You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@uima.apache.org by "Jerry Cwiklik (JIRA)" <de...@uima.apache.org> on 2018/02/11 20:07:00 UTC

[jira] [Created] (UIMA-5727) UIMA-DUCC: fix XStream warning msgs

Jerry Cwiklik created UIMA-5727:
-----------------------------------

             Summary: UIMA-DUCC: fix XStream warning msgs
                 Key: UIMA-5727
                 URL: https://issues.apache.org/jira/browse/UIMA-5727
             Project: UIMA
          Issue Type: Bug
          Components: DUCC
            Reporter: Jerry Cwiklik
            Assignee: Jerry Cwiklik
             Fix For: 2.2.2-Ducc


After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped to stdout when running various ducc things:

"Security framework of XStream not initialized, XStream is probably vulnerable."

Seeing these when running ducc_submit. Also in JD log. The new XStream is configured by default  to run without security but dumps the above every time xml serialization/deserialization is done. All is working fine except for these warning msgs.

The simplest way to fix that is to override XStream defaults and to whitelist everything. I actually tried that by changing XStreamUtils and DuccEventHttpDispatcherCl. No more annoying msgs.

Perhaps a better (more secure way) is to white list specific classes/packages when serializing/deserializing ducc msgs. This may take time to get it right. We need to list all types which are allowed including java classes. I think we only serialize DUCC classes (event classes) + java primitives + java collections (Map, Lists, etc)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)