You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@uima.apache.org by "Jerry Cwiklik (JIRA)" <de...@uima.apache.org> on 2018/02/11 20:07:00 UTC
[jira] [Created] (UIMA-5727) UIMA-DUCC: fix XStream warning msgs
Jerry Cwiklik created UIMA-5727:
-----------------------------------
Summary: UIMA-DUCC: fix XStream warning msgs
Key: UIMA-5727
URL: https://issues.apache.org/jira/browse/UIMA-5727
Project: UIMA
Issue Type: Bug
Components: DUCC
Reporter: Jerry Cwiklik
Assignee: Jerry Cwiklik
Fix For: 2.2.2-Ducc
After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped to stdout when running various ducc things:
"Security framework of XStream not initialized, XStream is probably vulnerable."
Seeing these when running ducc_submit. Also in JD log. The new XStream is configured by default to run without security but dumps the above every time xml serialization/deserialization is done. All is working fine except for these warning msgs.
The simplest way to fix that is to override XStream defaults and to whitelist everything. I actually tried that by changing XStreamUtils and DuccEventHttpDispatcherCl. No more annoying msgs.
Perhaps a better (more secure way) is to white list specific classes/packages when serializing/deserializing ducc msgs. This may take time to get it right. We need to list all types which are allowed including java classes. I think we only serialize DUCC classes (event classes) + java primitives + java collections (Map, Lists, etc)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)