Hi,
We are constantly getting the following message in our logs:
Security framework of XStream not initialized, XStream is probably vulnerable
I think I have a good idea on how to get rid of this message, but how do I get hold of the instance of XStream that is used to serialize objects in Axon?
We’re using Spring, so I have naively tried to autowire XStream in our application config, but no bean of that type is available for injection…
Best regards,
Andreas
In class XStreamSerializer:
    private Builder() {
        xStream(new XStream(new CompactDriver()));
    }
Then autowire the XStreamSerializer, and call getXStream().
Thanks Cristophe,
Ended up with the below. Obviously the same object of XStreamSerializer is available as two beans; “messageSerializer” and “eventSerializer”.
    @Autowired
    @Qualifier("messageSerializer")
    private XStreamSerializer messageSerializer;

    @PostConstruct
    private void initXStream() {
        XStream.setupDefaultSecurity(messageSerializer.getXStream());
        messageSerializer.getXStream().addPermission(AnyTypePermission.ANY);
    }
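
An added example, not part of the thread or of Axon's own code: `AnyTypePermission.ANY` in the snippet above permits every type, so the warning disappears but deserialization stays unrestricted. The sketch below keeps the same `setupDefaultSecurity` call and then allows only named types. The class names and the `com.example.orders.**` package are constructed placeholders, and `restrict` is a hypothetical helper that could be called with `messageSerializer.getXStream()` from the `@PostConstruct` method.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistExample {

    // Constructed sample types standing in for application messages.
    static class OrderPlaced { String orderId = "constructed-1"; }
    static class Unlisted { String note = "not on the allowlist"; }

    /** Initializes the security framework, then permits only the listed types. */
    static void restrict(XStream xs, String[] packageWildcards, Class<?>... types) {
        XStream.setupDefaultSecurity(xs);           // same call as in the post above
        xs.allowTypesByWildcard(packageWildcards);  // placeholder: your own packages
        xs.allowTypes(types);                       // plus any individual classes
    }

    /** Returns true if the restricted instance refuses to deserialize the XML. */
    static boolean isRejected(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown when the XML names a type that no permission allows.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xs = new XStream();
        restrict(xs, new String[] {"com.example.orders.**"}, OrderPlaced.class);

        // Permissions are checked when reading, so both objects serialize.
        String allowedXml = xs.toXML(new OrderPlaced());
        String unlistedXml = xs.toXML(new Unlisted());

        System.out.println("OrderPlaced rejected: " + isRejected(xs, allowedXml));
        System.out.println("Unlisted rejected:    " + isRejected(xs, unlistedXml));
    }
}
```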