Our catalina.out log is flooded with warnings about the "security framework of XStream". Does anyone know how to fix or remove the warning message?
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
@rporteric These errors are shown when XStream allowlist security system is not enabled in a product. This is enabled by calling the following code in the core:
XStream.setUpDefaultSecurity(xstream)
However, since it's a breaking change Confluence would be switching from blocklist to allowlist in a platform release. Till that time, it will be using blocklist mode.
Confluence allows admins to switch to allowlist mode by setting following JVM sysprop to true(but it has potential to break many plugins):
xstream.allowlist.enable
I expect similar thing in Jira.
Please note that XStream 1.5 is expected to default to this behaviour when released.
Thanks,
Ganesh
Hi rporteric,
welcome to the Atlassian Community!
This error message is well-known to me from a Bamboo installation but I have never encountered it on Jira.
I found a Suggestion regarding this error: https://jira.atlassian.com/browse/JRASERVER-71181
Unfortunately there is not much information about it. It could be helpful to "vote" for the issue using the link above. You can also watch the issue.
From what I observed the error does not stop the application from working correctly so far.
Cheers,
Daniel
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.