Security framework of XStream not initialized, XStream is probably vulnerable
I keep getting this console error in red while using XStream (1.4.10)
I tried the following:
XStream.setupDefaultSecurity(xs);
and
xs.addPermission(AnyTypePermission.ANY);
xs.addPermission(NoTypePermission.NONE);
none of which got rid of it.
I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x.
When dealing with security issues, I wouldn't take it lightly. Firstly, one should understand the severity of the issue; here is a good write-up.
Then find out how people recommend solving it. A good place to start is the XStream website itself. There is an example which you can use as a starting point on the XStream security page.
This would be my setup, which basically allows most of your code.
XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] { "com.your.package.**" });
However, after diving more into their source code, this is my take:
XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] { "com.your.package.**" });
So essentially, you will need just one line once you upgrade to 1.5.
Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.
I had the same "problem" and solved it by allowing the relevant types:
Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);
Maybe this also helps in your case.
Good luck!
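The following is an added, complete Java example; it is not code from either answer above or from the XStream project. It combines the two approaches in this thread (the package-wildcard allowlist from the first answer and the explicit class list from the second) into one configuration, and then checks that a document whose root names a type outside the allowlist is rejected. The `Order` class, the package pattern `com.example.orders.**` and the XML strings are constructed for the example and are not part of the original posts.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class XStreamAllowlistExample {

    // Hypothetical application type; stands in for your own domain classes.
    public static class Order {
        String id;
        int quantity;

        Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }
    }

    // Builds an XStream instance with an explicit allowlist. Adding any
    // permission marks the security framework as initialized, so the
    // "Security framework of XStream not initialized" warning is not logged.
    public static XStream secureXStream() {
        XStream xstream = new XStream();
        // Clear out existing permissions and start from "nothing allowed".
        xstream.addPermission(NoTypePermission.NONE);
        // Allow the basics: null, primitives and their boxed counterparts.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // String is not a primitive, so allow it explicitly (needed e.g. for
        // a List<String>, where each element is resolved by its type name).
        xstream.allowTypes(new Class[] { String.class });
        // Allow collections and maps so List<Order> / Map<String, Order> work.
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        // Approach from the first answer: allow a whole application package
        // (hypothetical package name, adjust to your own).
        xstream.allowTypesByWildcard(new String[] { "com.example.orders.**" });
        // Approach from the second answer: name the exact classes.
        xstream.allowTypes(new Class[] { Order.class });
        return xstream;
    }

    // Returns true when XStream refuses to deserialize the document because
    // its root type is not on the allowlist.
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();
        xstream.alias("order", Order.class);

        // Allowed type: round trip works and no warning is printed.
        String xml = xstream.toXML(new Order("A-1", 3));
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.id + " x " + back.quantity);

        // Constructed sample document naming a JDK type that is not allowlisted.
        String notAllowed = "<java.util.Date>0</java.util.Date>";
        System.out.println("rejected: " + isRejected(xstream, notAllowed));
    }
}
```

On 1.4.10 the `NoTypePermission.NONE` line is what resets the permissive defaults; once you move to 1.5, where an empty allowlist is the default, the `allowTypes` / `allowTypesByWildcard` calls are the only lines that remain necessary, and everything else can be dropped.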