root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Docs 

git-svn-id: https://src.springframework.org/svn/spring-framework/trunk@3751 50f2f4bb-b051-0410-bef5-90022cba6387
This commit is contained in:
Arjen Poutsma 2010-10-13 14:19:48 +00:00
parent ff620e1f60
commit 716dd4a383
1 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
spring-framework-reference/src/oxm.xml
View File

@ -667,12 +667,29 @@ public class Application {
... ...
</beans>]]></programlisting> </beans>]]></programlisting>
<note> <warning>
<para> <para>
Note that XStream is an XML serialization library, not a data binding library. Therefore, it has By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
limited namespace support. As such, it is rather unsuitable for usage within Web services. vulnerabilities.
As such, it is recommended to set the <property>supportedClasses</property> property on the
<classname>XStreamMarshaller</classname>, like so:
<programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
<property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
...
</bean>]]></programlisting>
This will make sure that only the registered classes are eligible for unmarshalling.
</para> </para>
</note> <para>
Additionally, you can register <ulink url="http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/oxm/xstream/XStreamMarshaller.html#setConverters(com.thoughtworks.xstream.converters.ConverterMatcher[])">
custom converters</ulink> to make sure that only your supported classes can be unmarshalled.
</para>
</warning>
<note>
<para>
Note that XStream is an XML serialization library, not a data binding library. Therefore, it has
limited namespace support. As such, it is rather unsuitable for usage within Web services.
</para>
</note>
</section> </section>
</section> </section>
</chapter> </chapter>