A default XStreamSerializer is used for events, without specifying the security context

Configure Security Context in Spring Boot with the MongoDB Extension…

I get the following WARN and cannot figure out how to configure the Security Context

2022-02-06 14:36:37.485  WARN 23153 --- [           main] o.a.e.e.AbstractEventStorageEngine       : The default XStreamSerializer is used for events, whereas it is strongly recommended to configure the security context of the XStream instance.

org.axonframework.common.AxonConfigurationException: A default XStreamSerializer is used for events, without specifying the security context
...
...
2022-02-06 14:36:37.486  WARN 23153 --- [           main] o.a.e.e.AbstractEventStorageEngine       : The default XStreamSerializer is used for snapshots, whereas it is strongly recommended to configure the security context of the XStream instance.

org.axonframework.common.AxonConfigurationException: A default XStreamSerializer is used for snapshots, without specifying the security context
	at org.axonframework.eventsourcing.eventstore.AbstractEventStorageEngine$Builder.validate(AbstractEventStorageEngine.java:369) ~[axon-eventsourcing-4.5.8.jar:4.5.8]
	
// Axon Extensions MongoDb
implementation("org.axonframework.extensions.mongo:axon-mongo:4.5")

GitHub > https://github.com/marzelwidmer/kboot-axon/tree/axon_mongodb_extension

Is this the way to go?

    // Bean method from my Spring configuration: Jackson for events and snapshots
    @Bean
    fun storageEngine(client: MongoClient?): EventStorageEngine? {
        return MongoEventStorageEngine.builder()
            .eventSerializer(
                JacksonSerializer.builder()
                    .defaultTyping()
                    .build()
            )
            .snapshotSerializer(
                JacksonSerializer.builder()
                    .defaultTyping()
                    .build()
            )
            .mongoTemplate(
                DefaultMongoTemplate
                    .builder()
                    .mongoDatabase(client)
                    .build()
            ).build()
    }

I was trying to configure it like


axon:
  serializer:
    general: jackson
    messages: jackson
    events: jackson

But this was not working…

Hello and welcome to the Axon community @c3smonkey!

It is a known issue. My recommendation is to secure the XStream instead of switching to Jackson. You can do so by configuring the classes it has access to. Here is an adapted example from a demo app I have. First, create a SecureXStreamSerializer:

import com.thoughtworks.xstream.XStream;
import org.axonframework.serialization.xml.XStreamSerializer;

public class SecureXStreamSerializer {

	private static XStreamSerializer _instance;

	// Lazily creates the shared serializer; synchronized so concurrent callers get a single instance
	public static synchronized XStreamSerializer get() {
		if (_instance == null) {
			_instance = secureXStreamSerializer();
		}
		return _instance;
	}

	private static XStreamSerializer secureXStreamSerializer() {
		XStream xStream = new XStream();
		xStream.setClassLoader(SecureXStreamSerializer.class.getClassLoader());
		// Allowlist: only types in these packages may be deserialized; anything else is refused
		xStream.allowTypesByWildcard(new String[]{
			"org.axonframework.**",
			"THE.PACKAGE.OF.YOUR.APPLICATION.**",
			"OTHER.PACKAGES.HAVING.SERIALIZABLE.CLASSES.**"
			// add further packages that contain your serialized classes here
		});
		return XStreamSerializer.builder().xStream(xStream).build();
	}

}

Then configure the framework to use it:

DefaultConfigurer.defaultConfiguration()
    .configureSerializer(configuration -> SecureXStreamSerializer.get())
    .configureMessageSerializer(configuration -> SecureXStreamSerializer.get())
    .configureEventSerializer(configuration -> SecureXStreamSerializer.get());

I hope this helps. It uses Java and Axon’s configuration API. I hope you can adapt the above code to your case.

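To make concrete what the allowlist in the answer above buys you, here is an added stand-alone Java example (it is not code from the original post, from the demo app mentioned, or from Axon). It builds an XStream instance the way the SecureXStreamSerializer above does, using XStream alone without Axon, and then checks what that instance accepts and what it refuses. The event class OrderPlaced, the NotAllowed class and the XML documents are constructed for the demo; because everything lives in one file, the event type is allowlisted by class instead of by package pattern, which is what the wildcard form does for a whole package. The example also shows that a bare "**" pattern, which appears further down in this thread, admits every class name and therefore leaves the serializer unprotected.

```java
// Added example. Requires com.thoughtworks.xstream:xstream 1.4.18 or newer on the classpath;
// from that version on, XStream refuses every type that is not explicitly allowlisted.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistDemo {

    /** Constructed stand-in for an application event the serializer must round-trip. */
    public static class OrderPlaced {
        String orderId;
        int quantity;
        OrderPlaced() { }
        OrderPlaced(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
    }

    /** Constructed stand-in for a type that was never meant to come out of the event store. */
    public static class NotAllowed {
        String payload = "should never be deserialized";
    }

    /** Mirrors the answer's SecureXStreamSerializer: deny everything, then allow listed types. */
    static XStream strictXStream() {
        XStream xStream = new XStream();
        xStream.setClassLoader(XStreamAllowlistDemo.class.getClassLoader());
        // Package-wide patterns as in the answer; a real application lists its own packages here.
        xStream.allowTypesByWildcard(new String[]{"org.axonframework.**"});
        // Single-file demo: allow the one event type by class rather than by package pattern.
        xStream.allowTypes(new Class<?>[]{OrderPlaced.class});
        return xStream;
    }

    /** The bare "**" pattern: matches any class name, i.e. no allowlist at all. */
    static XStream permissiveXStream() {
        XStream xStream = new XStream();
        xStream.allowTypesByWildcard(new String[]{"**"});
        return xStream;
    }

    /** True when XStream refused the document because the root type is not allowlisted. */
    static boolean rejectedByAllowlist(XStream xStream, String xml) {
        try {
            xStream.fromXML(xml);
            return false;
        } catch (RuntimeException e) {
            // The refusal may be wrapped in a ConversionException; look down the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e; // some other failure: surface it rather than mistake it for the allowlist
        }
    }

    public static void main(String[] args) {
        XStream strict = strictXStream();

        // 1. The allowlisted event serializes and deserializes normally.
        String eventXml = strict.toXML(new OrderPlaced("order-42", 3));
        OrderPlaced back = (OrderPlaced) strict.fromXML(eventXml);
        System.out.println("round-trip ok: " + back.orderId + " x" + back.quantity);

        // 2. A document naming a type outside the allowlist. Serialization is not subject to the
        //    allowlist, so the strict instance can produce the XML; only reading it back is checked.
        String notAllowedXml = strict.toXML(new NotAllowed());
        System.out.println("strict instance refuses NotAllowed: " + rejectedByAllowlist(strict, notAllowedXml));
        System.out.println("\"**\" instance refuses NotAllowed:  " + rejectedByAllowlist(permissiveXStream(), notAllowedXml));
    }
}
```

Compile and run it with the XStream jar on the classpath; with a 1.4.18+ XStream the strict instance reports the refusal as true and the "**" instance as false, which is the difference between an allowlist that protects the event store and one that only silences the warning.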

Thanks, I now use the SecureXStreamSerializer. It would be nice to store JSON, but I still have some issues with Jackson.

I configure it like below:


import com.mongodb.client.MongoClient
import com.thoughtworks.xstream.XStream
import org.axonframework.eventsourcing.eventstore.EmbeddedEventStore
import org.axonframework.eventsourcing.eventstore.EventStorageEngine
import org.axonframework.eventsourcing.eventstore.EventStore
import org.axonframework.extensions.mongo.DefaultMongoTemplate
import org.axonframework.extensions.mongo.eventsourcing.eventstore.MongoEventStorageEngine
import org.axonframework.serialization.xml.XStreamSerializer
import org.axonframework.spring.config.AxonConfiguration
import org.springframework.boot.autoconfigure.SpringBootApplication
import org.springframework.boot.runApplication
import org.springframework.context.annotation.Bean

@SpringBootApplication
class KbootAxon {
    // Event store backed by the Mongo storage engine below
    @Bean
    fun eventStore(storageEngine: EventStorageEngine?, configuration: AxonConfiguration): EmbeddedEventStore? {
        return EmbeddedEventStore.builder()
            .storageEngine(storageEngine)
            .messageMonitor(configuration.messageMonitor(EventStore::class.java, "eventStore"))
            .build()
    }

    // The `MongoEventStorageEngine` stores each event in a separate MongoDB document
    @Bean
    fun storageEngine(client: MongoClient?): EventStorageEngine? {
        return MongoEventStorageEngine.builder()
            .eventSerializer(
                XStreamSerializer.builder()
                    .xStream(SecureXStreamSerializer.xStream())
                    .build()
            )
            .snapshotSerializer(
                XStreamSerializer.builder()
                    .xStream(SecureXStreamSerializer.xStream())
                    .build()
            )
            .mongoTemplate(
                DefaultMongoTemplate
                    .builder()
                    .mongoDatabase(client)
                    .build()
            ).build()
    }
}

object SecureXStreamSerializer {
    fun xStream(): XStream {
        val xStream = XStream()
        xStream.classLoader = SecureXStreamSerializer::class.java.classLoader
        // Allowlist of packages whose types may be deserialized. A bare "**" here would
        // admit every type and make the allowlist meaningless, so list your own packages.
        xStream.allowTypesByWildcard(
            arrayOf(
                "org.axonframework.**",
                "THE.PACKAGE.OF.YOUR.APPLICATION.**",
            )
        )
        // Building a serializer registers Axon's converters on this XStream instance
        return XStreamSerializer.builder().xStream(xStream).build().xStream
    }
}

fun main(args: Array<String>) {
    runApplication<KbootAxon>(*args)
}

Can you please provide some more information about the issues?

I think this is my root problem. I have a repo to reproduce it. See: Axon MongoDB Extension with Jackson Snapshot configuration