commit d9d7fb6f9ad93a995e2436d991a409dda1322f6d 1 parent 4108927
authored

Showing 1 changed file with 21 additions and 4 deletions.

25  spring-framework-reference/src/oxm.xml
@@ -667,12 +667,29 @@ public class Application {
667 667
     ...
668 668
 
669 669
 </beans>]]></programlisting>
670  
-            <note>
  670
+            <warning>
671 671
                 <para>
672  
-                    Note that XStream is an XML serialization library, not a data binding library. Therefore, it has
673  
-                    limited namespace support. As such, it is rather unsuitable for usage within Web services.
  672
+                  By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
  673
+                  vulnerabilities.
  674
+                  As such, it is recommended to set the <property>supportedClasses</property> property on the
  675
+                  <classname>XStreamMarshaller</classname>, like so:
  676
+                  <programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
  677
+    <property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
  678
+    ...
  679
+</bean>]]></programlisting>
  680
+                  This will make sure that only the registered classes are eligible for unmarshalling.
674 681
                 </para>
675  
-            </note>
  682
+                <para>
  683
+                  Additionally, you can register <ulink url="http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/oxm/xstream/XStreamMarshaller.html#setConverters(com.thoughtworks.xstream.converters.ConverterMatcher[])">
  684
+                  custom converters</ulink> to make sure that only your supported classes can be unmarshalled.
  685
+                </para>
  686
+            </warning>
  687
+          <note>
  688
+              <para>
  689
+                  Note that XStream is an XML serialization library, not a data binding library. Therefore, it has
  690
+                  limited namespace support. As such, it is rather unsuitable for usage within Web services.
  691
+              </para>
  692
+          </note>
676 693
         </section>
677 694
     </section>
678 695
 </chapter>
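Review bot: the sentence "This will make sure that only the registered classes are eligible for unmarshalling" should state where the restriction is enforced. If supportedClasses is only consulted by XStreamMarshaller.supports(Class), a caller that invokes unmarshal() directly on untrusted XML (the exact situation the new warning is about) gets no protection from it, and the sentence overstates the guarantee; either confirm in the text that unmarshal() itself rejects classes outside the list, or soften it to say what supports() does. Two smaller points in the same hunk: the added <para> claiming that custom converters "make sure that only your supported classes can be unmarshalled" gives the reader no idea how a converter is meant to restrict types, so it needs a sentence describing the intended pattern or should be dropped; and the example value `org.springframework.oxm.xstream.Flight` places the sample domain class inside the framework's own package, where it reads like a real Spring class, so a sample package would be clearer.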
