Spring

 How to remove the xstream dependency from spring-cloud-starter-netflix-eureka-server ?

Abdul Azeem Shaik's profile image
Abdul Azeem Shaik posted Jul 09, 2020 07:05 PM

I am trying to remove the xstream dependency from spring-cloud-starter-netflix-eureka-server by mentioning it in exclusions tags. But with this change, my Eurkea client and Server does not starts.

 

I see xstream jar is Restricted in our organization for use. Can you please suggest any alternate jars i can use instaed of xstream . I am using Spring boot and 2.1.1.RELEASE version for spring-cloud-netflix

 

<dependency>

           <groupId>org.springframework.cloud</groupId>

           <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>

           <exclusions>

           <exclusion>

                  <groupId>com.thoughtworks.xstream</groupId>

                  <artifactId>xstream</artifactId>

           </exclusion>

           </exclusions>

</dependency>

 

Daniel Mikusa's profile image
Daniel Mikusa posted Jul 09, 2020 12:33 PM

Can you run `mvn dependency:tree` and include the output (remove the exclusion first)? Also, what error are you seeing exactly? Can you include a log snippet including stack trace? Thanks

Daniel Mikusa's profile image
Daniel Mikusa posted Jul 09, 2020 04:56 PM

Ok, so the spring-cloud-starter-netflix-eureka-server isn't pulling in xstream. See it's transitive deps here:

[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-server:jar:2.1.1.RELEASE:compile [INFO] | \- org.springframework.cloud:spring-cloud-netflix-eureka-server:jar:2.1.1.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-freemarker:jar:2.1.6.RELEASE:compile [INFO] | | +- org.freemarker:freemarker:jar:2.3.28:compile [INFO] | | \- org.springframework:spring-context-support:jar:5.1.8.RELEASE:compile [INFO] | +- com.sun.jersey:jersey-servlet:jar:1.19.1:compile [INFO] | +- com.sun.jersey:jersey-server:jar:1.19.1:compile [INFO] | +- javax.inject:javax.inject:jar:1:compile [INFO] | \- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.9.9:compile [INFO] | +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile [INFO] | \- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile

It seems to be a transitive dependency of spring-cloud-starter-netflix-eureka-client.

[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:2.1.1.RELEASE:compile [INFO] | +- org.springframework.cloud:spring-cloud-netflix-hystrix:jar:2.1.1.RELEASE:compile [INFO] | | \- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile [INFO] | | \- org.aspectj:aspectjweaver:jar:1.9.4:compile [INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:2.1.1.RELEASE:compile [INFO] | +- com.netflix.eureka:eureka-client:jar:1.9.8:compile [INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime [INFO] | | | \- stax:stax-api:jar:1.0.1:runtime [INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime [INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime [INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime [INFO] | | | | +- joda-time:joda-time:jar:2.10.2:runtime [INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime [INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime [INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime [INFO] | | | | \- com.google.code.gson:gson:jar:2.8.5:runtime [INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime [INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.6:compile [INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:compile [INFO] | | +- com.netflix.servo:servo-core:jar:0.12.21:runtime [INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:compile [INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime [INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime [INFO] | | +- org.apache.httpcomponents:httpclient:jar:4.5.9:compile [INFO] | | | \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile [INFO] | | +- com.google.inject:guice:jar:4.1.0:runtime [INFO] | | | \- aopalliance:aopalliance:jar:1.0:runtime [INFO] | | \- com.github.vlsi.compactmap:compactmap:jar:1.2.1:runtime [INFO] | | \- com.github.andrewoma.dexx:dexx-collections:jar:0.2:runtime [INFO] | +- com.netflix.eureka:eureka-core:jar:1.9.8:compile [INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime [INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime [INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile [INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:2.1.1.RELEASE:compile [INFO] | | +- org.springframework.cloud:spring-cloud-netflix-ribbon:jar:2.1.1.RELEASE:compile [INFO] | | +- org.springframework.cloud:spring-cloud-netflix-archaius:jar:2.1.1.RELEASE:compile [INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile [INFO] | | \- commons-lang:commons-lang:jar:2.6:compile [INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:2.1.1.RELEASE:compile [INFO] | | +- com.netflix.ribbon:ribbon:jar:2.3.0:compile [INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.3.0:runtime [INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime [INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime [INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime [INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.3.0:compile [INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.3.0:compile [INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.3.0:compile [INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime [INFO] | | \- io.reactivex:rxjava:jar:1.3.8:compile [INFO] | +- com.netflix.ribbon:ribbon-eureka:jar:2.3.0:compile [INFO] | \- com.thoughtworks.xstream:xstream:jar:1.4.10:compile [INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile [INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile

See at the very bottom. Try adding your exclusion to that dependency and repeat `mvn dependency:tree` to confirm that xstream is no longer pulled in.

Daniel Mikusa's profile image
Daniel Mikusa posted Jul 09, 2020 05:03 PM

That said, your log looks like you're not going to be able to remove the dependency. It's clearly being used.

Caused by: java.lang.NoClassDefFoundError: com/netflix/discovery/converters/XmlXStream at com.netflix.discovery.converters.wrappers.CodecWrappers$XStreamXml.<init>(CodecWrappers.java:358) ~[eureka-client-1.9.8.jar!/:1.9.8] at com.netflix.discovery.converters.wrappers.CodecWrappers.create(CodecWrappers.java:133) ~[eureka-client-1.9.8.jar!/:1.9.8] at com.netflix.discovery.converters.wrappers.CodecWrappers.getCodec(CodecWrappers.java:56) ~[eureka-client-1.9.8.jar!/:1.9.8] at com.netflix.discovery.converters.wrappers.CodecWrappers.getCodec(CodecWrappers.java:47) ~[eureka-client-1.9.8.jar!/:1.9.8] at org.springframework.cloud.netflix.eureka.server.EurekaServerAutoConfiguration.getFullXml(EurekaServerAutoConfiguration.java:138) ~[spring-cloud-netflix-eureka-server-2.1.1.RELEASE.jar!/:2.1.1.RELEASE]

It maybe that you can change your Eureka server configuration and disable the code that's requiring that dependency. I do not know off hand, and it would likely depend on how you're seeing up your Eureka server. Are you using Spring Cloud Services? Or are you creating the server manually from the OSS project? If it's the latter, could you submit a demo project or something to reproduce the issue you're seeing? I could take a look at it and see if it's possible to work around needing xstream.

Abdul Azeem Shaik's profile image
Abdul Azeem Shaik posted Jul 09, 2020 08:28 PM

Hello Daniel,

 

Thanks for the response. PFA the mvn dependency tree and full log files in attached zip.

Attachment  View in library
logs.zip 7 KB
Abdul Azeem Shaik's profile image
Abdul Azeem Shaik posted Jul 10, 2020 12:24 AM

Thanks for your inputs. I will have my developers try the configurations you suggested and will get back to y ou.