[ https://issues.apache.org/jira/browse/UIMA-5727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry Cwiklik closed UIMA-5727.
-------------------------------
    Resolution: Fixed

Modified to reset xstream to avoid warning msgs on stdout

> UIMA-DUCC: fix XStream warning msgs
> -----------------------------------
>
>                 Key: UIMA-5727
>                 URL: https://issues.apache.org/jira/browse/UIMA-5727
>             Project: UIMA
>          Issue Type: Bug
>          Components: DUCC
>            Reporter: Jerry Cwiklik
>            Assignee: Jerry Cwiklik
>            Priority: Major
>             Fix For: 2.2.2-Ducc
>
>
> After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped 
> to stdout when running various ducc things:
> "Security framework of XStream not initialized, XStream is probably 
> vulnerable."
> Seeing these when running ducc_submit. Also in JD log. The new XStream is 
> configured by default to run without security but dumps the above every time 
> xml serialization/deserialization is done. All is working fine except for 
> these warning msgs.
> The simplest way to fix that is to override XStream defaults and to whitelist 
> everything. I actually tried that by changing XStreamUtils and 
> DuccEventHttpDispatcherCl. No more annoying msgs.
> Perhaps a better (more secure) way is to whitelist specific classes/packages 
> when serializing/deserializing ducc msgs. This may take time to get it right. 
> We need to list all types which are allowed including java classes. I think 
> we only serialize DUCC classes (event classes) + java primitives + java 
> collections (Map, Lists, etc)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
