Issue with x-stream where com.thoughtworks.xstream.security.ForbiddenClassException is thrown
Basic information
- Axon Framework version: 4.6.0
- JDK version: 17
- Complete executable reproducer if available (e.g. GitHub Repo): video-series-app
Steps to reproduce
Start my project on version 1.4.19 of x-stream and you’ll find this exception:
query_1 | com.thoughtworks.xstream.security.ForbiddenClassException: org.jesperancinha.video.core.events.AddSeriesEvent
query_1 | at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26) ~[xstream-1.4.19.jar!/:1.4.19]
query_1 | at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74) ~[xstream-1.4.19.jar!/:1.4.19]
query_1 | at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125) ~[xstream-1.4.19.jar!/:1.4.19]
query_1 | at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47) ~[xstream-1.4.19.jar!/:1.4.19]
query_1 | at org.axonframework.serialization.AbstractXStreamSerializer.classForType(AbstractXStreamSerializer.java:170) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1 | at org.axonframework.serialization.LazyDeserializingObject.<init>(LazyDeserializingObject.java:83) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1 | at org.axonframework.eventhandling.EventUtils.lambda$upcastAndDeserializeTrackedEvents$1(EventUtils.java:107) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1 | at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
query_1 | at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
query_1 | at org.axonframework.eventsourcing.eventstore.BatchingEventStorageEngine$EventStreamSpliterator.tryAdvance(BatchingEventStorageEngine.java:289) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1 | at java.base/java.util.Spliterator.forEachRemaining(Spliterator.java:332) ~[na:na]
query_1 | at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[na:na]
query_1 | at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[na:na]
query_1 | at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) ~[na:na]
query_1 | at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) ~[na:na]
query_1 | at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]
query_1 | at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596) ~[na:na]
query_1 | at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.fetchData(EmbeddedEventStore.java:254) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1 | at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.run(EmbeddedEventStore.java:220) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1 | at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.access$2800(EmbeddedEventStore.java:198) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1 | at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore.lambda$ensureProducerStarted$0(EmbeddedEventStore.java:147) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1 | at java.base/java.lang.Thread.run(Thread.java:1589) ~[na:na]
query_1 |
Expected behaviour
I do not want forbidden classes in my project
Actual behaviour
x-stream tries to forbid everything and nothing gets serialized. Someone else opened an issue about this same issue on the x-stream repository here: "1.4.18 version breaking JMapper with com.thoughtworks.xstream.security.ForbiddenClassException: com.googlecode.jmapper.xml.beans.XmlJmapper" (#270). However they say that they have a clear documentation about this, which I checked, but the documentation says nothing about how this should work with other frameworks like Axon or Spring and so I don’t know how to fix this at the moment. I reverted the changes for the x-stream update back to 1.4.17. Anything above will conflict with Axon.
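For reference, an added example that is not part of the original issue or of the Axon project's code: the stack trace ends in NoTypePermission, meaning the XStream instance has no types allowed, so deserialization works again once the application's own event package is explicitly allowed on the XStream instance given to Axon's XStreamSerializer. The package example.events and the class SampleEvent are constructed stand-ins for org.jesperancinha.video.core.events and its events; the pattern is kept to that one package rather than opened up with AnyTypePermission.

```java
// Added example. Assumes xstream 1.4.18+ and axon-messaging 4.6.x on the classpath.
package example.events; // constructed package, stands in for the project's event package

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.xml.XStreamSerializer;

public class XStreamAllowlistDemo {

    // Constructed stand-in for an event class such as AddSeriesEvent.
    public static class SampleEvent {
        public String name = "demo";
    }

    // XStream that only deserializes types from the application's event package.
    static XStream allowlistedXStream() {
        XStream xStream = new XStream();
        xStream.allowTypesByWildcard(new String[] {"example.events.**"});
        return xStream;
    }

    // Serializer to hand to Axon; how it is registered (for instance as a
    // Spring bean) depends on the application and is an assumption here.
    static Serializer axonSerializer() {
        return XStreamSerializer.builder()
                .xStream(allowlistedXStream())
                .build();
    }

    public static void main(String[] args) {
        // Serialization is not restricted; only reading XML back is checked.
        String xml = new XStream().toXML(new SampleEvent());

        try {
            // Default instance on 1.4.18+: no type permissions configured.
            new XStream().fromXML(xml);
            System.out.println("default XStream accepted the type");
        } catch (ForbiddenClassException e) {
            System.out.println("default XStream rejected: " + e.getMessage());
        }

        Object event = allowlistedXStream().fromXML(xml);
        System.out.println("allowlisted XStream read: " + event.getClass().getName());
        System.out.println("Axon serializer built: " + axonSerializer().getClass().getSimpleName());
    }
}
```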
Issue Analytics
- Created a year ago
- Comments:9 (5 by maintainers)
Top GitHub Comments
Hi there @smcvb, thanks so much for the detailed explanation and suggestions. I was already thinking about removing XStream because none of the issues I’m facing with this are related to the goal of my project at all. I will change the project to use an alternative to Mongo and I will try to use your JacksonSerializer. I really have no reason to keep using XStream at all and JDK17 is really something that I want to keep using. I will not spend any more time trying to get XStream to work with my project at the moment because it’s already clear to me that it will be very difficult to get it to work with JDK17, if possible at all.

Of course, @jesperancinha, glad to help you out here. 😃 I’m confident that moving towards the JacksonSerializer will solve your issues. If they do not, or if you face other issues around this topic, be sure to reach out!!