[
https://issues.apache.org/jira/browse/UIMA-5727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jerry Cwiklik closed UIMA-5727.
-------------------------------
Resolution: Fixed
Modified to reset xstream to avoid warning msgs on stdout
> UIMA-DUCC: fix XStream warning msgs
> -----------------------------------
>
> Key: UIMA-5727
> URL: https://issues.apache.org/jira/browse/UIMA-5727
> Project: UIMA
> Issue Type: Bug
> Components: DUCC
> Reporter: Jerry Cwiklik
> Assignee: Jerry Cwiklik
> Priority: Major
> Fix For: 2.2.2-Ducc
>
>
> After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped
> to stdout when running various ducc things:
> "Security framework of XStream not initialized, XStream is probably
> vulnerable."
> Seeing these when running ducc_submit. Also in JD log. The new XStream is
> configured by default to run without security but dumps the above every time
> xml serialization/deserialization is done. All is working fine except for
> these warning msgs.
> The simplest way to fix that is to override XStream defaults and to whitelist
> everything. I actually tried that by changing XStreamUtils and
> DuccEventHttpDispatcherCl. No more annoying msgs.
> Perhaps a better (more secure way) is to white list specific classes/packages
> when serializing/deserializing ducc msgs. This may take time to get it right.
> We need to list all types which are allowed including java classes. I think
> we only serialize DUCC classes (event classes) + java primitives + java
> collections (Map, Lists, etc)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
