Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to fix warning "Security framework of XStream" in catalina.out log?

rporteric
rporteric
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
October 9, 2020

Our catalina.out log is flooded with warnings about the "security framework of XStream".  Does anyone know how to fix or remove the warning message?

Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.

Answer
Watch
Like # people like this
7782 views

2 answers

1 accepted

0 votes
Answer accepted
Ganesh Gautam
Ganesh Gautam
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 19, 2021

@rporteric These errors are shown when XStream allowlist security system is not enabled in a product. This is enabled by calling the following code in the core:

XStream.setUpDefaultSecurity(xstream)

However, since it's a breaking change Confluence would be switching from blocklist to allowlist in a platform release. Till that time, it will be using blocklist mode.

Confluence allows admins to switch to allowlist mode by setting following JVM sysprop to true(but it has potential to break many plugins):

xstream.allowlist.enable

I expect similar thing in Jira.
Please note that XStream 1.5 is expected to default to this behaviour when released.

Thanks,

Ganesh

Reply
0 votes
Daniel Ebers
Daniel Ebers
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 23, 2020

Hi rporteric,

welcome to the Atlassian Community!

This error message is well-known to me from a Bamboo installation but I have never encountered it on Jira.

I found a Suggestion regarding this error: https://jira.atlassian.com/browse/JRASERVER-71181
Unfortunately there is not much information about it. It could be helpful to "vote" for the issue using the link above. You can also watch the issue.

From what I observed the error does not stop the application from working correctly so far.

Cheers,
Daniel

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
VERSION
8.5.3
TAGS
AUG Leaders

Atlassian Community Events

    See all events