apache.org/jira/browse/CALCITE-6590 and https://openjdk.org/jeps/411
+  // We add the "-Djava.security.manager=allow" cli option for tests when running with JDK23+
+  // so that this keeps working.
+  @SuppressWarnings("removal")
   public static void refreshJaasConfiguration() {
     // This is *extremely* important to make sure we get the right Configuration instance.
     // Configuration keeps a static instance of Configuration that it will return once it