Use servicemix bundle of xstream at runtime

[kemitix]

The updated xstream includes dependencies on libraries that are not
OSGi bundles. This servicemix repackaging, includes these libraries
within the bundle.

Follows on from #1038

[duncangrant]

Looks good to me - thanks @kemitix

[ahgittin]

resulting assembly works fine - great fix @kemitix , merging

[jcabrerizo]

I get this message in the console:

Security framework of XStream not initialized, XStream is probably vulnerable.

It's not more vulnerable than before, but have this trace may be a problem

[kemitix]

This explains the sort of thing we would need to add to fix this: https://stackoverflow.com/a/45152845

Specifically:

XStream.setupDefaultSecurity(this); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

We would need to know which packages would need to be be added, and where to set this.

[jcabrerizo]

I did a fast test adding org.apache.brooklyn and it I couldn't run Brooklyn after that. Better leave this as is for the moment and make a detailed analysis later

[duncangrant]

@kemitix @jcabrerizo please track this as a bug on issues.apache.org - I'd add it but I seem to be unable to get past the captcha.

[jcabrerizo]

https://issues.apache.org/jira/secure/RapidBoard.jspa?rapidView=50&projectKey=BROOKLYN&view=detail&selectedIssue=BROOKLYN-609

[ahgittin]

Solution is probably to set * in a cfg file in the dist and to read this on management initialization. People can edit this subsequently.

To avoid the errors in test and non-osgi the code can say if there is no such cfg fie it sets * as a default with a log debug message.