Docs

commit d9d7fb6f9ad93a995e2436d991a409dda1322f6d 1 parent 4108927
Arjen Poutsma authored
Showing with 21 additions and 4 deletions.
  1. +21 −4 spring-framework-reference/src/oxm.xml
25 spring-framework-reference/src/oxm.xml
@@ -667,12 +667,29 @@ public class Application {
...
</beans>]]></programlisting>
- <note>
+ <warning>
<para>
- Note that XStream is an XML serialization library, not a data binding library. Therefore, it has
- limited namespace support. As such, it is rather unsuitable for usage within Web services.
+ By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
+ vulnerabilities.
+ As such, it is recommended to set the <property>supportedClasses</property> property on the
+ <classname>XStreamMarshaller</classname>, like so:
+ <programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
+ <property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
+ ...
+</bean>]]></programlisting>
+ This will make sure that only the registered classes are eligible for unmarshalling.
</para>
- </note>
+ <para>
+ Additionally, you can register <ulink url="http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/oxm/xstream/XStreamMarshaller.html#setConverters(com.thoughtworks.xstream.converters.ConverterMatcher[])">
+ custom converters</ulink> to make sure that only your supported classes can be unmarshalled.
+ </para>
+ </warning>
+ <note>
+ <para>
+ Note that XStream is an XML serialization library, not a data binding library. Therefore, it has
+ limited namespace support. As such, it is rather unsuitable for usage within Web services.
+ </para>
+ </note>
</section>
</section>
</chapter>
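Review bot: the sentence "This will make sure that only the registered classes are eligible for unmarshalling" asserts that <property>supportedClasses</property> is enforced at unmarshalling time, yet the next paragraph says converters can "additionally" be registered "to make sure that only your supported classes can be unmarshalled", which leaves the reader unsure which of the two mechanisms actually rejects an unlisted class in the payload. Please verify what XStreamMarshaller does when a document names a class outside supportedClasses and state it plainly, so that the warning does not promise more than the property delivers; if supportedClasses alone is not sufficient, the converter advice should be presented as required rather than optional. Two smaller points: the example lists a single class in `value="org.springframework.oxm.xstream.Flight"`, and since the property is a list, showing a second class (comma-separated) would make clear that all application types must be enumerated; and the ulink hard-codes the 3.0.x javadoc URL, which will go stale in later reference versions.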