Interface ConfluenceXStream

  • All Known Subinterfaces:
    ConfluenceXStreamInternal
    All Known Implementing Classes:
    ConfluenceXStreamImpl

    public interface ConfluenceXStream
    XStream wrapper that provides XML-based serialization and deserialization of objects. Avoid using XStream directly, so that you take advantage of Confluence's XStream storage backward compatibility.
    • XStream 1.4.x brings its own security module, as opposed to the past, where we had our own XStreamSecurityClassFilter. This security module, which is required to work in allow-list mode, is not enabled by default.
    • We have introduced an xstream.allowlist.enable system property, which allows customers to enable the XStream allow list and block everything by default.

    • To make your plugin work with the security allowlist, enable the xstream.allowlist.enable system property by setting it to true, or start Confluence in dev mode.
    • Plugins can use a new xstream-security module in atlassian-plugin.xml to configure Confluence's XStreams with types, regex or wildcards. We strongly recommend that plugins implement this to avoid XStream restrictions if a customer switches to a stricter mode. See:

      <xstream-security key="xstream-set" name="Some XStream allowlist set">
          <type>com.atlassian.test.ExampleClass</type>
          <type>com.atlassian.test.AnotherExampleClass</type>
          <regex>com.atlassian.example.*</regex>
          <wildcard>com.some.package.**</wildcard>
      </xstream-security>
    • These types, regex or wildcards are in line with what XStream states in its documentation. See https://x-stream.github.io/security.html#example for more information.
    • XStream 1.4.18 will default to allow-list security behaviour.
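The allow-list behaviour described above, shown with the plain XStream security API that this interface wraps. This is an added example, not Confluence's own code; it assumes an XStream 1.4.x jar on the classpath, and the nested classes and com.example.plugin package names are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowListDemo {
    // Hypothetical plugin types, constructed for this example.
    public static class Settings { String theme = "dark"; int pageSize = 25; }
    public static class Unlisted { String note = "not on the allow list"; }

    static XStream strictXStream() {
        XStream xs = new XStream();
        // Allow-list mode: block every type, then add back only what is expected.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class });
        // Counterpart of <type>: one exact class name.
        xs.allowTypes(new String[] { Settings.class.getName() });
        // Counterpart of <regex>: a regular expression over the class name.
        xs.allowTypesByRegExp(new String[] { "com\\.example\\.plugin\\.model\\..*" });
        // Counterpart of <wildcard>: "**" also covers sub-packages.
        xs.allowTypesByWildcard(new String[] { "com.example.plugin.dto.**" });
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = strictXStream();
        for (Object value : new Object[] { new Settings(), new Unlisted() }) {
            String xml = xs.toXML(value);
            try {
                // Types named in the XML are checked against the allow list here.
                Object back = xs.fromXML(xml);
                System.out.println("accepted: " + back.getClass().getName());
            } catch (XStreamException e) {
                // A type outside the allow list surfaces as an XStreamException subclass.
                System.out.println("rejected: " + value.getClass().getName()
                        + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

A plugin type that is persisted through XStream but missing from the plugin's xstream-security module fails in the same way as Unlisted once a customer enables the allow list.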
    Since:
    7.10.0
    • Method Detail

      • toXML

        String toXML(Object obj)
        Serialize an object to a pretty-printed XML String.
        Throws:
        com.thoughtworks.xstream.XStreamException - if the object cannot be serialized
      • toXML

        void toXML(Object obj,
                   Writer writer)
        Serialize an object to the given Writer as pretty-printed XML. The Writer will be flushed afterwards and in case of an exception.
        Throws:
        com.thoughtworks.xstream.XStreamException - if the object cannot be serialized
      • fromXML

        Object fromXML(String xml)
        Deserialize an object from an XML String.
        Throws:
        com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized
      • fromXML

        Object fromXML(Reader reader)
        Deserialize an object from an XML Reader.
        Throws:
        com.thoughtworks.xstream.XStreamException - if the object cannot be deserialized