com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy is not part of XStream class whitelist

Description

Loading a layer from an Oracle Datastore hit a class it shouldn't and produces this output:

11 Nov 11:14:46 ERROR [config.util] - Class com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy is not whitelisted for XML parsing.
This is done to prevent Remote Code Execution attacks, but it might be you need this class to be authorized for GeoServer to actually work
If you are a user, you can set a variable named GEOSERVER_XSTREAM_WHITELIST
with a semicolon separated list of fully qualified names, or patterns
to match several classes.The variable can be set as a system variable
a enviromment variable, or a servlet context variable, just like
GEOSERVER_DATA_DIR.
For example, in order to authorize the org.geoserver.Foo class,
plus any class in the org.geoserver.custom package, one could set
a system variable:
-DGEOSERVER_XSTREAM_WHITELIST=org.geoserver.Foo;org.geoserver.custom.**
If instead you are a developer, you can call allowTypes/allowTypeHierarchy against
the XStream used for serialization by rolling a custom
XStreamPersisterInitializer or customizing your XStreamServiceLoader.
11 Nov 11:14:46 WARN [org.geoserver] - Failed to load layer for feature type 'ForriskAlturaMediaEtrs89'
com.thoughtworks.xstream.converters.ConversionException: Unauthorized class found, see logs for more details on how to handle it: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy : Unauthorized class found, see logs for more details on how to handle it: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy


Debugging information ----
message : Unauthorized class found, see logs for more details on how to handle it: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy
cause-exception : org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx
cause-message : Unauthorized class found, see logs for more details on how to handle it: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy
class : org.geoserver.catalog.impl.LayerInfoImpl
required-type : org.geoserver.catalog.impl.LayerInfoImpl
converter-type : org.geoserver.config.util.XStreamPersister$LayerInfoConverter
line number : 5
version : 2.8.0
-------------------------------
at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1185)
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1169)
at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1049)
at org.geoserver.config.util.XStreamPersister.load(XStreamPersister.java:592)
at org.geoserver.config.GeoServerLoader.depersist(GeoServerLoader.java:755)
at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:390)
at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:226)
at org.geoserver.config.DefaultGeoServerLoader.loadCatalog(DefaultGeoServerLoader.java:36)
at org.geoserver.config.GeoServerLoader.postProcessBeforeInitialization(GeoServerLoader.java:112)
at org.geoserver.config.GeoServerLoaderProxy.postProcessBeforeInitialization(GeoServerLoaderProxy.java:59)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:394)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1448)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:107)
at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:630)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:284)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:107)
at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:630)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:107)
at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:630)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:107)
at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:630)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:607)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:925)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:472)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:388)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:293)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
at org.geoserver.platform.GeoServerContextLoaderListener.contextInitialized(GeoServerContextLoaderListener.java:23)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5003)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5517)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1095)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1930)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx: Unauthorized class found, see logs for more details on how to handle it: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy
at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:173)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:401)
at org.geoserver.config.util.XStreamPersister$LayerInfoConverter.doUnmarshal(XStreamPersister.java:1843)
at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:257)
at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
... 92 more
Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy
at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:150)
... 98 more
11 Nov 11:14:46 INFO [org.geoserver] - Loaded feature type 'ForriskAlturaPrimeraRamaEtrs89', enabled
11 Nov 11:14:46 INFO [org.geoserver] - Loaded feature type 'oracle_produccion_forestal'
11 Nov 11:14:46 INFO [org.geoserver] - Loaded layer 'ForriskAlturaPrimeraRamaEtrs89'
11 Nov 11:14:46 INFO [org.geoserver] - Loaded feature type 'ForriskAreaBasimetricaEtrs89', enabled

Layer XML files don't show anything weird:

Layer.xml

<layer>
<name>ForriskAlturaMediaEtrs89</name>
<id>LayerInfoImpl-3f30cbbb:14d7ae3d4ba:-6323</id>
<type>VECTOR</type>
<defaultStyle>
<id>StyleInfoImpl-4e0b98bf:12475d46fdd:-7fe0</id>
</defaultStyle>
<styles class="linked-hash-set">
<style>
<id>StyleInfoImpl-38e82ce1:14cd58a4153:-75bf</id>
</style>
</styles>
<resource class="featureType">
<id>FeatureTypeInfoImpl-3f30cbbb:14d7ae3d4ba:-6324</id>
</resource>
<attribution>
<logoWidth>0</logoWidth>
<logoHeight>0</logoHeight>
</attribution>
</layer>

Featuretype.xml

<featureType>
<id>FeatureTypeInfoImpl-3f30cbbb:14d7ae3d4ba:-6324</id>
<name>ForriskAlturaMediaEtrs89</name>
<nativeName>TB_RIESGO_INC_VIENTO_ET89</nativeName>
<namespace>
<id>NamespaceInfoImpl-2828037a:14d74b05c20:-775b</id>
</namespace>
<title>Forrisk - Altura Media (m)</title>
<abstract>TB_RIESGO_INC_VIENTO_ET89</abstract>
<nativeCRS class="projected">PROJCS[&quot;UTM Zone 30, (ETRS 89)&quot;, &#xd;
GEOGCS[&quot;ETRS 89&quot;, &#xd;
DATUM[&quot;ETRS 89&quot;, &#xd;
SPHEROID[&quot;GRS 80&quot;, 6378137.0, 298.257222100883]], &#xd;
PRIMEM[&quot;Greenwich&quot;, 0.0], &#xd;
UNIT[&quot;degree&quot;, 0.017453292519943295], &#xd;
AXIS[&quot;Longitude&quot;, EAST], &#xd;
AXIS[&quot;Latitude&quot;, NORTH]], &#xd;
PROJECTION[&quot;Transverse_Mercator&quot;], &#xd;
PARAMETER[&quot;central_meridian&quot;, -3.0], &#xd;
PARAMETER[&quot;latitude_of_origin&quot;, 0.0], &#xd;
PARAMETER[&quot;scale_factor&quot;, 0.9996], &#xd;
PARAMETER[&quot;false_easting&quot;, 500000.0], &#xd;
PARAMETER[&quot;false_northing&quot;, 0.0], &#xd;
UNIT[&quot;m&quot;, 1.0], &#xd;
AXIS[&quot;x&quot;, EAST], &#xd;
AXIS[&quot;y&quot;, NORTH]]</nativeCRS>
<srs>EPSG:25830</srs>
<nativeBoundingBox>
<minx>463435.23</minx>
<maxx>603054.68</maxx>
<miny>4702205.332</miny>
<maxy>4811327.358</maxy>
</nativeBoundingBox>
<latLonBoundingBox>
<minx>-3.452</minx>
<maxx>-1.726</maxx>
<miny>42.465</miny>
<maxy>43.455</maxy>
<crs>EPSG:4326</crs>
</latLonBoundingBox>
<projectionPolicy>FORCE_DECLARED</projectionPolicy>
<enabled>true</enabled>
<metadata>
<entry key="cachingEnabled">false</entry>
</metadata>
<store class="dataStore">
<id>DataStoreInfoImpl-2828037a:14d74b05c20:-775a</id>
</store>
<maxFeatures>0</maxFeatures>
<numDecimals>0</numDecimals>
<overridingServiceSRS>false</overridingServiceSRS>
<skipNumberMatched>false</skipNumberMatched>
<circularArcPresent>false</circularArcPresent>
</featureType>
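
The deny-by-default type check that the log above reports, reproduced with plain XStream as an added example (it is not part of the original report and is not GeoServer's SecureXStream code). The package `demo`, the classes `WhitelistDemo` and `Layer`, the helper names and both XML strings are constructed for illustration; passing a semicolon-separated list to `allowTypesByWildcard` is an assumption about how such a list can be applied, not GeoServer's own parsing.

```java
package demo;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class WhitelistDemo {
    public static class Layer { String name; }   // constructed stand-in type

    // Constructed samples. "dynamic-proxy" is the built-in alias that
    // DynamicProxyMapper resolves to DynamicProxyMapper$DynamicProxy.
    static final String LAYER_XML = "<layer><name>sample</name></layer>";
    static final String PROXY_XML =
        "<dynamic-proxy><interface>java.lang.Runnable</interface></dynamic-proxy>";

    // Deny every type, then re-allow only what the semicolon-separated list names.
    static XStream locked(String whitelist) {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);
        // In a pattern, "*" stays within one package level and "**" spans any depth.
        xs.allowTypesByWildcard(whitelist.split(";"));
        xs.alias("layer", Layer.class);
        return xs;
    }

    // Returns what was loaded, or the name of the type the security mapper refused.
    static String tryLoad(XStream xs, String xml) {
        try {
            return "loaded " + xs.fromXML(xml).getClass().getName();
        } catch (XStreamException e) {
            // The rejection may arrive wrapped (ConversionException), so walk the causes.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return "forbidden " + t.getMessage();
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xs = locked("demo.**;java.lang.String");
        System.out.println(tryLoad(xs, LAYER_XML));  // type matches demo.**
        System.out.println(tryLoad(xs, PROXY_XML));  // proxy type is not listed
    }
}
```

The proxy document is refused when its element name is resolved to a class, before any of its children are read, which is the same `SecurityMapper.realClass` to `NoTypePermission.allows` path shown in the stack trace.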

Environment

Windows Server 2012 R2

Status

Assignee

Unassigned

Reporter

David Alda

Triage

None

Fix versions

Affects versions

2.8.0

Components

Priority

Medium