From 716dd4a383ffea3e570a970aebb33e3c1838007b Mon Sep 17 00:00:00 2001
From: Arjen Poutsma
Date: Wed, 13 Oct 2010 14:19:48 +0000
Subject: [PATCH] Docs

git-svn-id: https://src.springframework.org/svn/spring-framework/trunk@3751 50f2f4bb-b051-0410-bef5-90022cba6387
---
 spring-framework-reference/src/oxm.xml | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/spring-framework-reference/src/oxm.xml b/spring-framework-reference/src/oxm.xml
index 7a33b990973..38c6ef69245 100644
--- a/spring-framework-reference/src/oxm.xml
+++ b/spring-framework-reference/src/oxm.xml
@@ -667,12 +667,29 @@ public class Application { ... ]]> - + - Note that XStream is an XML serialization library, not a data binding library. Therefore, it has - limited namespace support. As such, it is rather unsuitable for usage within Web services. + By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security + vulnerabilities. + As such, it is recommended to set the supportedClasses property on the + XStreamMarshaller, like so: + + + ... +]]> + This will make sure that only the registered classes are eligible for unmarshalling. - + + Additionally, you can register + custom converters to make sure that only your supported classes can be unmarshalled. + + + + + Note that XStream is an XML serialization library, not a data binding library. Therefore, it has + limited namespace support. As such, it is rather unsuitable for usage within Web services. + +