uima-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jerry Cwiklik (JIRA)" <...@uima.apache.org>
Subject [jira] [Created] (UIMA-5727) UIMA-DUCC: fix XStream warning msgs
Date Sun, 11 Feb 2018 20:07:00 GMT
Jerry Cwiklik created UIMA-5727:
-----------------------------------

             Summary: UIMA-DUCC: fix XStream warning msgs
                 Key: UIMA-5727
                 URL: https://issues.apache.org/jira/browse/UIMA-5727
             Project: UIMA
          Issue Type: Bug
          Components: DUCC
            Reporter: Jerry Cwiklik
            Assignee: Jerry Cwiklik
             Fix For: 2.2.2-Ducc


After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped to stdout when
running various ducc things:

"Security framework of XStream not initialized, XStream is probably vulnerable."

Seeing these when running ducc_submit. Also in JD log. The new XStream is configured by default 
to run without security but dumps the above every time xml serialization/deserialization is
done. All is working fine except for these warning msgs.

The simplest way to fix that is to override XStream defaults and to whitelist everything.
I actually tried that by changing XStreamUtils and DuccEventHttpDispatcherCl. No more annoying
msgs.

Perhaps a better (more secure way) is to white list specific classes/packages when serializing/deserializing
ducc msgs. This may take time to get it right. We need to list all types which are allowed
including java classes. I think we only serialize DUCC classes (event classes) + java primitives
+ java collections (Map, Lists, etc)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message