Update security vulnerability test to test default.

xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -17,7 +17,7 @@
 import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
-import com.thoughtworks.xstream.security.ProxyTypePermission;
+import com.thoughtworks.xstream.security.NoTypePermission;
 
 
 /**
@@ -31,8 +31,9 @@ protected void setUp() throws Exception {
         super.setUp();
         BUFFER.setLength(0);
         xstream.alias("runnable", Runnable.class);
-        xstream.allowTypeHierarchy(Runnable.class);
-        xstream.addPermission(ProxyTypePermission.PROXIES);
+    }
+
+    protected void setupSecurity(XStream xstream) {
     }
 
     public void testCannotInjectEventHandler() {
@@ -57,7 +58,6 @@ public void testCannotInjectEventHandler() {
     }
 
     public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
-        xstream = new XStream(createDriver());
         xstream.alias("runnable", Runnable.class);
         final String xml = ""
             + "<string class='runnable-array'>\n"
@@ -109,6 +109,8 @@ public void exec() {
     }
 
     public void testDeniedInstanceOfVoid() {
+        xstream.addPermission(NoTypePermission.NONE); // clear out defaults
+        xstream.denyTypes(new Class[] {Void.class});
         try {
             xstream.fromXML("<void/>");
             fail("Thrown " + ForbiddenClassException.class.getName() + " expected");