uima-dev mailing list archives

From "Jerry Cwiklik (JIRA)" <...@uima.apache.org>
Subject [jira] [Closed] (UIMA-5727) UIMA-DUCC: fix XStream warning msgs
Date Mon, 12 Feb 2018 21:19:00 GMT

     [ https://issues.apache.org/jira/browse/UIMA-5727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry Cwiklik closed UIMA-5727.
-------------------------------
    Resolution: Fixed

Modified to reset xstream to avoid warning msgs on stdout

> UIMA-DUCC: fix XStream warning msgs
> -----------------------------------
>
>                 Key: UIMA-5727
>                 URL: https://issues.apache.org/jira/browse/UIMA-5727
>             Project: UIMA
>          Issue Type: Bug
>          Components: DUCC
>            Reporter: Jerry Cwiklik
>            Assignee: Jerry Cwiklik
>            Priority: Major
>             Fix For: 2.2.2-Ducc
>
>
> After upgrading xstream to 1.4.10 (bundled with AMQ 5.15.2) msgs are dumped to stdout when running various ducc things:
> "Security framework of XStream not initialized, XStream is probably vulnerable."
> Seeing these when running ducc_submit. Also in JD log. The new XStream is configured by default to run without security but dumps the above every time xml serialization/deserialization is done. All is working fine except for these warning msgs.
> The simplest way to fix that is to override XStream defaults and to whitelist everything. I actually tried that by changing XStreamUtils and DuccEventHttpDispatcherCl. No more annoying msgs.
> Perhaps a better (more secure way) is to white list specific classes/packages when serializing/deserializing ducc msgs. This may take time to get it right. We need to list all types which are allowed including java classes. I think we only serialize DUCC classes (event classes) + java primitives + java collections (Map, Lists, etc)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
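
The two options discussed in the issue, shown side by side as an added example (not DUCC's code and not part of the original message). It assumes XStream 1.4.10 or later on the classpath; `SampleEvent` and the `com.example.events` package pattern are hypothetical stand-ins for the DUCC event classes.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;

public class XStreamAllowlistDemo {
    // Hypothetical stand-in for a DUCC event class; not a real DUCC type.
    public static class SampleEvent {
        String jobId = "42";
        List<String> nodes = new ArrayList<>(Arrays.asList("node-a", "node-b"));
    }

    // "Whitelist everything": the warning goes away, but any class on the
    // classpath can still be instantiated from incoming XML.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    // Deny by default, then allow only what the messages are expected to carry.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from nothing
        xs.addPermission(NullPermission.NULL);                // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and wrappers
        xs.allowTypes(new Class[] {String.class, SampleEvent.class});
        xs.allowTypeHierarchy(Collection.class);              // List, Set, ...
        xs.allowTypeHierarchy(Map.class);
        // Whole packages: xs.allowTypesByWildcard(new String[] {"com.example.events.**"});
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = allowlisted();
        SampleEvent back = (SampleEvent) xs.fromXML(xs.toXML(new SampleEvent()));
        System.out.println("round trip ok: " + back.jobId + " " + back.nodes);
        try {   // constructed input naming a type that is not on the allowlist
            xs.fromXML("<date>2018-02-12 21:19:00.0 UTC</date>");
            System.out.println("unexpected: unlisted type accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Permissions added later are consulted first, so `NoTypePermission.NONE` has to be registered before the allow rules.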
