Interface ConfluenceXStream

All Known Subinterfaces:
ConfluenceXStreamInternal
All Known Implementing Classes:
ConfluenceXStreamImpl

public interface ConfluenceXStream
XStream wrapper that provides XML-based serialization and deserialization of objects. Avoid using XStream directly, so that you take advantage of Confluence's backward compatibility for XStream storage.
  • XStream 1.4.x brings its own security module, as opposed to the past, where we had our own XStreamSecurityClassFilter. This security module, which is required to work in allow-list mode, is not enabled by default.
  • We have introduced the xstream.allowlist.enable system property, which allows customers to enable the XStream allow list and block everything by default.

  • To make your plugin work with the security allowlist, enable the xstream.allowlist.enable system property by setting it to true, or start Confluence in dev mode.
  • Plugins can use a new xstream-security module in atlassian-plugin.xml to configure Confluence's XStreams with types, regex or wildcards. We strongly recommend that plugins implement this so that they are not affected by XStream restrictions if a customer switches to the stricter mode. See:

    <xstream-security key="xstream-set" name="Some XStream allowlist set">
        <type>com.atlassian.test.ExampleClass</type>
        <type>com.atlassian.test.AnotherExampleClass</type>
        <regex>com.atlassian.example.*</regex>
        <wildcard>com.some.package.**</wildcard>
    </xstream-security>
  • These types, regex and wildcards follow what XStream describes in its documentation. See https://x-stream.github.io/security.html#example for more information.
  • XStream 1.4.18 will default to allow-list security behaviour.
Since:
7.10.0
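
What allow-list mode means at the XStream level, as an added stand-alone example (not Confluence or Atlassian code): everything is blocked first, then types are permitted by name, regex and wildcard, and a type outside the list fails in fromXML with an XStreamException. It calls the XStream 1.4.x library directly only to show the mechanism; the classes SavedSetting and Unlisted are constructed samples, and the idea that the descriptor's type, regex and wildcard entries correspond to these three XStream calls is an assumption for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistDemo {
    // Constructed sample types (hypothetical, not Confluence classes).
    public static class SavedSetting { String name = "theme"; int version = 2; }
    public static class Unlisted { String note = "not in the allow list"; }

    static XStream allowlistOnly() {
        XStream xstream = new XStream();
        // Block everything first, then add back only what is expected.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] {String.class, SavedSetting.class});
        // Assumed counterparts of the <type>, <regex> and <wildcard> entries above.
        xstream.allowTypes(new String[] {
            "com.atlassian.test.ExampleClass", "com.atlassian.test.AnotherExampleClass"});
        xstream.allowTypesByRegExp(new String[] {"com.atlassian.example.*"});
        xstream.allowTypesByWildcard(new String[] {"com.some.package.**"});
        return xstream;
    }

    static String roundTrip(XStream xstream, Object value) {
        String xml = xstream.toXML(value);       // serialization is not filtered
        try {
            Object back = xstream.fromXML(xml);  // the type check happens on read
            return "allowed: " + back.getClass().getName();
        } catch (XStreamException e) {
            // A forbidden type surfaces as an XStreamException subclass.
            return "blocked: " + value.getClass().getName()
                    + " (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        XStream xstream = allowlistOnly();
        System.out.println(roundTrip(xstream, new SavedSetting()));
        System.out.println(roundTrip(xstream, new Unlisted()));
    }
}
```

Running the same round trip over every type a plugin persists, with the allow list enabled, shows which types still need an entry in the plugin's xstream-security module.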
  • Method Summary

    Modifier and Type    Method                              Description
    Object               fromXML(Reader reader)              Deserialize an object from an XML Reader.
    Object               fromXML(String xml)                 Deserialize an object from an XML String.
    String               toXML(Object obj)                   Serialize an object to a pretty-printed XML String.
    void                 toXML(Object obj, Writer writer)    Serialize an object to the given Writer as pretty-printed XML.
  • Method Details

    • toXML

      String toXML(Object obj)
      Serialize an object to a pretty-printed XML String.
      Throws:
      com.thoughtworks.xstream.XStreamException - if the object cannot be serialized
    • toXML

      void toXML(Object obj, Writer writer)
      Serialize an object to the given Writer as pretty-printed XML. The Writer will be flushed afterwards and in case of an exception.
      Throws:
      com.thoughtworks.xstream.XStreamException - if the object cannot be serialized
    • fromXML

      Object fromXML(String xml)
      Deserialize an object from an XML String.
      Throws:
      com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized
    • fromXML

      Object fromXML(Reader reader)
      Deserialize an object from an XML Reader.
      Throws:
      com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized