diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -317,9 +317,6 @@
     private SecurityMapper securityMapper;
     private AnnotationConfiguration annotationConfiguration;
 
-    private transient boolean securityInitialized;
-    private transient boolean securityWarningGiven;
-
     public static final int NO_REFERENCES = 1001;
     public static final int ID_REFERENCES = 1002;
     public static final int XPATH_RELATIVE_REFERENCES = 1003;
@@ -334,16 +331,6 @@
 
     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-    private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
-    private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
-    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
-    private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-    private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
-    private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
-        "javafx\\.collections\\.ObservableList\\$.*");
-    private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
-    private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
 
     /**
      * Constructs a default XStream.
@@ -648,25 +635,86 @@ protected void setupSecurity() {
             return;
         }
 
-        addPermission(AnyTypePermission.ANY);
-        denyTypes(new String[]{
-            "java.beans.EventHandler", //
-            "java.lang.ProcessBuilder", //
-            "javax.imageio.ImageIO$ContainsFilter", //
-            "jdk.nashorn.internal.objects.NativeString", //
-            "com.sun.corba.se.impl.activation.ServerTableEntry", //
-            "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
-            "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
-            "sun.swing.SwingLazyValue"});
-        denyTypesByRegExp(new Pattern[]{
-            LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
-            JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-        denyTypeHierarchy(InputStream.class);
-        denyTypeHierarchyDynamically("java.nio.channels.Channel");
-        denyTypeHierarchyDynamically("javax.activation.DataSource");
-        denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
-        allowTypeHierarchy(Exception.class);
-        securityInitialized = false;
+        addPermission(NoTypePermission.NONE);
+        addPermission(NullPermission.NULL);
+        addPermission(PrimitiveTypePermission.PRIMITIVES);
+        addPermission(ArrayTypePermission.ARRAYS);
+        addPermission(InterfaceTypePermission.INTERFACES);
+        allowTypeHierarchy(Calendar.class);
+        allowTypeHierarchy(Collection.class);
+        allowTypeHierarchy(Map.class);
+        allowTypeHierarchy(Map.Entry.class);
+        allowTypeHierarchy(Member.class);
+        allowTypeHierarchy(Number.class);
+        allowTypeHierarchy(Throwable.class);
+        allowTypeHierarchy(TimeZone.class);
+
+        Class type = JVM.loadClassForName("java.lang.Enum");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+        type = JVM.loadClassForName("java.nio.file.Path");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+
+        final Set types = new HashSet();
+        types.add(BitSet.class);
+        types.add(Charset.class);
+        types.add(Class.class);
+        types.add(Currency.class);
+        types.add(Date.class);
+        types.add(DecimalFormatSymbols.class);
+        types.add(File.class);
+        types.add(Locale.class);
+        types.add(Object.class);
+        types.add(Pattern.class);
+        types.add(StackTraceElement.class);
+        types.add(String.class);
+        types.add(StringBuffer.class);
+        types.add(JVM.loadClassForName("java.lang.StringBuilder"));
+        types.add(URL.class);
+        types.add(URI.class);
+        types.add(JVM.loadClassForName("java.util.UUID"));
+        if (JVM.isSQLAvailable()) {
+            types.add(JVM.loadClassForName("java.sql.Timestamp"));
+            types.add(JVM.loadClassForName("java.sql.Time"));
+            types.add(JVM.loadClassForName("java.sql.Date"));
+        }
+        if (JVM.isVersion(8)) {
+            allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
+            types.add(JVM.loadClassForName("java.time.Duration"));
+            types.add(JVM.loadClassForName("java.time.Instant"));
+            types.add(JVM.loadClassForName("java.time.LocalDate"));
+            types.add(JVM.loadClassForName("java.time.LocalDateTime"));
+            types.add(JVM.loadClassForName("java.time.LocalTime"));
+            types.add(JVM.loadClassForName("java.time.MonthDay"));
+            types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
+            types.add(JVM.loadClassForName("java.time.OffsetTime"));
+            types.add(JVM.loadClassForName("java.time.Period"));
+            types.add(JVM.loadClassForName("java.time.Ser"));
+            types.add(JVM.loadClassForName("java.time.Year"));
+            types.add(JVM.loadClassForName("java.time.YearMonth"));
+            types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
+            types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
+            types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.Ser"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
+            types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
+            types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
+        }
+        types.remove(null);
+
+        final Iterator iter = types.iterator();
+        final Class[] classes = new Class[types.size()];
+        for (int i = 0; i < classes.length; ++i) {
+            classes[i] = (Class)iter.next();
+        }
+        allowTypes(classes);
     }
 
     private void denyTypeHierarchyDynamically(String className) {
@@ -679,99 +727,16 @@ private void denyTypeHierarchyDynamically(String className) {
     /**
      * Setup the security framework of a XStream instance.
      * <p>
-     * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
-     * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
-     * therefore nothing in XStream 1.5.
+     * This method was a pure helper method for XStream 1.4.10 to 1.4.17.  It initialized an XStream instance with a
+     * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.18 by default.  This
+     * method will do therefore nothing in XStream 1.4.18 or higher.
      * </p>
      * 
      * @param xstream
      * @since 1.4.10
+     * @deprecated As of 1.4.18
      */
     public static void setupDefaultSecurity(final XStream xstream) {
-        if (!xstream.securityInitialized) {
-            xstream.addPermission(NoTypePermission.NONE);
-            xstream.addPermission(NullPermission.NULL);
-            xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
-            xstream.addPermission(ArrayTypePermission.ARRAYS);
-            xstream.addPermission(InterfaceTypePermission.INTERFACES);
-            xstream.allowTypeHierarchy(Calendar.class);
-            xstream.allowTypeHierarchy(Collection.class);
-            xstream.allowTypeHierarchy(Map.class);
-            xstream.allowTypeHierarchy(Map.Entry.class);
-            xstream.allowTypeHierarchy(Member.class);
-            xstream.allowTypeHierarchy(Number.class);
-            xstream.allowTypeHierarchy(Throwable.class);
-            xstream.allowTypeHierarchy(TimeZone.class);
-
-            Class type = JVM.loadClassForName("java.lang.Enum");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-            type = JVM.loadClassForName("java.nio.file.Path");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-
-            final Set types = new HashSet();
-            types.add(BitSet.class);
-            types.add(Charset.class);
-            types.add(Class.class);
-            types.add(Currency.class);
-            types.add(Date.class);
-            types.add(DecimalFormatSymbols.class);
-            types.add(File.class);
-            types.add(Locale.class);
-            types.add(Object.class);
-            types.add(Pattern.class);
-            types.add(StackTraceElement.class);
-            types.add(String.class);
-            types.add(StringBuffer.class);
-            types.add(JVM.loadClassForName("java.lang.StringBuilder"));
-            types.add(URL.class);
-            types.add(URI.class);
-            types.add(JVM.loadClassForName("java.util.UUID"));
-            if (JVM.isSQLAvailable()) {
-                types.add(JVM.loadClassForName("java.sql.Timestamp"));
-                types.add(JVM.loadClassForName("java.sql.Time"));
-                types.add(JVM.loadClassForName("java.sql.Date"));
-            }
-            if (JVM.isVersion(8)) {
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
-                types.add(JVM.loadClassForName("java.time.Duration"));
-                types.add(JVM.loadClassForName("java.time.Instant"));
-                types.add(JVM.loadClassForName("java.time.LocalDate"));
-                types.add(JVM.loadClassForName("java.time.LocalDateTime"));
-                types.add(JVM.loadClassForName("java.time.LocalTime"));
-                types.add(JVM.loadClassForName("java.time.MonthDay"));
-                types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
-                types.add(JVM.loadClassForName("java.time.OffsetTime"));
-                types.add(JVM.loadClassForName("java.time.Period"));
-                types.add(JVM.loadClassForName("java.time.Ser"));
-                types.add(JVM.loadClassForName("java.time.Year"));
-                types.add(JVM.loadClassForName("java.time.YearMonth"));
-                types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
-                types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
-                types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.Ser"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
-                types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
-                types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
-            }
-            types.remove(null);
-
-            final Iterator iter = types.iterator();
-            final Class[] classes = new Class[types.size()];
-            for (int i = 0; i < classes.length; ++i) {
-                classes[i] = (Class)iter.next();
-            }
-            xstream.allowTypes(classes);
-        } else {
-            throw new IllegalArgumentException("Security framework of XStream instance already initialized");
-        }
     }
 
     protected void setupAliases() {
@@ -1423,13 +1388,7 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
      */
     public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
         try {
-            if (!securityInitialized && !securityWarningGiven) {
-                securityWarningGiven = true;
-                System.err.println(
-                    "Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
-            }
             return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
-
         } catch (ConversionException e) {
             Package pkg = getClass().getPackage();
             String version = pkg != null ? pkg.getImplementationVersion() : null;
@@ -2257,7 +2216,6 @@ public void autodetectAnnotations(boolean mode) {
      */
     public void addPermission(TypePermission permission) {
         if (securityMapper != null) {
-            securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
             securityMapper.addPermission(permission);
         }
     }
@@ -2412,11 +2370,6 @@ public void denyTypesByWildcard(String[] patterns) {
         denyPermission(new WildcardTypePermission(patterns));
     }
 
-    private Object readResolve() {
-        securityWarningGiven = true;
-        return this;
-    }
-
     /**
      * @deprecated As of 1.3, use {@link com.thoughtworks.xstream.InitializationException} instead
      */

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStreamer.java b/xstream/src/java/com/thoughtworks/xstream/XStreamer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2014, 2016, 2017, 2018 XStream Committers.
+ * Copyright (C) 2006, 2007, 2014, 2016, 2017, 2018, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -107,7 +107,6 @@ public String toXML(final XStream xstream, final Object obj) throws ObjectStream
     public void toXML(final XStream xstream, final Object obj, final Writer out)
             throws IOException {
         final XStream outer = new XStream();
-        XStream.setupDefaultSecurity(outer);
         final ObjectOutputStream oos = outer.createObjectOutputStream(out);
         try {
             oos.writeObject(xstream);
@@ -268,7 +267,6 @@ public Object fromXML(final HierarchicalStreamDriver driver, final Reader xml)
     public Object fromXML(final HierarchicalStreamDriver driver, final Reader xml, final TypePermission[] permissions)
             throws IOException, ClassNotFoundException {
         final XStream outer = new XStream(driver);
-        XStream.setupDefaultSecurity(outer);
         for(int i = 0; i < permissions.length; ++i) {
             outer.addPermission(permissions[i]);
         }

diff --git a/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java b/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2014, 2015 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2014, 2015, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -11,23 +11,9 @@
  */
 package com.thoughtworks.acceptance;
 
-import java.lang.reflect.AccessibleObject;
 import java.lang.reflect.Array;
-import java.net.URL;
-import java.nio.charset.Charset;
-import java.text.DecimalFormatSymbols;
-import java.util.BitSet;
-import java.util.Calendar;
-import java.util.Collection;
-import java.util.Currency;
-import java.util.Date;
-import java.util.Locale;
-import java.util.Map;
-import java.util.TimeZone;
-import java.util.regex.Pattern;
 import java.io.ByteArrayOutputStream;
 import java.io.ByteArrayInputStream;
-import java.io.File;
 import java.io.StringReader;
 import java.io.StringWriter;
 
@@ -45,11 +31,6 @@
 import com.thoughtworks.xstream.io.binary.BinaryStreamWriter;
 import com.thoughtworks.xstream.io.binary.BinaryStreamReader;
 import com.thoughtworks.xstream.io.xml.XppDriver;
-import com.thoughtworks.xstream.security.ArrayTypePermission;
-import com.thoughtworks.xstream.security.InterfaceTypePermission;
-import com.thoughtworks.xstream.security.NoTypePermission;
-import com.thoughtworks.xstream.security.NullPermission;
-import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 
 public abstract class AbstractAcceptanceTest extends TestCase {
 
@@ -78,23 +59,6 @@ protected HierarchicalStreamDriver createDriver() {
     }
 
     protected void setupSecurity(XStream xstream) {
-        xstream.addPermission(NoTypePermission.NONE); // clear out defaults
-        xstream.addPermission(NullPermission.NULL);
-        xstream.addPermission(ArrayTypePermission.ARRAYS);
-        xstream.addPermission(InterfaceTypePermission.INTERFACES);
-        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
-        xstream.allowTypeHierarchy(AccessibleObject.class);
-        xstream.allowTypeHierarchy(Calendar.class);
-        xstream.allowTypeHierarchy(Collection.class);
-        xstream.allowTypeHierarchy(Map.class);
-        xstream.allowTypeHierarchy(Map.Entry.class);
-        xstream.allowTypeHierarchy(Number.class);
-        xstream.allowTypeHierarchy(TimeZone.class);
-        xstream.allowTypeHierarchy(Throwable.class);
-        xstream.allowTypes(new Class[]{
-            BitSet.class, Charset.class, Class.class, Currency.class, Date.class, DecimalFormatSymbols.class,
-            File.class, Locale.class, Object.class, Pattern.class, StackTraceElement.class, String.class,
-            StringBuffer.class, URL.class});
         xstream.allowTypesByWildcard(new String[]{
             AbstractAcceptanceTest.class.getPackage().getName()+".*objects.**",
             this.getClass().getName()+"$*"
@@ -110,8 +74,7 @@ protected Object assertBothWaysNormalized(Object root, String xml, final String
             assertEquals(
                 normalizedXML(xml, new String[]{match}, templateSelect, sortSelect), resultXml);
 
-            // Now deserialize the XML back into the object and check it equals the original
-            // object.
+            // Now deserialize the XML back into the object and check it equals the original object.
             Object resultRoot = xstream.fromXML(resultXml);
             assertObjectsEqual(root, resultRoot);
 

diff --git a/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java b/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2016, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2016, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -100,7 +100,6 @@ private void test(final HierarchicalStreamDriver driver, final String encoding)
             + "</test>";
 
         final XStream xstream = new XStream(driver);
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"});
         xstream.alias("test", TestObject.class);
         final TestObject obj = new TestObject();

diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java
@@ -205,7 +205,6 @@ public void testSerializeWithDomDriverAndPureJavaReflectionProviderAndActiveSecu
     }
 
     private void assertBothWays() {
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.objects.*"});
         xstream.alias("software", Software.class);
 

diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -25,6 +25,7 @@
 import com.thoughtworks.xstream.core.JVM;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
+import com.thoughtworks.xstream.security.ProxyTypePermission;
 
 
 /**
@@ -38,9 +39,8 @@ protected void setUp() throws Exception {
         super.setUp();
         BUFFER.setLength(0);
         xstream.alias("runnable", Runnable.class);
-    }
-
-    protected void setupSecurity(XStream xstream) {
+        xstream.allowTypeHierarchy(Runnable.class);
+        xstream.addPermission(ProxyTypePermission.PROXIES);
     }
 
     public void testCannotInjectEventHandler() {
@@ -64,28 +64,6 @@ public void testCannotInjectEventHandler() {
         assertEquals(0, BUFFER.length());
     }
 
-    public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
-        xstream.alias("runnable", Runnable.class);
-        final String xml = ""
-            + "<string class='runnable-array'>\n"
-            + "  <dynamic-proxy>\n"
-            + "    <interface>java.lang.Runnable</interface>\n"
-            + "    <handler class='java.beans.EventHandler'>\n"
-            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-            + "      <action>exec</action>\n"
-            + "    </handler>\n"
-            + "  </dynamic-proxy>\n"
-            + "</string>";
-
-        try {
-            xstream.fromXML(xml);
-            fail("Thrown " + XStreamException.class.getName() + " expected");
-        } catch (final XStreamException e) {
-            assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) >= 0);
-        }
-        assertEquals(0, BUFFER.length());
-    }
-
     public void testExplicitlyConvertEventHandler() {
         final String xml = ""
             + "<string class='runnable-array'>\n"
@@ -106,39 +84,6 @@ public void testExplicitlyConvertEventHandler() {
         assertEquals("Executed!", BUFFER.toString());
     }
 
-    public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
-        if (JVM.isVersion(7)) {
-            final String xml = ""
-                + "<string class='javax.imageio.spi.FilterIterator'>\n"
-                + " <iter class='java.util.ArrayList$Itr'>\n"
-                + "   <cursor>0</cursor>\n"
-                + "   <lastRet>1</lastRet>\n"
-                + "   <expectedModCount>1</expectedModCount>\n"
-                + "   <outer-class>\n"
-                + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
-                + "   </outer-class>\n"
-                + " </iter>\n"
-                + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
-                + "   <method>\n"
-                + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
-                + "     <name>exec</name>\n"
-                + "     <parameter-types/>\n"
-                + "   </method>\n"
-                + "   <name>exec</name>\n"
-                + " </filter>\n"
-                + " <next/>\n"
-                + "</string>";
-
-            try {
-                xstream.fromXML(xml);
-                fail("Thrown " + XStreamException.class.getName() + " expected");
-            } catch (final XStreamException e) {
-                assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
-            }
-            assertEquals(0, BUFFER.length());
-        }
-    }
-
     public void testExplicitlyConvertImageIOContainsFilter() {
         if (JVM.isVersion(7)) {
             final String xml = ""
@@ -163,6 +108,7 @@ public void testExplicitlyConvertImageIOContainsFilter() {
                 + "</string>";
 
             xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
+            xstream.allowTypeHierarchy(Iterator.class);
 
             final Iterator iterator = (Iterator)xstream.fromXML(xml);
             assertEquals(0, BUFFER.length());
@@ -182,8 +128,8 @@ public void testInstanceOfVoid() {
         try {
             xstream.fromXML("<void/>");
             fail("Thrown " + ConversionException.class.getName() + " expected");
-        } catch (final ConversionException e) {
-            assertEquals("void", e.get("construction-type"));
+        } catch (final ForbiddenClassException e) {
+            // OK
         }
     }
 
@@ -208,18 +154,6 @@ public void testAllowedInstanceOfVoid() {
         }
     }
 
-    public static class LazyIterator {}
-
-    public void testInstanceOfLazyIterator() {
-        xstream.alias("lazy-iterator", LazyIterator.class);
-        try {
-            xstream.fromXML("<lazy-iterator/>");
-            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-        } catch (final ForbiddenClassException e) {
-            // OK
-        }
-    }
-
     public void testCannotUseJaxwsInputStreamToDeleteFile() {
         if (JVM.isVersion(5)) {
             final String xml = ""

diff --git a/...rc/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java b/...rc/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2017 XStream Committers.
+ * Copyright (C) 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -27,7 +27,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypes(new Class[]{
             FieldConverterTest.TaskWithAnnotations.class, ImplicitCollectionTest.ImplicitRootOne.class});
         xstream.registerConverter(new AnnotationReflectionConverter(xstream.getMapper(), xstream

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -30,7 +30,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.alias("simple", SimpleEnum.class);
         xstream.alias("polymorphic", PolymorphicEnum.class);
     }

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2017 XStream Committers.
+ * Copyright (C) 2008, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -30,7 +30,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypes(new Class[] {TypeWithEnums.class});
         xstream.alias("simple", SimpleEnum.class);
         xstream.alias("polymorphic", PolymorphicEnum.class);

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -24,7 +24,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
     }
 
     public void testIncludesEnumTypeInSerializedForm() {

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2017 XStream Committers.
+ * Copyright (C) 2008, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -34,7 +34,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"});
         xstream.alias("simple", SimpleEnum.class);
         xstream.alias("polymorphic", PolymorphicEnum.class);

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2013, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -24,7 +24,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
     }
 
     public void testPutsEnumsInCompactCommaSeparatedString() {

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2017 XStream Committers.
+ * Copyright (C) 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -32,7 +32,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.alias("simple", SimpleEnum.class);
         xstream.alias("big", BigEnum.class);
         xstream.alias("polymorphic", PolymorphicEnum.class);

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004 Joe Walnes.
- * Copyright (C) 2006, 2007, 2013, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -44,7 +44,6 @@ protected void setUp() throws Exception {
         super.setUp();
         // fonts should be serializable also with pure Java
         xstream = new XStream(new PureJavaReflectionProvider());
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypes(new Class[] {Font.class, TextAttribute.class, TransformAttribute.class, AffineTransform.class});
         in = new Font("Arial", Font.BOLD, 20);
     }

diff --git a/...src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java b/...src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -26,7 +26,6 @@
     public void testCalendar() {
         final Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
         final XStream xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         final String xml = xstream.toXML(cal);
         final Calendar serialized = (Calendar)xstream.fromXML(xml);
         assertEquals(cal, serialized);

diff --git a/...c/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java b/...c/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -43,7 +43,6 @@ protected void tearDown() throws Exception {
 
     private XStream createXStream() {
         XStream xs = new XStream();
-        XStream.setupDefaultSecurity(xs);
         return xs;
     }
 

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -22,7 +22,6 @@
 
     private XStream createXStream() {
         XStream xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"});
         return xstream;
     }

diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2010, 2013, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2010, 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -73,7 +73,6 @@ public void testSerializesAllPrimitiveFieldsInACustomObject() {
 
     private XStream createXStream() {
         XStream xstream = new XStream(new XppDriver());
-        XStream.setupDefaultSecurity(xstream);
         return xstream;
     }
 

diff --git a/...am/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java b/...am/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2014, 2017 XStream Committers.
+ * Copyright (C) 2007, 2014, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -29,7 +29,6 @@
 
     private XStream createXStream() {
         XStream xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"});
         return xstream;
     }

diff --git a/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java b/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java
@@ -102,7 +102,6 @@ public DriverEndToEndTestSuite() {
 
     private void testObject(final HierarchicalStreamDriver driver) {
         final XStream xstream = new XStream(driver);
-        xstream.setupDefaultSecurity(xstream);
         xstream.allowTypes(new Class[] { SampleLists.class });
         xstream.registerConverter(new CollectionConverter(xstream.getMapper()) {
 

diff --git a/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java b/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2008, 2009, 2010, 2011, 2013, 2016, 2017, 2018 XStream Committers.
+ * Copyright (C) 2007, 2008, 2009, 2010, 2011, 2013, 2016, 2017, 2018, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -58,7 +58,6 @@ protected void setUp() throws Exception {
         super.setUp();
         TimeZoneChanger.change("UTC");
         xstream = new XStream(new JettisonMappedXmlDriver());
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[]{
             getClass().getName() + "$*", "com.thoughtworks.acceptance.objects.*"});
         xstream.alias("category", Category.class);
@@ -94,7 +93,6 @@ public void testJettisonConfigured()
             Configuration config = new Configuration();
             setTypeConverter.invoke(config, new Object[]{typeConverter});
             xstream = new XStream(new JettisonMappedXmlDriver(config));
-            XStream.setupDefaultSecurity(xstream);
             xstream.allowTypesByWildcard(new String[]{"com.thoughtworks.acceptance.objects.*"});
             xstream.alias("product", Product.class);
             Product product = new Product("Banana", "123", 23.00);

diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2017 XStream Committers.
+ * Copyright (C) 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -31,7 +31,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.someobjects.*"});
         xstream.alias("x", X.class);
     }

diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -32,7 +32,6 @@
     protected void setUp() throws Exception {
         super.setUp();
         xstream = new XStream();
-        XStream.setupDefaultSecurity(xstream);
         xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.someobjects.*"});
         xstream.alias("x", X.class);
     }

diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -51,7 +51,6 @@ public void testCanOverloadStaxReaderAndWriterInstantiation() {
         System.setProperty(XMLOutputFactory.class.getName(), XMLOutputFactoryBase.class.getName());
         final MyStaxDriver driver = new MyStaxDriver();
         xstream = new XStream(driver);
-        XStream.setupDefaultSecurity(xstream);
         assertBothWays("Hi", "<?xml version='1.0' encoding='utf-8'?><string>Hi</string>");
         assertTrue(driver.createStaxReaderCalled);
         assertTrue(driver.createStaxWriterCalled);

diff --git a/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java b/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2017 XStream Committers.
+ * Copyright (C) 2008, 2009, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -61,7 +61,6 @@ private void clear(File dir) {
 
     private XStream createXStream() {
         XStream xstream = new XStream(new DomDriver());
-        XStream.setupDefaultSecurity(xstream);
         return xstream;
     }
 

diff --git a/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java b/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2007, 2008, 2009, 2017 XStream Committers.
+ * Copyright (C) 2007, 2008, 2009, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -59,7 +59,6 @@ private void clear(File dir) {
 
     private XStream createXStream() {
         XStream xstream = new XStream(new DomDriver());
-        XStream.setupDefaultSecurity(xstream);
         return xstream;
     }