Issue with x-stream where com.thoughtworks.xstream.security.ForbiddenClassException is thrown

Basic information

  • Axon Framework version: 4.6.0
  • JDK version: 17
  • Complete executable reproducer if available (e.g. GitHub Repo): video-series-app

Steps to reproduce

Start my project on version 1.4.19 of x-stream and you’ll find this exception:

query_1     | com.thoughtworks.xstream.security.ForbiddenClassException: org.jesperancinha.video.core.events.AddSeriesEvent
query_1     |   at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26) ~[xstream-1.4.19.jar!/:1.4.19]
query_1     |   at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74) ~[xstream-1.4.19.jar!/:1.4.19]
query_1     |   at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125) ~[xstream-1.4.19.jar!/:1.4.19]
query_1     |   at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47) ~[xstream-1.4.19.jar!/:1.4.19]
query_1     |   at org.axonframework.serialization.AbstractXStreamSerializer.classForType(AbstractXStreamSerializer.java:170) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1     |   at org.axonframework.serialization.LazyDeserializingObject.<init>(LazyDeserializingObject.java:83) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1     |   at org.axonframework.eventhandling.EventUtils.lambda$upcastAndDeserializeTrackedEvents$1(EventUtils.java:107) ~[axon-messaging-4.6.0.jar!/:4.6.0]
query_1     |   at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
query_1     |   at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
query_1     |   at org.axonframework.eventsourcing.eventstore.BatchingEventStorageEngine$EventStreamSpliterator.tryAdvance(BatchingEventStorageEngine.java:289) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1     |   at java.base/java.util.Spliterator.forEachRemaining(Spliterator.java:332) ~[na:na]
query_1     |   at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[na:na]
query_1     |   at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[na:na]
query_1     |   at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) ~[na:na]
query_1     |   at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) ~[na:na]
query_1     |   at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]
query_1     |   at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596) ~[na:na]
query_1     |   at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.fetchData(EmbeddedEventStore.java:254) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1     |   at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.run(EmbeddedEventStore.java:220) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1     |   at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore$EventProducer.access$2800(EmbeddedEventStore.java:198) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1     |   at org.axonframework.eventsourcing.eventstore.EmbeddedEventStore.lambda$ensureProducerStarted$0(EmbeddedEventStore.java:147) ~[axon-eventsourcing-4.6.0.jar!/:4.6.0]
query_1     |   at java.base/java.lang.Thread.run(Thread.java:1589) ~[na:na]
query_1     | 

Expected behaviour

I do not want forbidden classes in my project

Actual behaviour

x-stream tries to forbid everything and nothing gets serialized. Someone else opened an issue about this same issue on the x-stream repository here: "1.4.18 version breaking JMapper with com.thoughtworks.xstream.security.ForbiddenClassException: com.googlecode.jmapper.xml.beans.XmlJmapper" (#270). However they say that they have clear documentation about this, which I checked, but the documentation says nothing about how this should work with other frameworks like Axon or Spring and so I don’t know how to fix this at the moment. I reverted the changes for the x-stream update back to 1.4.17. Anything above will conflict with Axon.

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 9 (5 by maintainers)
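
An added example, not part of the original issue and not Axon's or XStream's own code: XStream 1.4.18 and later reject every type that has no explicit permission, so the code below allowlists the event package and hands that restricted instance to Axon's XStreamSerializer. The `demo.events` package, the class names and the sample event are constructed; it assumes XStream 1.4.18+ and axon-messaging 4.6 on the classpath and that Axon's own types need the `org.axonframework.**` entry. For the project in the trace the event pattern would be `org.jesperancinha.video.core.events.**`.

```java
package demo.events; // hypothetical package for this demo

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.xml.XStreamSerializer;

public class XStreamAllowlistDemo {

    // Constructed stand-in for an application event such as AddSeriesEvent in the trace.
    public static class AddSeriesEvent {
        String id = "1";
        String name = "constructed sample";
    }

    // Grant permissions only for the packages whose types are actually stored.
    // Avoid AnyTypePermission: it restores the unrestricted deserialization
    // that the allowlist default was introduced to stop.
    static XStream allowlisted(String... wildcards) {
        XStream xstream = new XStream();
        xstream.allowTypesByWildcard(wildcards);
        return xstream;
    }

    // True if the payload deserializes, false if the security framework rejects a type.
    static boolean canRead(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) return false;
            }
            throw e; // some other failure: do not hide it
        }
    }

    // Pass the restricted instance to Axon explicitly.
    static Serializer axonSerializer(XStream xstream) {
        return XStreamSerializer.builder().xStream(xstream).build();
    }

    public static void main(String[] args) {
        String xml = new XStream().toXML(new AddSeriesEvent()); // writing is not permission-checked
        System.out.println("default instance reads event: " + canRead(new XStream(), xml));
        XStream strict = allowlisted("demo.events.**", "org.axonframework.**");
        System.out.println("allowlisted instance reads event: " + canRead(strict, xml));
        axonSerializer(strict); // register this Serializer in the Axon configuration
    }
}
```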

Top GitHub Comments

1 reaction
jesperancinha commented, Sep 19, 2022

Hi there @smcvb, thanks so much for the detailed explanation and suggestions. I was already thinking about removing XStream because none of the issues I’m facing with this are related to the goal of my project at all. I will change the project to use an alternative to Mongo and I will try to use your JacksonSerializer. I really have no reason to keep using XStream at all and JDK17 is really something that I want to keep using. I will not spend any more time trying to get XStream to work with my project at the moment because it’s already clear to me that it will be very difficult to get it to work with JDK17, if possible at all.

0 reactions
smcvb commented, Sep 20, 2022

Of course, @jesperancinha, glad to help you out here. 😃 I’m confident that moving towards the JacksonSerializer will solve your issues. If they do not, or if you face other issues around this topic, be sure to reach out!!
