When it comes to security issues, I would not take it lightly. Firstly, understand the severity of the problem; here is a good entry.
Then find out what solution people recommend. A good place to start is the xstream site itself. Here is an example from the xstream page that you can use as a starting point.
This will be my setup, which basically allows most of your code.
import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] { "com.your.package.**" });
However, after diving into the source code, this is my trick:
XStream xstream = new XStream();
// install XStream's own default permission set (static helper, takes the instance)
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
// then allow only your own classes on top of it
xstream.allowTypesByWildcard(new String[] { "com.your.package.**" });
So essentially you only need one line after upgrading to 1.5.
Please note that you may need more wildcards to suit your deserialization scenarios. This is not a one-size-fits-all answer, but IMHO a good starting point.
coolersport
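As an added, runnable illustration of what the allowlist configuration in the answer above actually does at deserialization time (this is not part of coolersport's answer nor XStream's own documentation): it assumes XStream 1.4.7 or later on the classpath, a hypothetical package com.example.xstreamdemo in place of com.your.package, and a constructed Order type as the model class. It round-trips an allowed type and then shows that constructed XML naming a JDK class outside the allowlist is refused with ForbiddenClassException.

```java
package com.example.xstreamdemo;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistDemo {

    // Hypothetical domain type living in the package the wildcard below allows.
    public static class Order {
        String customer;
        int quantity;
        List<String> tags = new ArrayList<String>();
    }

    // Build an XStream instance whose permission set is deny-by-default plus an
    // explicit allowlist: the configuration from the answer, with the wildcard
    // pointing at this demo's (hypothetical) package.
    static XStream hardenedXStream() {
        // DomDriver avoids the xpp3 dependency that the no-arg constructor needs.
        XStream xstream = new XStream(new DomDriver());
        // Drop every permission XStream installed by default.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow null, primitives and their wrapper types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // PRIMITIVES does not cover String; collection elements such as <string>
        // are resolved through the security mapper, so allow String explicitly.
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Allow only our own model classes; "**" also spans dots and nested classes.
        xstream.allowTypesByWildcard(new String[] { "com.example.xstreamdemo.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // 1. A type inside the allowlist round-trips normally.
        Order order = new Order();
        order.customer = "alice";
        order.quantity = 3;
        order.tags.add("priority");
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.customer + " x" + back.quantity + " " + back.tags);

        // 2. Constructed input naming a JDK type outside the allowlist is refused
        //    when the element name is resolved to a class, before conversion starts.
        String untrusted = "<java.lang.Thread/>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("BUG: type outside the allowlist was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it with xstream (and nothing else) on the classpath; the second step must print the "rejected as expected" line. On XStream 1.4.18 and later the default permission set is already a whitelist, so the NoTypePermission.NONE step is redundant there but harmless, and the same code behaves identically on earlier 1.4.x releases where the default still allowed almost everything.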