Axon 4 XStream configuration
When running my Spring Boot app which includes Axon 4 I see the following in my output console:

Security framework of XStream not initialized, XStream is probably vulnerable.

How do I go about securing the XStream included in Axon 4?

For clarification, I am speaking about how to configure the XStream that Axon 4 uses. I am not certain if this should be done in the YAML file or in one of the Configuration classes. Everywhere I have tried the information detailed in this answer does not affect the XStream configuration and I still get the same warning.

Update: Based on the answers below, this question seems to be twofold. Thanks to the answers below I managed to get this working as follows (based on information posted at this answer):

    // AxonConfig.java
    import com.thoughtworks.xstream.XStream;
    import com.thoughtworks.xstream.security.NoTypePermission;
    import org.axonframework.serialization.Serializer;
    import org.axonframework.serialization.xml.XStreamSerializer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Primary;

    @Configuration
    public class AxonConfig {

        @Bean
        XStream xstream() {
            XStream xstream = new XStream();
            // clear out existing permissions and set own ones
            xstream.addPermission(NoTypePermission.NONE);
            // allow only types whose names match these package wildcards;
            // "java.**" is broad and should be narrowed to what the events actually use
            xstream.allowTypesByWildcard(new String[] {
                    "com.ourpackages.**",
                    "org.axonframework.**",
                    "java.**",
                    "com.thoughtworks.xstream.**"
            });

            return xstream;
        }

        // @Primary makes this the general serializer Axon picks up instead of its default
        @Bean
        @Primary
        public Serializer serializer(XStream xStream) {
            return XStreamSerializer.builder().xStream(xStream).build();
        }
    }

I didn't want to answer my own question as I think Jan got the correct answer combined with Steven pointing to the Spring Boot config.

I am certain I will need to whittle away at the package scopes and will do so in due course. Thanks Jan and Steven for your assistance.

Anorexia answered 22/3, 2019 at 11:25 Comment(0)

This is not Axon specific, check this question for background and solution: Security framework of XStream not initialized, XStream is probably vulnerable

Kish answered 22/3, 2019 at 12:28 Comment(1)
Thanks for this but I am still not certain how / where to make those configuration calls for axon to pick it up. I read this answer previously but couldn't figure out where to put it in the initialization sequence.Anorexia

Jan Galinski is right in that this isn't an Axon specific issue per se. More so a shift within the XStream package. Regardless, the link Jan shares is very valuable.

From there, you can create your own XStream object, instead of using the one the XStreamSerializer creates for you when utilizing Axon. You can then feed that object to the builder() of the XStreamSerializer.

As you are using Spring Boot too, simply having a bean creation function like so would suffice:

import com.thoughtworks.xstream.XStream;
import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.xml.XStreamSerializer;
import org.springframework.context.annotation.Bean;

// The XStream bean passed in should already be configured with a security
// solution (permissions/allowlist); this method only hands it to Axon
@Bean
public Serializer serializer(XStream xStream) {
    return XStreamSerializer.builder().xStream(xStream).build();
}

Hope this helps!

Bizet answered 26/3, 2019 at 8:20 Comment(2)
Thanks for this. Perhaps the way I phrased the question led to the confusion. In hind sight I think it was probably two questions rolled into one. Jan kindly answered the first question and you answered the second question. I understand the XStream serializer is not an Axon library but as it is included in the Axon libraries perhaps it would be a good idea to list the packages that XStream will need access to? The only way I figured this out was run -> fail -> change -> etc. I appreciate that everyone is super busy and thank you for taking the time to point me in the right directionAnorexia
Fair suggestion there Kenneth - I agree there are still improvements to be made in regards to the set up of the XStreamSerializer. I can assure you this is still on AxonIQ's radar.Bizet
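Added example (not code from the question, the answers or the Axon project) putting the two pieces together: an XStream allowlist tighter than the "java.**" wildcard in the asker's update, handed to Axon's XStreamSerializer builder as Bizet describes, with a check that a type outside the allowlist is refused. The package com.example.orders and the OrderPlaced event are assumptions.

```java
package com.example.orders;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import org.axonframework.serialization.SerializedObject;
import org.axonframework.serialization.Serializer;
import org.axonframework.serialization.xml.XStreamSerializer;

public class XStreamAllowlistCheck {

    // Constructed sample event standing in for the application's own event classes.
    public static class OrderPlaced {
        public String orderId;
        public int quantity;
        OrderPlaced(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
    }

    // Deny everything, then allow only what the events are known to contain.
    static XStream securedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // clear all permissions
        xstream.addPermission(NullPermission.NULL);                // null field values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, boxed types
        xstream.allowTypes(new Class[] { String.class });          // String is not a primitive
        xstream.allowTypesByWildcard(new String[] {
                "org.axonframework.**",   // Axon's own message/metadata types
                "com.example.orders.**"   // assumed application package, instead of java.**
        });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = securedXStream();
        Serializer serializer = XStreamSerializer.builder().xStream(xstream).build();

        // Allowed: an event from the allowlisted package round-trips through Axon's serializer.
        SerializedObject<byte[]> serialized = serializer.serialize(new OrderPlaced("o-1", 3), byte[].class);
        OrderPlaced back = serializer.deserialize(serialized);
        System.out.println("round trip ok: " + back.orderId + " x" + back.quantity);

        // Refused: a class outside the allowlist fails before any instance is created.
        try {
            xstream.fromXML("<java.util.HashMap/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

If your events carry collections or maps, add `xstream.allowTypeHierarchy(Collection.class)` (and `Map.class`) rather than reopening `java.**`, so the allowlist stays as narrow as the event model.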
