Arunkumar Pushparaj

Reputation: 356

Getting ForbiddenClassException in Axon/SpringBoot

I am trying to implement Axon Framework with Spring Boot.

Here are the versions of the jars.

  1. Spring Boot 2.6.1
  2. Java 17
  3. Axon 4.5.6

My Project Structure is:

I am getting the exception below while trying to access the UserRegisteredEvent from the query application.

com.thoughtworks.xstream.security.ForbiddenClassException: com.tesla.user.core.events.UserRegisteredEvent
    at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26) ~[xstream-1.4.18.jar:1.4.18]

Where am I going wrong?

Note:

I have also tried downgrading my Java version to 16 and Spring Boot to 2.4.*.

Upvotes: 4

Views: 1960

Answers (3)

Abdelhakim RAFIK

Reputation: 1

I solved the issue by configuring my app to use JacksonSerializer.
Here is my environment spec:

  • JDK 17
  • Spring boot 2.7.6
  • Axon 4.5.8

Solution: add this to your application.properties

# Axon serializer config
axon.serializer.general=jackson
axon.serializer.events=jackson
axon.serializer.messages=jackson

Upvotes: 0

Huy Quang

Reputation: 591

I found the solution by adding an XStream bean.

import com.thoughtworks.xstream.XStream;
import org.springframework.context.annotation.Bean;

// Axon's auto-configuration uses this bean instead of building its own XStream instance.
@Bean
public XStream xStream() {
    XStream xStream = new XStream();

    // Allow deserialization of every class under the application's base package (wildcard form).
    xStream.allowTypesByWildcard(new String[] { "com.example.**" });
    return xStream;
}

Details in this post.

Hope this helps.

Upvotes: 3

Steven

Reputation: 7275

Where am I going wrong?

Your problem lies with XStream, as you can see from the exception.

XStream has seen some CVEs flying about a couple of months back, which required its de-/serialization approach to turn 180 degrees.

Instead of taking an entirely reflective approach to understanding how to de-/serialize an object, XStream now requires you to tell it which classes it may serialize.

Axon regarded the XStreamSerializer as a decent default for any application because it was capable of de-/serializing everything. However, the above made this infeasible and required some changes on the end of the serializer.

Those changes have been released in Framework 4.5.4, for which you can find the release notes here.

What you can spot in the notes is that the framework tries to provide an XStream instance with some of the types secured for you. It does so by finding the package name of the @EnableAutoConfiguration annotated class. Note that @SpringBootApplication is meta-annotated with @EnableAutoConfiguration.

Axon's auto-config will allow all types under that package, but that's it. The framework also gives you a warning, stating the following on INFO level:

Initializing an XStream instance since none was found. 
The auto configuration base packages will be used as wildcards for the XStream security settings.

With all that said, I have two recommendations for you:

  1. If you want to stick with XStream as the serializer, I recommend configuring an XStream instance manually. This gives you complete control over which classes can or cannot be serialized, solving the exception mentioned earlier.
  2. If you're not religious about the serializer you're using, you can try out the JacksonSerializer that Axon Framework provides. This will require you to make all the objects de-/serializable through an ObjectMapper, thus introducing additional dependencies and/or annotations.

To read how you can configure a serializer in Axon, I refer to this page of their Reference Guide.

Upvotes: 4
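A manually configured XStream bean along the lines of recommendation 1, written here as an added example (it is not code from the question, the answers, or Axon itself). It is deny-by-default and then allows only what the query side needs; the event package is taken from the exception in the question, while the configuration class name and the `org.axonframework.**` entry are assumptions.

```java
package com.tesla.user.config; // assumed package, not from the original post

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.time.Instant;
import java.util.Collection;
import java.util.Map;
import java.util.UUID;

@Configuration
public class XStreamSecurityConfig {

    /**
     * Explicit XStream instance that Axon's Spring Boot auto-configuration
     * picks up instead of creating its own. Nothing is allowed implicitly;
     * each permission below re-admits one category of types on purpose.
     */
    @Bean
    public XStream xStream() {
        XStream xStream = new XStream();

        // Clear every permission so the instance starts from "deny all".
        xStream.addPermission(NoTypePermission.NONE);

        // Building blocks that ordinary event payloads are made of.
        xStream.addPermission(NullPermission.NULL);
        xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xStream.allowTypes(new Class[] { String.class, UUID.class, Instant.class });
        xStream.allowTypeHierarchy(Collection.class);
        xStream.allowTypeHierarchy(Map.class);

        // The application's own event classes (package from the exception in the
        // question) plus Axon's message and token types (assumed to be required
        // for event store payloads and tracking tokens).
        xStream.allowTypesByWildcard(new String[] {
            "com.tesla.user.core.events.**",
            "org.axonframework.**"
        });
        return xStream;
    }
}
```

Any class outside these rules still fails with ForbiddenClassException, which is the intended behaviour: extend the allow-list deliberately per event package rather than falling back to a wildcard such as `**`.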
