XStream not initalized

I am using OH3 RC2 and am getting “Security framework of XStream not explicitly initialized, using predefined black list on your own risk.” in the log when starting OH. This appears to be new to RC2. Does this indicate a problem or is it something that can be ignored?

3.0.0 stable has been released. Upgrade & see if the issue persists.

It’s probably something that needs to be fixed in some add-on. The core and most add-ons were already fixed, see:

1 Like

The stable release seems to have fixed the problem. thanks

1 Like

I use the docker version of stable OH3 and the problem still exists unfortunately. I got the error after upgrade from OH3 RC1 to the stable OH3.

Maybe you can tell us which add-ons you are using if you are still seeing the issue?

Of course:

  • Astro
  • Buienradar
  • DSMR
  • HP Printer
  • Hue
  • iCalendar
  • iCloud
  • MQTT
  • OpenWeather
  • Sonos
  • Telegram
  • Unifi
  • Zwave

It’s probably the unsafe usage of XStream by the Z-Wave add-on:

Perhaps you can create an issue for it?

Tnx, I just create an issue

1 Like

I believe I have the same issue on the OH3 Release using Zwave.

I looked at the latest Zwave build and it seems the line identified by @wborn is still there. Also it seems like no activity on the github issue @ljsquare posted. I don’t have the knowledge to confirm this line is causing the problem, but my question is “what should it look like?” or “is it fixed?”

On a related note (maybe) I saw an issue that Xstream 1.4.13 in use by OH3 release had a potential security issue (can’t find it at this point, but whatever it was was fixed in 1.4.14). Also saw that the next release of OH3 was going to Xstream 1.4.15, so will that solve the problem?

Just trying to understand the situation.

Bob

No XStream upgrades do not solve this. It can only be solved by explicitly enabling the security framework as was done for the other addons:

Let me preface this by saying I have no coding skills. By examining your work it seems like one of the following two code additions could solve the problem (error message) for the Zwave binding if the highlighted item is the only problem. I’m leaning toward the second option. Am I way off base??

I have compiled custom Zwave .jars for other reasons, but would like to try the one with the highest probability.

Bob

Option 1

public class ZWaveNodeSerializer {
private static final Logger logger = LoggerFactory.getLogger(ZWaveNodeSerializer.class);
private final XStream stream = new XStream(new StaxDriver());
XStream.setupDefaultSecurity(xstream);
xstream.allowTypesByWildcard(new String[] { ServicesResponse.class.getPackageName() + “.**” });

Option 2

public class ZWaveNodeSerializer {
private static final Logger logger = LoggerFactory.getLogger(ZWaveNodeSerializer.class);
private final XStream stream = new XStream(new StaxDriver());
private final configureSecurity(XStream xstream) {
XStream.setupDefaultSecurity(xstream);
xstream.allowTypesByWildcard(new String[] { ServicesResponse.class.getPackageName() + “.**” });
}

Hello All I have just started getting this same problem with the zigbee binding. But the configuration and usb stick was working fine a few days ago, not sure what changed in the mean time.

I’ve created a few PRs that hopefully fix this!

CC: @chris

Thanks !
edit: Created a Zwave .jar with the code additions today. Warning messages gone on startup.

Thanks again

Bob

Wonderful, what is weird is that it was working without issues for a number of days before all of a siden deciding that it was/is a problem

And also worth noting is that this error went away after a clean install in a new docker container on a new install of Ubuntu. So it is not only down to the code in openhab

I just saw this message whilst debugging something else.

I remember installing the icloud binding around the time mentioned in the log. Is it possible to check whether the icloud binding is also causing it? I also use Astro and Zwave bindings from the mentioned list, but I haven’t seen this message before today and the only thing that has changed was the addition of the icloud binding.

Jan 29 23:22:29 openHABianDevice karaf[28403]: Native Library /var/lib/openhab/tmp/libNRJavaSerialv8_HF_openhab_0/libNRJavaSerialv8_HF.so already loaded in another classloader
Jan 29 23:22:29 openHABianDevice karaf[28403]: /var/lib/openhab/tmp/libNRJavaSerialv8_openhab_0/libNRJavaSerialv8.so: /var/lib/openhab/tmp/libNRJavaSerialv8_openhab_0/libNRJavaSerialv8.so: cannot
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.

EDIT: scratch that. I removed the iCloud binding, restarted and the xstream message has reappeared

For what it is worth, I just pulled the latest Docker image 2 days ago, and I am getting this message now. The only add-on I have installed so far is zigbee. I did have a couple false starts on setting it up, so it might not be a 100% clean install.
I just noticed it, but I after I was able to create a user and start adding things, I was too excited to check the logs right away.

my best guess is that somehow something outside of docker changes, or a setting gets triggered in the docker instance to do with the hardware interface. But I know very little about how it all works