JpaSagaStore cannot be used without XStream
See original GitHub issueBasic information
- Axon Framework version: 4.6.1
- JDK version: 11
Steps to reproduce
Create a simple Spring Boot Application using the axon-spring-boot-starter with excluded XStream:
<dependency>
<groupId>org.axonframework</groupId>
<artifactId>axon-spring-boot-starter</artifactId>
<version>4.6.1</version>
<exclusions>
<exclusion>
<groupId>org.axonframework</groupId>
<artifactId>axon-server-connector</artifactId>
</exclusion>
<exclusion>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
</exclusion>
</exclusions>
</dependency>
Make sure that all serializers are set to jackson:
axon.serializer.general=jackson
axon.serializer.events=jackson
axon.serializer.messages=jackson
Create a single saga component.
@Saga
public class MySaga {
}
Expected behaviour
The application starts.
Actual behaviour
The application crashes due to a missing class.
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.axonframework.modelling.saga.repository.jpa.JpaSagaStore]: Factory method ‘sagaStore’ threw exception; nested exception is java.lang.NoClassDefFoundError: com/thoughtworks/xstream/io/HierarchicalStreamDriver at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.22.jar:5.3.22] at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.22.jar:5.3.22] … 64 common frames omitted Caused by: java.lang.NoClassDefFoundError: com/thoughtworks/xstream/io/HierarchicalStreamDriver at org.axonframework.modelling.saga.repository.jpa.JpaSagaStore.builder(JpaSagaStore.java:127) ~[axon-modelling-4.6.1.jar:4.6.1] at org.axonframework.springboot.autoconfig.JpaAutoConfiguration.sagaStore(JpaAutoConfiguration.java:73) ~[axon-spring-boot-autoconfigure-4.6.1.jar:4.6.1] at org.axonframework.springboot.autoconfig.JpaAutoConfiguration$$EnhancerBySpringCGLIB$$9906b0de.CGLIB$sagaStore$2(<generated>) ~[axon-spring-boot-autoconfigure-4.6.1.jar:4.6.1] at org.axonframework.springboot.autoconfig.JpaAutoConfiguration$$EnhancerBySpringCGLIB$$9906b0de$$FastClassBySpringCGLIB$$23b377e4.invoke(<generated>) ~[axon-spring-boot-autoconfigure-4.6.1.jar:4.6.1] at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.22.jar:5.3.22] at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.22.jar:5.3.22] at org.axonframework.springboot.autoconfig.JpaAutoConfiguration$$EnhancerBySpringCGLIB$$9906b0de.sagaStore(<generated>) ~[axon-spring-boot-autoconfigure-4.6.1.jar:4.6.1] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na] at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na] at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.22.jar:5.3.22] … 65 common frames omitted Caused by: java.lang.ClassNotFoundException: com.thoughtworks.xstream.io.HierarchicalStreamDriver at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581) ~[na:na] at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) ~[na:na] at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) ~[na:na] … 77 common frames omitted
Note
This is basically the same issue as in #2364 just with the Saga store.
Issue Analytics
- State:
- Created a year ago
- Comments:7 (7 by maintainers)
Top GitHub Comments
Hi @smcvb,
I tested with the mentioned Snapshot and can confirm that the corresponding tests are now green even with excluded XStream. Thank you for the quick fix.
Hi @smcvb,
To be honest, this is almost a showstopper for us and means that we can use neither Axon 4.6.0 nor 4.6.1. We cannot deliver an application which contains XStream, even if it isn’t used. XStream contains way too many security issues and we classify it as a security risk just by being in the classpath.
I am actually surprised by the low priority, because the same issue regarding the event store (#2364) was classified as priority 1.
Best regards
Nils