TRUNK-6218: Defer setup of xstream security until needed

Author: mseaton

api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java

@@ -9,22 +9,6 @@
  */
 package org.openmrs.module.reporting.serializer;
 
-import java.io.OutputStream;
-import java.io.OutputStreamWriter;
-import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Method;
-
-import org.openmrs.api.APIException;
-import org.openmrs.api.context.Context;
-import org.openmrs.module.VersionComparator;
-import org.openmrs.module.serialization.xstream.XStreamShortSerializer;
-import org.openmrs.module.serialization.xstream.mapper.CGLibMapper;
-import org.openmrs.module.serialization.xstream.mapper.HibernateCollectionMapper;
-import org.openmrs.module.serialization.xstream.mapper.JavassistMapper;
-import org.openmrs.module.serialization.xstream.mapper.NullValueMapper;
-import org.openmrs.serialization.SerializationException;
-import org.openmrs.serialization.SimpleXStreamSerializer;
-
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.ConverterLookup;
 import com.thoughtworks.xstream.converters.DataHolder;
@@ -33,12 +17,29 @@
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import com.thoughtworks.xstream.mapper.Mapper;
 import com.thoughtworks.xstream.mapper.MapperWrapper;
-import org.openmrs.util.OpenmrsConstants;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openmrs.api.context.Context;
+import org.openmrs.module.serialization.xstream.XStreamShortSerializer;
+import org.openmrs.module.serialization.xstream.mapper.CGLibMapper;
+import org.openmrs.module.serialization.xstream.mapper.HibernateCollectionMapper;
+import org.openmrs.module.serialization.xstream.mapper.JavassistMapper;
+import org.openmrs.module.serialization.xstream.mapper.NullValueMapper;
+import org.openmrs.serialization.SerializationException;
+import org.openmrs.serialization.SimpleXStreamSerializer;
 
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Method;
 
 public class ReportingSerializer extends XStreamShortSerializer {
 
 	private static ThreadLocal<DataHolder> cache = new ThreadLocal<DataHolder>();
+
+	private final Log log = LogFactory.getLog(this.getClass());
+
+	private boolean xstreamSecuritySetup = false;
 
 	/**
 	 * @throws SerializationException
@@ -87,15 +88,14 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
 	    xstream.registerConverter(new IndicatorConverter(mapper, converterLookup));
 
 		xstream.registerConverter(new ReportDefinitionConverter(mapper, converterLookup));
-
-		// Only setup XStreamSecurity only on versions that are after 2.7.0
-		if (new VersionComparator().compare(OpenmrsConstants.OPENMRS_VERSION, "2.7.0") >= 0) {
-			setupXStreamSecurity(xstream);
-		}
 	}
 
 	@Override
 	synchronized public <T> T deserialize(String serializedObject, Class<? extends T> clazz) throws SerializationException {
+		if (!xstreamSecuritySetup) {
+			setupXStreamSecurity();
+			xstreamSecuritySetup = true;
+		}
 		boolean cacheOwner = cache.get() == null;
 		if (cacheOwner) {
 			cache.set(new MapBackedDataHolder());
@@ -123,21 +123,31 @@ public void serializeToStream(Object object, OutputStream out) {
         }
     }
 
-	private void setupXStreamSecurity(XStream xstream) throws SerializationException {
+	/**
+	 * Sets up xstream security on the Reporting Serializer to match the OpenMRS core security configuration
+	 */
+	public void setupXStreamSecurity() throws SerializationException {
+		log.debug("Setting up xstream security on ReportingSerializer");
+		SimpleXStreamSerializer serializer = null;
 		try {
-			SimpleXStreamSerializer serializer = Context.getRegisteredComponent("simpleXStreamSerializer", SimpleXStreamSerializer.class);
-			if (serializer != null) {
-				try {
-					Method method = serializer.getClass().getMethod("initXStream", XStream.class);
-					method.invoke(serializer, xstream);
-				}
-				catch (Exception ex) {
-					throw new SerializationException("Failed to set up XStream Security", ex);
-				}
-			}
+			serializer = Context.getRegisteredComponent("simpleXStreamSerializer", SimpleXStreamSerializer.class);
+		}
+		catch (Exception ignored) {
+		}
+		if (serializer == null) {
+			log.debug("Not setting up XStream security as no simpleXStreamSerializer component is found");
+			return;
+		}
+		try {
+			Method method = serializer.getClass().getMethod("initXStream", XStream.class);
+			method.invoke(serializer, xstream);
+			log.info("XStream security initialized on ReportingSerializer");
+		}
+		catch (NoSuchMethodException ignored) {
+			log.debug("Not setting up XStream Security as no initXStream method found on SimpleXStreamSerializer");
 		}
-		catch (APIException ex) {
-			//Ignore APIException("Error during getting registered component) for platform versions below 2.7.0
+		catch (Exception e) {
+			throw new SerializationException("Failed to set up XStream Security on Reporting Serializer", e);
 		}
 	}
 }

omod/src/main/resources/config.xml

@@ -155,8 +155,8 @@
 	</globalProperty>
     <globalProperty>
         <property>reporting.serializer.whitelist.types</property>
-        <defaultValue>org.openmrs.module.reporting.evaluation.parameter.Parameter,org.openmrs.module.reporting.data.converter.PropertyConverter,org.openmrs.module.reporting.data.converter.ObjectFormatter,org.openmrs.module.reporting.data.converter.DateConverter,org.openmrs.module.reporting.data.converter.ChainedConverter,org.openmrs.module.reporting.common.SortCriteria$SortElement,org.openmrs.module.reporting.evaluation.parameter.Mapped</defaultValue>
-        <description></description>
+        <defaultValue>org.openmrs.module.reporting.**</defaultValue>
+        <description>White-list of classes that are allowed for deserialization by the reporting module</description>
     </globalProperty>
 
 	<!--  Message Properties -->