Package org.springframework.oxm.xstream

Types

CatchAllConverter

open class CatchAllConverter : Converter

XStream Converter that supports all classes, but throws exceptions for (un)marshalling.

The main purpose of this class is to register this converter as a catch-all last converter with a normal or higher priority, in addition to converters that explicitly handle the domain classes that should be supported. As a result, default XStream converters with lower priorities and possible security vulnerabilities do not get invoked.

For instance:

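    XStreamMarshaller unmarshaller = new XStreamMarshaller();
    // Explicit converter for the supported domain class, consulted first
    unmarshaller.getXStream().registerConverter(new MyDomainClassConverter(), XStream.PRIORITY_VERY_HIGH);
    // Catch-all: claims every other class and throws instead of (un)marshalling it
    unmarshaller.getXStream().registerConverter(new CatchAllConverter(), XStream.PRIORITY_NORMAL);
    // unmarshal(Source) returns Object, so the result has to be cast
    MyDomainClass myObject = (MyDomainClass) unmarshaller.unmarshal(source);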

XStreamMarshaller

open class XStreamMarshaller : AbstractMarshaller, BeanClassLoaderAware, InitializingBean

Implementation of the Marshaller interface for XStream.

By default, XStream does not require any further configuration and can (un)marshal any class on the classpath. As such, it is not recommended to use the XStreamMarshaller to unmarshal XML from external sources (i.e. the Web), as this can result in security vulnerabilities. If you do use the XStreamMarshaller to unmarshal external XML, set the supportedClasses and converters properties (possibly using a CatchAllConverter) or override the customizeXStream(XStream) method to make sure it only accepts the classes you want it to support.

Due to XStream's API, it is required to set the encoding used for writing to OutputStreams. It defaults to UTF-8.

NOTE: XStream is an XML serialization library, not a data binding library. Therefore, it has limited namespace support. As such, it is rather unsuitable for usage within Web Services.

This marshaller requires XStream 1.4.5 or higher, as of Spring 4.3. Note that XStream construction has been reworked in 4.0, with the stream driver and the class loader getting passed into XStream itself now.
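
The restriction recommended above for external XML, shown as an added example (not code from the Spring project): a marshaller that overrides customizeXStream(XStream) so that one domain class has an explicit converter and every other type is claimed by CatchAllConverter. Order, OrderConverter, RestrictedUnmarshalDemo and the two XML strings are constructed for illustration; it assumes an XStream and Spring combination in which the domain type is permitted for deserialization and XStream's default XML pull parser is on the classpath.

```java
import java.io.StringReader;
import javax.xml.transform.stream.StreamSource;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.*;
import com.thoughtworks.xstream.io.*;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.xstream.*;

public class RestrictedUnmarshalDemo {
    static class Order { String id; }          // hypothetical domain class

    // Hypothetical converter: claims only Order and reads its one child as plain
    // text, so no nested converter lookup (and no default converter) is involved.
    static class OrderConverter implements Converter {
        @Override public boolean canConvert(Class type) { return Order.class.equals(type); }
        @Override public void marshal(Object src, HierarchicalStreamWriter w, MarshallingContext ctx) {
            w.startNode("id"); w.setValue(((Order) src).id); w.endNode();
        }
        @Override public Object unmarshal(HierarchicalStreamReader r, UnmarshallingContext ctx) {
            Order o = new Order();
            r.moveDown(); o.id = r.getValue(); r.moveUp();
            return o;
        }
    }

    static XStreamMarshaller restrictedMarshaller() {
        XStreamMarshaller m = new XStreamMarshaller() {
            @Override protected void customizeXStream(XStream xstream) {
                xstream.alias("order", Order.class);
                xstream.registerConverter(new OrderConverter(), XStream.PRIORITY_VERY_HIGH);
                // Outranks the reflection-based default converters, so they are never reached.
                xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_NORMAL);
            }
        };
        m.setSupportedClasses(Order.class);     // supports(Class) now reports only Order
        return m;
    }

    static Object read(XStreamMarshaller m, String xml) throws Exception {
        return m.unmarshal(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        XStreamMarshaller m = restrictedMarshaller();
        Order ok = (Order) read(m, "<order><id>A-17</id></order>");   // constructed input
        System.out.println("accepted Order " + ok.id);
        try {   // constructed input naming a type that has no explicit converter
            read(m, "<java.awt.Point><x>1</x><y>2</y></java.awt.Point>");
            System.out.println("unexpected: unlisted type was unmarshalled");
        } catch (XmlMappingException ex) {
            System.out.println("rejected unlisted type: " + ex.getClass().getSimpleName());
        }
    }
}
```

The domain converter reads its fields directly because any nested type it delegated to XStream would also have to be covered by an explicit converter ranked above the catch-all.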