com.atlassian.confluence.setup.xstream

Interface ConfluenceXStream

All Known Subinterfaces:

ConfluenceXStreamInternal

All Known Implementing Classes:

ConfluenceXStreamImpl

public interface ConfluenceXStream

XStream wrapper to provide Object's XML based serialization and deserialization. Avoid using XStream directly to take advantages of Confluence's XStream storage backward-compatibility.

• XStream 1.4.x brings its own security module, as opposed to the past where we had our own XStreamSecurityClassFilter . This security module required to work in allow-list mode is not enabled by default.

• We have introduced a xstream.allowlist.enable system property which allows customers to enable the XStream allow list and block everything by default.

• To make your plugin work with the security allowlist, enable xstream.allowlist.enable system property by setting it to true or start Confluence in dev mode.

• Plugins can use a new xstream-security module in atlassian-plugin.xml to configure Confluence's XStreams with types, regex or wildcards. We strongly recommend plugins implement this to avoid XStream restrictions if a customer goes into more strict mode. See:
  

  <xstream-security key = "xstream-set" name="Some XStream allowlist set">
       <type>com.atlassian.test.ExampleClass</type>
       <type>com.atlassian.test.AnotherExampleClass</type>
       <regex>com.atlassian.example.*</regex>
       <wildcard>com.some.package.**</wildcard>
   </xstream-security>

• These types, regex or wildcards are in line with what XStream states in their documentation, See https://x-stream.github.io/security.html#example for more information.
• XStream 1.4.18 will default to allow-list security behaviour.

Since:

7.10.0

Method Summary

Modifier and Type	Method and Description
Object	fromXML(Reader reader) Deserialize an object from an XML Reader.
Object	fromXML(String xml) Deserialize an object from an XML String.
String	toXML(Object obj) Serialize an object to a pretty-printed XML String.
void	toXML(Object obj, Writer writer) Serialize an object to the given Writer as pretty-printed XML.

Method Detail

toXML

String toXML(Object obj)

Serialize an object to a pretty-printed XML String.

Throws:

com.thoughtworks.xstream.XStreamException - if the object cannot be serialized

toXML

void toXML(Object obj,
           Writer writer)

Serialize an object to the given Writer as pretty-printed XML. The Writer will be flushed afterwards and in case of an exception.

Throws:

com.thoughtworks.xstream.XStreamException - if the object cannot be serialized

fromXML

Object fromXML(String xml)

Deserialize an object from an XML String.

Throws:

com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized

fromXML

Object fromXML(Reader reader)

Deserialize an object from an XML Reader.

Throws:

com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized