17.8.1 XStreamMarshaller

The XStreamMarshaller does not require any configuration and can be configured in an application context directly. To further customize the XML, you can set an alias map, which consists of string aliases mapped to classes:

<beans>
    <bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
        <property name="aliases">
            <props>
                <prop key="Flight">org.springframework.oxm.xstream.Flight</prop>
            </props>
        </property>
    </bean>
    ...
</beans>
By default, XStream allows arbitrary classes to be unmarshalled, which can result in security vulnerabilities: the root element of an incoming document (or an alias for it) selects the class that XStream instantiates and populates, so whoever controls the XML also controls which types get created. As such, it is not recommended to use the XStreamMarshaller to unmarshal XML from external sources (i.e. the Web). If you do use the XStreamMarshaller to unmarshal XML from an external source, set the supportedClasses property on the XStreamMarshaller, like so:

...

This will make sure that only the registered classes are eligible for unmarshalling.

Additionally, you can register custom converters to make sure that only your supported classes can be unmarshalled. Register a converter for each domain class that should be supported, and add a CatchAllConverter as the last converter XStream consults, i.e. at a lower priority than your domain converters but no lower than XStream's normal priority. A CatchAllConverter accepts every type and throws on (un)marshalling, so any type your own converters do not explicitly handle is rejected, and the default XStream converters with lower priorities and possible security vulnerabilities do not get invoked.
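The following class is an added example, not code from the Spring reference or from the Spring Framework itself. It wires the two measures described above programmatically: supportedClasses restricts what the marshaller reports as supported, and an explicit converter for the domain class plus a CatchAllConverter ensures that nothing else is ever converted. The Flight class, the FlightConverter and the two XML documents are constructed for this example; it assumes the Spring 4.x-era XStreamMarshaller API and XStream 1.4. Converter priorities are set directly on the XStream instance rather than through the setConverters list so that the lookup order is unambiguous: XStream tries higher-priority converters first.

```java
// Added example (not from the Spring reference): an XStreamMarshaller locked down
// for XML that arrives from an untrusted source. Flight, FlightConverter and the
// sample documents below are assumptions made for this example.
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.xstream.CatchAllConverter;
import org.springframework.oxm.xstream.XStreamMarshaller;

public class LockedDownXStreamExample {

    /** The one domain class this endpoint is willing to accept (assumed for the example). */
    public static class Flight {
        private String number;
        public String getNumber() { return number; }
        public void setNumber(String number) { this.number = number; }
    }

    /**
     * Explicit converter for Flight. It reads and writes the child elements itself,
     * so XStream never falls back to a reflection-based default converter for it.
     */
    public static class FlightConverter implements Converter {
        @Override
        @SuppressWarnings("rawtypes")
        public boolean canConvert(Class type) {
            return Flight.class.equals(type);
        }

        @Override
        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            writer.startNode("number");
            writer.setValue(((Flight) source).getNumber());
            writer.endNode();
        }

        @Override
        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            Flight flight = new Flight();
            while (reader.hasMoreChildren()) {
                reader.moveDown();
                if ("number".equals(reader.getNodeName())) {
                    flight.setNumber(reader.getValue());
                }
                reader.moveUp();
            }
            return flight;
        }
    }

    /** Marshaller that supports Flight and rejects everything else at conversion time. */
    public static XStreamMarshaller lockedDownMarshaller() throws Exception {
        XStreamMarshaller marshaller = new XStreamMarshaller();
        // Same alias as the bean definition above, set programmatically.
        marshaller.setAliases(Collections.singletonMap("Flight", Flight.class));
        // Only Flight is reported as supported by supports(Class).
        marshaller.setSupportedClasses(Flight.class);
        marshaller.afterPropertiesSet();

        // XStream consults converters from highest to lowest priority. The domain
        // converter sits above the catch-all; the catch-all sits at PRIORITY_NORMAL,
        // which is above XStream's reflection/Serializable/Externalizable defaults and
        // ahead of its other normal-priority defaults because it was registered later.
        XStream xstream = marshaller.getXStream();
        xstream.registerConverter(new FlightConverter(), XStream.PRIORITY_VERY_HIGH);
        xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_NORMAL);
        return marshaller;
    }

    public static void main(String[] args) throws Exception {
        XStreamMarshaller marshaller = lockedDownMarshaller();

        // Expected input (constructed): the aliased root maps to Flight and round-trips.
        String good = "<Flight><number>LH123</number></Flight>";
        Flight flight = (Flight) marshaller.unmarshal(new StreamSource(new StringReader(good)));
        StringWriter out = new StringWriter();
        marshaller.marshal(flight, new StreamResult(out));
        System.out.println("accepted: " + flight.getNumber() + " -> " + out);

        // Hostile input (constructed, harmless stand-in): the root names a class we never
        // registered. No explicit converter matches, CatchAllConverter throws, and Spring
        // translates the failure into an XmlMappingException before anything is populated.
        String bad = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        try {
            marshaller.unmarshal(new StreamSource(new StringReader(bad)));
            System.out.println("unexpected: hostile document was accepted");
        } catch (XmlMappingException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("supports(ArrayList)? " + marshaller.supports(java.util.ArrayList.class));
    }
}
```

Two design points are worth noting. First, supportedClasses governs what supports(Class) reports, which callers such as message converters check before unmarshalling; the CatchAllConverter is what actually stops conversion of any other type, so the two controls complement each other. Second, XStream resolves the class named by the root element before it consults converters, so the catch-all prevents conversion rather than class lookup; if you have XStream 1.4.7 or later, its own type permissions (an allow-list of classes) are a further, independent control that this page does not cover.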
Note that XStream is an XML serialization library, not a data binding library. Therefore, it has limited namespace support, which makes it rather unsuitable for use within Web services.
