diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index a992ab814188..ccb10d27c172 100644
--- a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -63,6 +63,8 @@
import com.thoughtworks.xstream.mapper.CannotResolveClassException;
import com.thoughtworks.xstream.mapper.Mapper;
import com.thoughtworks.xstream.mapper.MapperWrapper;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
+import com.thoughtworks.xstream.security.TypePermission;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -106,7 +108,7 @@
* Therefore, it has limited namespace support. As such, it is rather unsuitable for
* usage within Web Services.
*
- *
This marshaller requires XStream 1.4.5 or higher, as of Spring 4.3.
+ *
This marshaller requires XStream 1.4.7 or higher, as of Spring 5.2.17.
* Note that {@link XStream} construction has been reworked in 4.0, with the
* stream driver and the class loader getting passed into XStream itself now.
*
@@ -146,6 +148,9 @@ public class XStreamMarshaller extends AbstractMarshaller implements BeanClassLo
@Nullable
private ConverterMatcher[] converters;
+ @Nullable
+ private TypePermission[] typePermissions;
+
@Nullable
private MarshallingStrategy marshallingStrategy;
@@ -268,6 +273,20 @@ public void setConverters(ConverterMatcher... converters) {
this.converters = converters;
}
+ /**
+ * Set XStream type permissions such as
+ * {@link com.thoughtworks.xstream.security.AnyTypePermission},
+ * {@link com.thoughtworks.xstream.security.ExplicitTypePermission} etc,
+ * as an alternative to overriding the {@link #customizeXStream} method.
*
Note: As of XStream 1.4.18, the default type permissions are
+ * restricted to well-known core JDK types. For any custom types,
+ * explicit type permissions need to be registered.
+ * @since 5.2.17
+ */
+ public void setTypePermissions(TypePermission... typePermissions) {
+ this.typePermissions = typePermissions;
+ }
+
/**
* Set a custom XStream {@link MarshallingStrategy} to use.
* @since 4.0
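Review bot: The new Javadoc on `setTypePermissions` (the `+ /**` block ending at `+ */`) offers `AnyTypePermission` as its first example without saying what it does: it removes every type restriction, which restores the behaviour in which any class reachable from the classpath can be instantiated from an incoming document, the root cause of XStream's deserialization advisories. Since this setter is presented as the documented alternative to `customizeXStream`, it should carry a warning, e.g. `* <p><b>Security note:</b> {@code AnyTypePermission} lifts all type restrictions; when unmarshalling input from untrusted sources prefer narrow permissions such as {@code ExplicitTypePermission} or a package-scoped {@code WildcardTypePermission}.` The sentence about 1.4.18 defaults also implies the converse, which is worth stating explicitly: on the minimum supported XStream 1.4.7 the defaults are not restricted, so applications on older XStream versions must register a restrictive permission set themselves (XStream's documented pattern starts with {@code NoTypePermission.NONE}). I am inferring those version semantics from the Javadoc text in this hunk rather than from code visible here, so please confirm against the XStream release notes before wording the caveat.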
@@ -407,7 +426,7 @@ public void setBeanClassLoader(ClassLoader classLoader) {
@Override
public void afterPropertiesSet() {
- // no-op due to use of SingletonSupplier for the XStream field.
+ // no-op due to use of SingletonSupplier for the XStream field
}
/**
@@ -479,6 +498,12 @@ else if (this.converters[i] instanceof SingleValueConverter) {
}
}
+ if (this.typePermissions != null) {
+ for (TypePermission permission : this.typePermissions) {
+ xstream.addPermission(permission);
+ }
+ }
+
if (this.marshallingStrategy != null) {
xstream.setMarshallingStrategy(this.marshallingStrategy);
}
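Review bot: The loop `for (TypePermission permission : this.typePermissions) { xstream.addPermission(permission); }` only ever adds permissions, so everything XStream already allows — its defaults plus anything registered earlier in this method — stays allowed, and the setter can only narrow the allowlist if the caller supplies a deny permission explicitly. If my reading of XStream's `addPermission` is right that each call is prepended and the most recently added permission is consulted first, then array order decides which rule wins and callers wanting a strict allowlist must pass `NoTypePermission.NONE` before their allow rules; that contract deserves a comment on the loop, e.g. `// permissions are additive and consulted most-recent-first; pass NoTypePermission.NONE first to drop XStream's defaults`. A null element in the varargs array is also handed straight to `xstream.addPermission`; rejecting it up front (in the file's usual `Assert.notNull` style, if `org.springframework.util.Assert` is imported above this hunk) would fail more clearly than whatever XStream does with a null permission. The enclosing method starts before this hunk.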
@@ -844,7 +869,7 @@ private Object doUnmarshal(HierarchicalStreamReader streamReader, @Nullable Data
*/
protected XmlMappingException convertXStreamException(Exception ex, boolean marshalling) {
if (ex instanceof StreamException || ex instanceof CannotResolveClassException ||
- ex instanceof ConversionException) {
+ ex instanceof ForbiddenClassException || ex instanceof ConversionException) {
if (marshalling) {
return new MarshallingFailureException("XStream marshalling exception", ex);
}
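Review bot: `ForbiddenClassException` is folded into the same generic branch as `StreamException` and `CannotResolveClassException`, so a rejection by XStream's type allowlist — the one case in this chain that signals a possibly hostile document naming a class outside the allowed set — becomes an indistinguishable "XStream marshalling exception" for callers and logs. The cause is preserved, so nothing is lost, but a one-line comment on the condition would tell maintainers why this type sits here and that it is the case worth surfacing for monitoring, e.g. `// ForbiddenClassException: XStream's security framework rejected a type named in the input`. The unmarshalling branch of this method lies past the end of the hunk.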
diff --git a/spring-oxm/src/test/java/org/springframework/oxm/xstream/XStreamMarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/xstream/XStreamMarshallerTests.java
index 5f05936d751a..304d3fcc771b 100644
--- a/spring-oxm/src/test/java/org/springframework/oxm/xstream/XStreamMarshallerTests.java
+++ b/spring-oxm/src/test/java/org/springframework/oxm/xstream/XStreamMarshallerTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@
import com.thoughtworks.xstream.io.json.JettisonMappedXmlDriver;
import com.thoughtworks.xstream.io.json.JsonHierarchicalStreamDriver;
import com.thoughtworks.xstream.io.json.JsonWriter;
+import com.thoughtworks.xstream.security.AnyTypePermission;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.InOrder;
@@ -67,18 +68,21 @@
/**
* @author Arjen Poutsma
* @author Sam Brannen
+ * @author Juergen Hoeller
*/
class XStreamMarshallerTests {
private static final String EXPECTED_STRING = "