ForbiddenClassException appears during handling Axon event?

Question

I have sandbox application microservices based on SpringBoot, SpringData JPA, Axon. I created 2 simple microservices: orders service and products service and trying to explore Axon Sagas. During Saga transaction I execute order create command, when it happens Saga emits product reserve event. This event is handled in product service and it fails with:

Exception in thread "CommandProcessor-0" com.thoughtworks.xstream.security.ForbiddenClassException: com.udemy.shared.command.ReserveProductCommand

How it can be fixed?

controller code in orders microservice:

@PostMapping
    public String createOrder(@Valid @RequestBody OrderDTO order) {
        CreateOrderCommand createOrderCommand = CreateOrderCommand.builder()
                .orderId(UUID.randomUUID().toString())
                .userId("27b95829-4f3f-4ddf-8983-151ba010e35b")
                .productId(order.getProductId())
                .quantity(order.getQuantity())
                .addressId(order.getAddressId())
                .orderStatus(OrderStatus.CREATED)
                .build();
        return commandGateway.sendAndWait(createOrderCommand);
    }

commands code:

@Builder
@Data
public class CreateOrderCommand {
    @AggregateIdentifier
    private final String orderId;
    private final String userId;
    private final String productId;
    private final int quantity;
    private String addressId;
    private final OrderStatus orderStatus;
}

@Data
@Builder
public class ReserveProductCommand {
    @AggregateIdentifier
    private String productId;
    private String orderId;
    private String userId;
    private int quantity;
}

saga code:

@Slf4j
@Saga
public class OrdersSaga {
    @Autowired
    private transient CommandGateway commandGateway;

    @StartSaga
    @SagaEventHandler(associationProperty = "orderId")
    public void handle(OrderCreatedEvent event) {
        ReserveProductCommand reserveProductCommand = ReserveProductCommand.builder()
                .orderId(event.getOrderId())
                .productId(event.getProductId())
                .userId(event.getUserId())
                .quantity(event.getQuantity())
                .build();
        commandGateway.send(reserveProductCommand, (commandMessage, commandResultMessage) -> {
            if (commandResultMessage.isExceptional()) {
                log.error("Something went wrong during product reserve: " + commandResultMessage.exceptionResult().getMessage() );
            }
        });
        log.info("Created order command fired! Order id = " + event.getOrderId());
    }

    @SagaEventHandler(associationProperty = "orderId")
    public void handle(ProductReservedEvent event) {
        log.info("Handling product reserve event for product with id = " + event.getProductId());

    }
}

handler where occurs error(products microservice):

@Slf4j
@Component
public class ProductEventHandler {
    ProductsRepository repository;

    @EventHandler
    public void on(ProductReservedEvent event) {
        ProductEntity updatedProduct = repository.findByProductId(event.getProductId());
        updatedProduct.setQuantity(event.getQuantity());
        log.info("Product reserved event was applied in event handler for product with id - " + event.getProductId());
        repository.save(updatedProduct);
    }
}

After googling I found out, that different Spring Boot version can have different xstream version and more relevant xstream produces this exception. I downgraded Spring Boot version in these services to 2.7.8, but this didnt help

my project's JDK and structure can be seen on screens

Answer 1

I guess that you're on JDK17 or above, Sam. As it stands, XStream does not play nicely with newer JDK versions, as it relies very heavily on reflection. As that's being shut off, exceptions may occur.

Sadly enough, Axon Framework defaults to use the so-called XStreamSerializer. Changing this to something else would incur breaking changes for all Framework users. Hence, the default stuck.

To work around this in Spring Boot environments, the Framework wires a custom XStream instance for you, adding to XStream's security context the package name of your @SpringBootApplication annotated class. Axon does log a WARN message about this, though, as it is strongly advised to define the XStream security context yourself based on the objects you will be de-/serializing.

Regardless, by taking this route, 9 out of 10 scenarios are covered for de-/serialization. However, I assume that your ReserveProductCommand resides in a different package.

Well, even if it isn't, you're thus recommended to define XStream's security context yourself. Or, you can switch Axon Framework's Serializer from XML to JSON by defining the JacksonSerializer. Especially for your messages (Commands, Events, and Queries) it is advisable to use JSON's smaller format. This saves network traffic and storage.

As you may note, I am making some assumptions about your JDK version and package structuring. If my suggested solutions do not solve the predicament, be sure to leave a comment.