Getting xstream dependency exception

Hi Team,

Developing sample applications to learn AXON framework.

Project Details,

spring boot version 2.5.5

<java.version>11</java.version>
<spring-cloud.version>2020.0.4</spring-cloud.version>

org.axonframework axon-spring-boot-starter 4.5.3

Facing Issue:
com.thoughtworks.xstream.security.ForbiddenClassException: org.axonframework.eventhandling.GapAwareTrackingToken

Due to recent changes on XStream’s end, a lot of the reflection they do to figure out how to deserialize and serialize objects is blocked off.

This problem has resulted in an expanded version update on our end, that sadly enough, forces Axon’s users to define an XStream instance themselves if they’re not using Spring Boot.
In a Spring Boot application, Axon Framework will search your ComponentScan (meta-)annotated beans and add the classes to the security context.
FYI, you can find the issue here.

Nonetheless, this doesn’t solve your issue directly.
I believe that Spring Boot 2.5.5 has something to do with JDK 17.
Note that Axon isn’t JDK17 ready yet, partially due to the aforementioned XStream situation.

I’d thus recommend using Spring Boot 2.5.4 for now.
And, stick to JDK 11 for the time being as well.

1 Like

Hi Steven,

Is there any news on this? As far as I know there is no arm64-compatible JDK11, so that is not an option for us. Running JDK 17 and Spring Boot 2.5.4 does not solve the issue unfortunately.

Making Axon compilable with JDK 17 is on the backlog currently.
Expect a pull request from our end as soon as we’ve set up the required specifics.

I’ve also updated a more extensive message on GitHub, replying to your comment over there.
For those interested, I am talking about issue #1826 that requests JDK16 support for the framework.

I solved the ForbiddenClassException without having to revert back to previous versions. I am on Spring Boot 2.6.2, JDK 11 and Axon 4.5.7.

I created a class called AxonConfig. The problem with XStream, now that there is the new security update, seems to be that you need to specify what will be allowed.

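import com.thoughtworks.xstream.XStream;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AxonConfig {

    @Bean
    public XStream xStream() {
        XStream xStream = new XStream();

        // Allow XStream to deserialize only types under the application's own packages.
        xStream.allowTypesByWildcard(new String[] {
                "com.appsdeveloperblog.**"
        });
        return xStream;
    }
}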

Once I implemented the class above, I went to the @SpringBootApplication classes of my microservices and imported the AxonConfig.class.

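import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.context.annotation.Import;

@SpringBootApplication
@EnableDiscoveryClient
@Import({ AxonConfig.class })
public class ProductsServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(ProductsServiceApplication.class, args);
    }
}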

Problem solved! Works for me without having to revert back.

3 Likes
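An added example, not part of the answer above and not Axon's own code, showing what the allowlist in AxonConfig changes: a default XStream rejects application types on read, and a package-scoped wildcard accepts them while still rejecting types outside that package. The package `com.example.demo`, the class `OrderCreated` and the sample XML are constructed for illustration, and the behaviour assumes XStream 1.4.18 or later, where the allowlist is active by default.

```java
package com.example.demo; // hypothetical package, stands in for the application's own

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistDemo {

    // Constructed sample type, standing in for an application event class.
    public static class OrderCreated {
        String orderId = "order-1";
    }

    // Returns "accepted" or "forbidden: <type name>" for one unmarshalling attempt.
    static String tryRead(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return "accepted";
        } catch (ForbiddenClassException e) {
            return "forbidden: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Writing XML is not restricted; the allowlist is enforced when reading it back.
        String appXml = new XStream().toXML(new OrderCreated());
        // Constructed document naming a JDK type outside the application packages.
        String foreignXml = "<java.util.Random/>";

        // 1. No explicit allowlist: application types are rejected (the error in this thread).
        XStream defaults = new XStream();

        // 2. Allowlist scoped to the application's packages, as in AxonConfig.
        XStream scoped = new XStream();
        scoped.allowTypesByWildcard(new String[] { "com.example.demo.**" });

        System.out.println("defaults, app type:     " + tryRead(defaults, appXml));
        System.out.println("scoped,   app type:     " + tryRead(scoped, appXml));
        System.out.println("scoped,   foreign type: " + tryRead(scoped, foreignXml));
    }
}
```

Keep the wildcard as narrow as the packages that actually hold serialized types; a bare `"**"` pattern matches every class name and removes the protection the allowlist provides.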

@carosegri I thank you very much for sharing this answer. I ran into this today, and while exploring, I stumbled on your answer.

2 Likes

It worked for me. Thank you so much.

@carosegri Thank you very much, after two hours of searching, no solution worked for me. Thank you very much for sharing this answer.