
Warning about XStream after upgrading Axon version


Basic information

  • Axon Framework version: 4.5.9
  • JDK version: 17
  • Kafka extension version: 4.5.3
  • Spring boot version: 2.6.6

After upgrading the Axon version from 4.5.3 to 4.5.9, we are getting the console warning "An unsecured XStream instance allowing all types is used. It is strongly recommended to set the security context yourself instead.", even though we don't use XStream; we use Jackson instead.

Steps to reproduce

In application.properties we set the general serializer to Jackson: axon.serializer.general=jackson

Setting the serializer using a Spring Boot configuration class didn't help. Code used for this:

import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.json.JacksonSerializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SerializerConfiguration {

   // Registers Jackson as the application's Serializer bean instead of XStream.
   @Bean
   public Serializer defaultSerializer() {
      return JacksonSerializer.defaultSerializer();
   }
}

I have also tried to create an XStream bean, but it also didn't help:

import com.thoughtworks.xstream.XStream;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AxonConfig {

    // XStream instance whose security context only allows our own packages.
    @Bean
    public XStream xStream() {
        XStream xStream = new XStream();
        xStream.allowTypesByWildcard(new String[] {
                "our.package.**"
        });
        return xStream;
    }
}

Expected behaviour

Application up and running without any warnings.

Actual behaviour

Warning when starting application:

2022-04-12 15:39:18.300 WARN [dealer-command-server,,] 34196 --- [ main] o.a.serialization.xml.XStreamSerializer : An unsecured XStream instance allowing all types is used. It is strongly recommended to set the security context yourself instead!
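Added example (not code from the issue, Axon or the Kafka extension): a Spring configuration that does what the warning asks, building an XStream with an explicit type allowlist and handing it to Axon's XStreamSerializer builder through its xStream(...) method, so the framework never has to create its default allow-all instance. The package name is a placeholder, and it is assumed the application uses XStream as its general serializer.

```java
import com.thoughtworks.xstream.XStream;
import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.xml.XStreamSerializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example: an XStream instance with an explicit allowlist, handed to
 * Axon's XStreamSerializer so the serializer is never built on the framework's
 * "allow all types" fallback that produces the warning in the issue.
 */
@Configuration
public class SecuredXStreamConfig {

    @Bean
    public XStream xStream() {
        XStream xStream = new XStream();
        // XStream 1.4.18+ rejects every type that is not explicitly permitted
        // (ForbiddenClassException at unmarshal time), so only the packages
        // that actually appear in serialized payloads are opened up.
        // "our.package" is a placeholder for the application's own packages;
        // extend the list with any other types your payloads contain.
        xStream.allowTypesByWildcard(new String[] {
                "our.package.**"
        });
        return xStream;
    }

    @Bean
    public Serializer defaultSerializer(XStream xStream) {
        // Supplying the pre-configured instance means Axon does not construct
        // its own default XStream, so no "unsecured XStream" warning is logged
        // and deserialization stays limited to the allowlist above.
        return XStreamSerializer.builder()
                                .xStream(xStream)
                                .build();
    }
}
```

With the Kafka extension version listed in the issue the extension still builds its own default serializer at startup, so this bean alone does not silence the warning until the lazy-serializer change from the linked pull request is released.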

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

2 reactions
lfgcampos commented, Apr 26, 2022

Hi @Corke123, I believe the fix we pushed to https://github.com/AxonFramework/extension-kafka/pull/280 should solve your problem.

By making the serializer lazy, we should not start XStream automatically but only if you don't provide your own Serializer. By doing so, the initialization message/warn should not pop up anymore.

Keep an eye out for the next extension-kafka release and let us know if that indeed fixed the problem for you!

KR

1 reaction
ivansenic commented, Oct 3, 2022

Sorry, completely forgot to share: it works now. I am not sure if it's the last released version or the one before that I tested with, but anyway the issue does not exist anymore.
