XStream not initalized

ArkansasAtomaton · December 22, 2020, 5:54pm

I am using OH3 RC2 and am getting “Security framework of XStream not explicitly initialized, using predefined black list on your own risk.” in the log when starting OH. This appears to be new to RC2. Does this indicate a problem or is it something that can be ignored?

Bruce_Osborne · December 22, 2020, 6:09pm

3.0.0 stable has been released. Upgrade & see if the issue persists.

wborn · December 22, 2020, 6:25pm

It’s probably something that needs to be fixed in some add-on. The core and most add-ons were already fixed, see:

ArkansasAtomaton · December 22, 2020, 11:12pm

The stable release seems to have fixed the problem. thanks

ljsquare · December 23, 2020, 8:28am

I use the docker version of stable OH3 and the problem still exists unfortunately. I got the error after upgrade from OH3 RC1 to the stable OH3.

wborn · December 23, 2020, 12:56pm

Maybe you can tell us which add-ons you are using if you are still seeing the issue?

ljsquare · December 23, 2020, 2:48pm

Of course:

Astro
Buienradar
DSMR
HP Printer
Hue
iCalendar
iCloud
MQTT
OpenWeather
Sonos
Telegram
Unifi
Zwave

wborn · December 23, 2020, 3:11pm

It’s probably the unsafe usage of XStream by the Z-Wave add-on:

github.com

openhab/org.openhab.binding.zwave/blob/1bf81ffd0f70cfd293b6f40140db50591a962ade/src/main/java/org/openhab/binding/zwave/internal/protocol/initialization/ZWaveNodeSerializer.java#L46


      
          import com.thoughtworks.xstream.io.xml.StaxDriver;
          
          /**
           * ZWaveNodeSerializer class. Serializes nodes to XML and back again.
           *
           * @author Chris Jackson
           * @author Jan-Willem Spuij
           */
          public class ZWaveNodeSerializer {
              private static final Logger logger = LoggerFactory.getLogger(ZWaveNodeSerializer.class);
              private final XStream stream = new XStream(new StaxDriver());
              private final String folderName;
          
              /**
               * Constructor. Creates a new instance of the {@link ZWaveNodeSerializer} class.
               */
              public ZWaveNodeSerializer() {
                  logger.trace("Initializing ZWaveNodeSerializer.");
          
                  folderName = OpenHAB.getUserDataFolder() + "/" + ZWaveBindingConstants.BINDING_ID;

Perhaps you can create an issue for it?

ljsquare · December 24, 2020, 12:18pm

Tnx, I just create an issue

apella12 · January 5, 2021, 1:11am

I believe I have the same issue on the OH3 Release using Zwave.

I looked at the latest Zwave build and it seems the line identified by @wborn is still there. Also it seems like no activity on the github issue @ljsquare posted. I don’t have the knowledge to confirm this line is causing the problem, but my question is “what should it look like?” or “is it fixed?”

On a related note (maybe) I saw an issue that Xstream 1.4.13 in use by OH3 release had a potential security issue (can’t find it at this point, but whatever it was was fixed in 1.4.14). Also saw that the next release of OH3 was going to Xstream 1.4.15, so will that solve the problem?

Just trying to understand the situation.

Bob

wborn · January 5, 2021, 12:26pm

No XStream upgrades do not solve this. It can only be solved by explicitly enabling the security framework as was done for the other addons:

apella12 · January 7, 2021, 12:56am

Let me preface this by saying I have no coding skills. By examining your work it seems like one of the following two code additions could solve the problem (error message) for the Zwave binding if the highlighted item is the only problem. I’m leaning toward the second option. Am I way off base??

I have compiled custom Zwave .jars for other reasons, but would like to try the one with the highest probability.

Bob

Option 1

public class ZWaveNodeSerializer {
private static final Logger logger = LoggerFactory.getLogger(ZWaveNodeSerializer.class);
private final XStream stream = new XStream(new StaxDriver());
XStream.setupDefaultSecurity(xstream);
xstream.allowTypesByWildcard(new String { ServicesResponse.class.getPackageName() + “.**” });

Option 2

public class ZWaveNodeSerializer {
private static final Logger logger = LoggerFactory.getLogger(ZWaveNodeSerializer.class);
private final XStream stream = new XStream(new StaxDriver());
private final configureSecurity(XStream xstream) {
XStream.setupDefaultSecurity(xstream);
xstream.allowTypesByWildcard(new String { ServicesResponse.class.getPackageName() + “.**” });
}

joriskofman · January 7, 2021, 8:15am

Hello All I have just started getting this same problem with the zigbee binding. But the configuration and usb stick was working fine a few days ago, not sure what changed in the mean time.

wborn · January 7, 2021, 2:53pm

I’ve created a few PRs that hopefully fix this!

CC: @chris

apella12 · January 7, 2021, 3:16pm

Thanks !
edit: Created a Zwave .jar with the code additions today. Warning messages gone on startup.

Thanks again

Bob

joriskofman · January 7, 2021, 6:14pm

Wonderful, what is weird is that it was working without issues for a number of days before all of a siden deciding that it was/is a problem

joriskofman · January 11, 2021, 6:04pm

And also worth noting is that this error went away after a clean install in a new docker container on a new install of Ubuntu. So it is not only down to the code in openhab

Lukie · January 30, 2021, 12:26pm

I just saw this message whilst debugging something else.

I remember installing the icloud binding around the time mentioned in the log. Is it possible to check whether the icloud binding is also causing it? I also use Astro and Zwave bindings from the mentioned list, but I haven’t seen this message before today and the only thing that has changed was the addition of the icloud binding.

Jan 29 23:22:29 openHABianDevice karaf[28403]: Native Library /var/lib/openhab/tmp/libNRJavaSerialv8_HF_openhab_0/libNRJavaSerialv8_HF.so already loaded in another classloader
Jan 29 23:22:29 openHABianDevice karaf[28403]: /var/lib/openhab/tmp/libNRJavaSerialv8_openhab_0/libNRJavaSerialv8.so: /var/lib/openhab/tmp/libNRJavaSerialv8_openhab_0/libNRJavaSerialv8.so: cannot
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Jan 29 23:22:38 openHABianDevice karaf[28403]: Security framework of XStream not explicitly initialized, using predefined black list on your own risk.

EDIT: scratch that. I removed the iCloud binding, restarted and the xstream message has reappeared

TedCorrell · January 31, 2021, 5:44am

For what it is worth, I just pulled the latest Docker image 2 days ago, and I am getting this message now. The only add-on I have installed so far is zigbee. I did have a couple false starts on setting it up, so it might not be a 100% clean install.
I just noticed it, but I after I was able to create a user and start adding things, I was too excited to check the logs right away.

joriskofman · January 31, 2021, 8:41am

my best guess is that somehow something outside of docker changes, or a setting gets triggered in the docker instance to do with the hardware interface. But I know very little about how it all works