CVE-2021-21349: XStream - Change History

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available, only by manipulating the processed input stream. No user who followed the recommendation to set up XStream’s security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Changes are split into the following categories:

  • Major changes: The major new features that all users should know about.
  • Minor changes: Any smaller changes, including bugfixes.
  • Stream Compatibility: Changes affecting the persisted data.
  • API changes: Any changes to the API that could impact existing users.

Full details can be found in GitHub’s Issues, filter for the appropriate milestone.

1.4.19

Released January 29, 2022.

This maintenance release addresses the security vulnerability CVE-2021-43859, a Denial of Service when unmarshalling highly recursive collections or maps.

API changes

  • Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and c.t.x.XStream.COLLECTION_UPDATE_SECONDS.
  • Added c.t.x.XStream.setCollectionUpdateLimit(int).
  • Added c.t.x.core.SecurityUtils.
  • Added c.t.x.security.AbstractSecurityException and c.t.x.security.InputManipulationException.
  • c.t.x.security.InputManipulationException derives now from c.t.x.security.AbstractSecurityException.

1.4.18

Released August 22, 2021.

This maintenance release addresses the following security vulnerabilities, which apply when unmarshalling with an XStream instance that uses the default blacklist of an uninitialized security framework. XStream therefore now uses a whitelist by default.

  • CVE-2021-39139
  • CVE-2021-39140
  • CVE-2021-39141
  • CVE-2021-39144
  • CVE-2021-39145
  • CVE-2021-39146
  • CVE-2021-39147
  • CVE-2021-39148
  • CVE-2021-39149
  • CVE-2021-39150
  • CVE-2021-39151
  • CVE-2021-39152
  • CVE-2021-39153
  • CVE-2021-39154

Minor changes

  • #233: Support serializable types with non-serializable parent with PureJavaReflectionConverter.

Stream compatibility

Starting with version 1.14.12 nine years ago, XStream has contained a Security Framework to implement a blacklist or whitelist for the types allowed at deserialization time. Until version 1.4.17, XStream kept a default blacklist that denied all types of the Java runtime known to be used for security attacks, in order to guarantee optimal runtime compatibility for existing users. However, this approach has failed. The last months have shown that the Java runtime alone contains dozens of types that can be used for an attack, not even counting the 3rd party libraries on a classpath. The new version of XStream therefore now uses a whitelist by default, which has been recommended for nine years. It has also been complaining on the console for a long time about an uninitialized security framework the first time it was run. Anyone who has followed the advice and initialized the security framework for their own scenario can update to the new version without any problem. Everyone else will have to do a proper initialization now; otherwise the new version will fail with certainty at deserialization time.
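The following is an added example, not code from the XStream project, showing one way to initialize the security framework with a minimal whitelist so that behaviour does not depend on the library's default lists. The `Order` class, the class name `XStreamWhitelistExample` and the sample XML strings are constructed for illustration; it assumes an XStream version that contains the security framework is on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistExample {

    /** Hypothetical DTO: the only application type this code path should accept. */
    public static class Order {
        String id;
        int quantity;
    }

    /** Builds an XStream instance that denies every type not explicitly allowed. */
    static XStream newRestrictedXStream() {
        XStream xstream = new XStream();

        // Start from "deny everything", independent of the version's defaults.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-allow only what the expected documents need.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });

        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Returns true if the exception or one of its causes is a ForbiddenClassException. */
    static boolean isForbiddenType(Throwable error) {
        for (Throwable t = error; t != null; t = t.getCause()) {
            if (t instanceof ForbiddenClassException) {
                return true;
            }
        }
        return false;
    }

    /** Unmarshals the input and reports how the security framework treated it. */
    static String describe(XStream xstream, String xml) {
        try {
            Object result = xstream.fromXML(xml);
            return "accepted: " + result.getClass().getName();
        } catch (XStreamException e) {
            if (isForbiddenType(e)) {
                return "rejected by security framework";
            }
            return "failed for another reason: " + e.getClass().getName();
        }
    }

    public static void main(String[] args) {
        XStream xstream = newRestrictedXStream();

        // Constructed sample inputs.
        String[] samples = {
            // The one document shape the whitelist is meant to accept.
            "<order><id>A-1</id><quantity>2</quantity></order>",
            // A type named in the 1.4.14 blacklist entry; not on the whitelist.
            "<java.lang.ProcessBuilder/>",
            // A harmless collection type; also refused because it was never allowed.
            "<list/>"
        };

        for (String xml : samples) {
            System.out.println(xml + " -> " + describe(xstream, xml));
        }
    }
}
```

Because the whitelist names only the types the application expects, the outcome does not change when new gadget types are discovered in the Java runtime or in third-party libraries on the classpath.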

1.4.17

Released May 13, 2021.

This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with an XStream instance using an uninitialized security framework.

Stream compatibility

  • The following types are now blacklisted by default and the deserialization of XML containing one of these types will fail. You will have to enable these types by explicit configuration, if you need them:
    • any type in the java.rmi.* and sun.rmi.* package hierarchies
    • the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl

1.4.16

Released March 13, 2021.

This maintenance release switches XStream’s default parser and addresses the following security vulnerabilities, when unmarshalling with an XStream instance using an uninitialized security framework.

  • CVE-2021-21341
  • CVE-2021-21342
  • CVE-2021-21343
  • CVE-2021-21344
  • CVE-2021-21345
  • CVE-2021-21346
  • CVE-2021-21347
  • CVE-2021-21348
  • CVE-2021-21349
  • CVE-2021-21350
  • CVE-2021-21351

Major changes

  • Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.

Minor changes

  • #238: Fix possibility to process references on enum types at deserialization.
  • #237: Fix optimization in XmlFriendlyNameCoder.

Stream compatibility

  • The following types are now blacklisted by default and the deserialization of XML containing one of these types will fail. You will have to enable these types by explicit configuration, if you need them:
    • the type hierarchies for java.io.InputStream, java.nio.channels.Channel, javax.activation.DataSource and javax.sql.rowset.BaseRowSet
    • the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
    • the internal type Accessor$GetterSetterReflection of JAXB, the internal types MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of JAX-WS
    • all inner classes of javafx.collections.ObservableList
    • an internal ClassLoader used in a private copy of BCEL within the Java runtime

Dependencies

The default parser of XStream has changed from the Xpp3Parser in artifact xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact io.github.x-stream:mxparser. Xpp3 has been unmaintained for a long time. In the fork, bugs reported more than a decade ago have been fixed, improvements from other forks have been incorporated, and some endless loops that could have been used for a DoS attack have been fixed.

XStream therefore has new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), you can still exchange the XStream library for a drop-in replacement, but you will also have to remove the Xpp3 library and add the MXParser library instead.

At build time you will have to add the Xpp3 library to your dependencies if you made explicit use of the Xpp3 driver. If you explicitly used a different driver than Xpp3 and had therefore excluded the Xpp3 dependency, you might now have to exclude the new MXParser dependency instead to minimize your dependency list.

1.4.15

Released December 13, 2020.

This maintenance release addresses the security vulnerabilities CVE-2020-26258 and CVE-2020-26259, when unmarshalling with an XStream instance using an uninitialized security framework.

Minor changes

  • #226: XmlFriendlyNameCoder does not accept ‘9’ as valid character in an XML name.
  • #228: DefaultMapper should handle IllegalArgumentException thrown by Class.forName().

Stream compatibility

  • The type jdk.nashorn.internal.objects.NativeString and the internal JAX-WS type ReadAllStream.FileStream are now part of the default blacklist and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them.

Delivery

Any XStream release can run with a minimal Java runtime environment of Java 1.4 as long as this environment processes only the requested classes of the jar file. Until version 1.4.14, XStream was also delivered as a special Java 7 version for Android, because Dalvik scans all classes and fails at classes requiring a higher runtime version. However, this special version will not work in a normal Java 8 environment or higher and was never meant to do so.

Unfortunately, this version always has to be built after the standard version due to the build sequence. The latest version in Maven Central, however, is always the one that has been deployed last, independently of the time of publishing. This now creates an annoyance in GitHub for any project using the Dependabot service, which creates automated pull requests with updates to the latest XStream version, because it now injects the special Java 7 version that probably breaks these projects.

Users who still require a special version for Java 7 will now have to build this artifact on their own. Users of even older Java environments always had to do so anyway.

1.4.14

Released November 16, 2020.

This maintenance release addresses the security vulnerability CVE-2020-26217, reported originally as CVE-2017-9805 for Struts’ XStream Plugin, an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security framework.

Stream compatibility

  • The types java.lang.ProcessBuilder and javax.imageio.ImageIO$ContainsFilter are now part of the default blacklist and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them.

1.4.13

Released September 6, 2020.

Major changes

  • #218: Defer reflective access to Java core modules.
  • #207: New predefined blacklist avoids vulnerability due to improper setup of the security framework.

1.4.12

Released April 12, 2020.

Minor changes

  • XmlFriendlyNameCoder supports now XML parsers implementing only 4th edition of XML 1.0 specification.
  • Fix support of CDATA events in StAX.
  • #171: XStream.createObjectInputStream does not pass the DataHolder.
  • #151: Use of SPDX license identifier in POM and Manifest.
  • #152: Declare OSGi import of internal runtime packages as optional.
  • Drop Require-Capability entry in manifest.

1.4.11.1

Released October 27, 2018.

Hot fix

  • #133: XStream 1.4.11 fails to run on a Java Runtime < 8.

1.4.11

Released October 23, 2018.

This maintenance release addresses again the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security framework. Only version 1.4.10 with an uninitialized security framework was affected.

Minor changes

  • #91, #106: Clean-up data stacks in UnmarshallingContext implementations in case of exception (by Märt Bakhoff).
  • #2: Unneeded contention in DefaultConverterLookup.
  • #94: Fix PathConverter containing absolute Windows paths.
  • #105: XStream’s ObjectInputStream returns wrong values for readUnsignedByte and readUnsignedShort.
  • XSTR-616 and #93: Introduce StringCodec interface to support arbitrary Base64 codec implementations for EncodedByteArrayConverter. Prefer Base64 codec implementations of the Java runtime over XStream’s own one.
  • #97: Support to run out of the box in a Java 1.4 runtime is established again.
  • Provide methods in AbstractCollectionConverter that read and write in a balanced way from and to the hierarchical stream.
  • New future-proof method JVM.isVersion to detect major version of Java runtime (incl. Java 10) as replacement for individual JVM.isXY methods.
  • #115: Dom4JDriver ignores character set of Dom4J configuration creating a Writer.
  • #116: Make converters null safe.
  • #123 and #124: Declare XPP dependencies for OSGi as optional.
  • Add XppDriver.createDefaultParser for a simpler access to the default XmlPullParserFactory.
  • Old BEA reference implementation of StAX is outdated, unmaintained and has security issues, therefore XStream’s driver has been deprecated.
  • Support for JaCoCo: FieldDictionary ignores synthetic fields starting with $jacoco as name.
  • Add integration test for OSGi (by Wes Wannemacher).

Stream compatibility

  • The EncodedByteArrayConverter will now use an encoder by default that does no longer add line breaks as normally required by the RFC 1521 after 76 characters, making it also easier to use the converter for attributes. This will not affect XStream’s Base64 decoder.

API changes

  • Added c.t.x.converters.collection.AbstractCollectionConverter.readBareItem(HierarchicalStreamReader, UnmarshallingContext, Object).
  • Added c.t.x.converters.collection.AbstractCollectionConverter.readCompleteItem(HierarchicalStreamReader, UnmarshallingContext, Object).
  • Deprecated c.t.x.converters.collection.AbstractCollectionConverter.readItem(HierarchicalStreamReader, UnmarshallingContext, Object).
  • Added c.t.x.converters.collection.AbstractCollectionConverter.writeBareItem(Object, MarshallingContext, HierarchicalStreamWriter).
  • Added c.t.x.converters.collection.AbstractCollectionConverter.writeCompleteItem(Object, MarshallingContext, HierarchicalStreamWriter).
  • Deprecated c.t.x.converters.collection.AbstractCollectionConverter.writeItem(Object, MarshallingContext, HierarchicalStreamWriter).
  • Added c.t.x.converters.collection.AbstractCollectionConverter.writeNullItem(MarshallingContext, HierarchicalStreamWriter).
  • Added c.t.x.converters.extended.EncodedByteArrayConverter(StringCodec).
  • Added c.t.x.converters.extended.NamedCollectionConverter.readBareItem(HierarchicalStreamReader, UnmarshallingContext, Object).
  • Deprecated c.t.x.converters.extended.NamedCollectionConverter.readItem(HierarchicalStreamReader, UnmarshallingContext, Object).
  • Added c.t.x.converters.extended.NamedCollectionConverter.writeCompleteItem(Object, MarshallingContext, HierarchicalStreamWriter).
  • Deprecated c.t.x.converters.extended.NamedCollectionConverter.writeItem(Object, MarshallingContext, HierarchicalStreamWriter).
  • Added c.t.x.core.DefaultConverterLookup(Map).
  • Added c.t.x.core.util.JVM.getBase64Codec().
  • Added c.t.x.core.util.JVM.isVersion().
  • Deprecated c.t.x.core.util.JVM.is18().
  • Deprecated c.t.x.core.util.JVM.is9().
  • Deprecated c.t.x.io.ExtendedHierarchicalStreamReader.
  • Deprecated c.t.x.io.ExtendedHierarchicalStreamWriter.
  • Deprecated c.t.x.io.ExtendedHierarchicalStreamWriterHelper.
  • Deprecated c.t.x.io.xml.BEAStaxDriver.
  • Added c.t.x.io.xml.Dom4JReader.Dom4JReader(Branch).
  • Added c.t.x.io.xml.XppDriver.createDefaultParser().
  • Added c.t.x.core.util.StringCodec.

1.4.10

Released May 23, 2017.

This maintenance release addresses also the security vulnerability CVE-2017-7957, used for a Denial of Service attack by crashing the Java runtime.

Major changes

  • #84: New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
  • Fix PrimitiveTypePermission to reject type void to prevent CVE-2017-7957 with an initialized security framework.
  • Improve performance by minimizing call stack of mapper chain.
  • #82, XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
  • #29: JavaBeanConverter does not respect ignored unknown elements.
  • Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
  • Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.

Stream Compatibility

  • The alias duration for type javax.xml.datatype.Duration has changed to xml-duration due to the support of the classes in the java.time package. duration is now used for type java.time.Duration. Simply register the alias duration again for type javax.xml.datatype.Duration if backward compatibility is required for this type.
  • All types of the java.time packages that have been written with previous versions of XStream can still be deserialized.

Minor changes

  • #54: Fix BeanProvider.canInstantiate(Class), method may not throw exception.
  • #76 and #77: Missing support for cascaded writeReplace calls.
  • #61: Regression in 1.4.9: Performance drop in ImplicitCollectionMapper.
  • #52: PathConverter fails for file paths with spaces.
  • PathConverter uses always forward slashes as path separator.
  • #53: SqlTimestampConverter cannot parse values without fraction.
  • #45: Support different time zones for SqlTimestampConverter.
  • #67 and #68: Allow usage of DataHolder for createObjectInputStream and createObjectOutputStream.
  • #75: Use java.time.* package instead of Joda-Time.
  • Dom4JXmlWriter does not flush writer at endDocument().
  • Path is an immutable type.
  • #65: Protect converter lookup against runtime errors.
  • Current Java 9 implementation reports itself as version 9 now.

API changes

  • Added c.t.x.util.JVM.is9().
  • Added c.t.x.XStream.setupDefaultSecurity(XStream).
  • Added c.t.x.XStream.createObjectInputStream(HierarchicalStreamReader, DataHolder) and c.t.x.XStream.createObjectOutputStream(HierarchicalStreamWriter, String, DataHolder).
  • Added c.t.x.converters.javabean.PropertyDictionary.propertyDescriptorOrNull(Class, String).
  • Added method c.t.x.mapper.Mapper.isIgnoredElement(String).
  • Added c.t.x.mapper.ElementIgnoringMapper.
  • Deprecated method c.t.x.mapper.FieldAliasingMapper.addFieldsToIgnore(Pattern).
  • Deprecated method c.t.x.mapper.FieldAliasingMapper.omitField(Class, String).
  • Deprecated method c.t.x.core.util.JVM.is17().
  • Deprecated method c.t.x.core.util.JVM.is19().

1.4.9

Released March 15, 2016.

This maintenance release addresses also the security vulnerability CVE-2016-3674, known as XXE vulnerability that can be used to expose arbitrary data from the file system when unmarshalling.

Major changes

  • #25: Fix XXE vulnerability (CVE-2016-3674): The affected drivers that have been fixed are Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver and WstxDriver. BEAStaxDriver and XomDriver are still vulnerable. Processing of (external) entities has been disabled. See FAQ for more information.
  • Benchmark module has been deprecated in favor of JMH (Java Microbenchmarking Harness).
  • #33 and #38: Add converter for java.nio.file.Path (by Aaron Jonson).

Minor changes

  • #35: AnnotationMapper dropped silently constructor arguments for converters if they were equal.
  • Fix: Possible concurrency problem with XomDriver.
  • XSTR-773, #3: Minimize memory footprint by not keeping internal references to instances of immutable types.
  • Drop automatic reference support at deserialization time for immutable types before version 1.4 (primitive types and their boxed counterpart, java.lang.Class, java.lang.String, java.math.BigDecimal, java.math.BigInteger, java.io.File, java.net.URL, and java.awt.font.TextAttribute).
  • Fix: Implicit collection declaration is erroneously inherited or propagated to hidden field of same name.
  • XStreamConverter annotation supports null values as arguments for converter instantiation.
  • #5: Support null values for JavaBean properties.
  • #36: Fix NamedMapConverter, does not use SingleValueConverter of value if value is text of entry element.
  • #13: Own converter for javax.activation.ActivationDataFlavor, because ExternalizableConverter cannot handle a type that violates the Java specification.
  • #18: Minimize synchronized block in FieldDictionary.
  • XSTR-769: Synthetic fields with references to outer class use compiler dependent names.
  • XSTR-771: UUID is an immutable type by default.
  • #23: Constructor of AbstractXppDriver swallows causing exception.
  • #28: Fix functionality of ClassAliasingMapper.itemTypeAsAttributes(Class).
  • #37: Historical Java 1.3 support suppresses causing exception of a thrown InvocationTargetException.
  • #41: Cannot instantiate ToAttributedValueConverter with null value for valueFieldName using XStreamConverter annotation.
  • Fix example code in description of security framework.
  • Clean-up usage of exceptions.

API changes

  • Added c.t.x.XStream.addImmutableType(Class, boolean) and deprecated c.t.x.XStream.addImmutableType(Class).
  • Added c.t.x.mapper.Mapper.isReferenceable(Class).
  • Added c.t.x.mapper.ImmutableTypesMapper.addImmutableType(Class, boolean) and deprecated c.t.x.mapper.ImmutableTypesMapper.addImmutableType(Class).
  • Added c.t.x.io.xml.Dom4JDriver.createReader().
  • Added c.t.x.io.xml.DomDriver.createDocumentBuilderFactory().
  • Added c.t.x.io.xml.JDomDriver.createBuilder().
  • Added c.t.x.io.xml.JDom2Driver.createBuilder().
  • Added c.t.x.io.xml.XomDriver.createBuilder().
  • Added constructor c.t.x.converter.extended.ToAttributedValueConverter.ToAttributedValueConverter(Class, Mapper, ReflectionProvider, ConverterLookup).
  • Added abstract c.t.x.converter.ErrorWritingException as common base for c.t.x.converter.ConversionException and c.t.x.converter.reflection.ObjectAccessException.
  • Deprecated c.t.x.io.xml.XomDriver(Builder), c.t.x.io.xml.XomDriver(Builder, NameCoder) and c.t.x.io.xml.XomDriver.getBuilder().
  • Deprecated c.t.x.mapper.ClassAliasingMapper.itemTypeAsAttributes(Class) and c.t.x.mapper.ClassAliasingMapper.aliasIsAttribute(String). Methods never called, left-over from old refactoring.

1.4.8

Released February 18, 2015.

Major changes

  • Support for serializable lambda expressions and handling of non-serializable ones.

Minor changes

  • Detect Java 9 runtime.
  • XSTR-767: Deserialization of referenced lambda expressions fail.
  • XSTR-762: Private method readResolve() called on base classes.
  • XSTR-761: Support ignored serialPersistentField at deserialization time.
  • XSTR-755: ExternalizableConverter does not respect writeReplace and readResolve.
  • XSTR-757: Deserialized TreeSet does not honor remove(Object) return value contract.
  • XSTR-759: Support deserialization of W3C datetime format in DateConverter with Java 7 runtime.
  • Fix: DateConverter ignores provided locale.
  • XSTR-768: ISO8601GregorianCalendarConverter may set invalid time zone for Joda-Time.
  • Fix: WeakCache.entrySet().iterator().next.setValue(value) returns the reference instead of the old value.
  • Fix: SqlTimestampConverter throws IllegalArgumentException instead of ConversionException on fromString().
  • Fix: CGLIBEnhancedConverter does not initialize transient members of parent after deserialization.
  • XSTR-763: Set scope of org.json:json to test instead declaring the dependency as optional.

API changes

  • Added c.t.x.util.JVM.is19().
  • Added c.t.x.converter.reflection.LambdaConverter and c.t.x.mapper.LambdaMapper.
  • Declare c.t.x.XStream.ignoreUnknownElements(Pattern) as public.
  • c.t.x.converters.reflection.AbstractReflectionConverter.readResolve() is protected now.
  • c.t.x.mapper.AbstractAttributeAliasingMapper.readResolve() is protected now.
  • Deprecated c.t.x.converters.extended.StackTraceElementFactory, it is an internal helper class.
  • Deprecated c.t.x.converters.reflection.SerializationMethodInvoker, it is an internal helper class.
  • Deprecated c.t.x.io.AttributeNameIterator, it is an internal helper class.
  • Deprecated c.t.x.XStream.useXStream11XmlFriendlyMapper(), corresponding c.t.x.mapper.XStream11XmlFriendlyMapper has been deprecated long ago.
  • Deprecated c.t.x.converter.basic.BooleanConverter.shouldConvert(Class,Object), undetected remainder of ancient XStream version.

1.4.7

Released February 8, 2014.

This maintenance release addresses mainly the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling.

Major changes

  • Add security framework to limit handled types while unmarshalling.
  • java.beans.EventHandler no longer handled automatically because of severe security vulnerability.
  • XSTR-751: New SunLimitedUnsafeReflectionProvider that uses undocumented features only to allocate new instances as required on Dalvik.
  • Fix instantiation of AnnotationMapper that requires ConverterLookup and ConverterRegistry to be the same instance.

Minor changes

  • XSTR-749: NPE if ReflectionConverter.canConvert(type) is called with null as argument.
  • XSTR-753: NPE if SerializationConverter.canConvert(type) is called with an interface type as argument that extends Serializable.
  • Add constructor to ReflectionConverter taking an additional type to create an instance that is dedicated to a specific type only.
  • The ConverterLookup used by default cannot be casted to a ConverterRegistry anymore.

API changes

  • Added package c.t.x.security with interface TypePermission, all its implementations and ForbiddenClassException.
  • Added c.t.x.mapper.SecurityMapper handling the new type permissions.
  • Added methods addPermission, denyPermission, allowTypesXXX and denyTypesXXX to c.t.x.XStream to setup security at unmarshalling time.
  • Added c.t.x.converters.reflection.SunLimitedUnsafeReflectionProvider.
  • Deprecated c.t.x.converters.reflection.Sun14ReflectionProvider in favor of new c.t.x.converters.reflection.SunUnsafeReflectionProvider.
  • Added c.t.x.converters.reflection.ReflectionConverter(Mapper,ReflectionProvider,Class).

1.4.6

Released December 12, 2013.

Major changes

  • XSTR-566 and XSTR-200: Better compatibility with GAE and environments with an active SecurityManager (i.e. in an Applet). XStream converters now try to ensure already in the canConvert methods that they can handle the requested type in practice and not only theoretically. Additionally, the implementations take even better care that the initialization of a converter will not break the setup of XStream itself. The following modifications have been made for these topics:
    • ReflectionConverter, SerializationConverter and LookAndFeelConverter will check if they can access the fields by reflection for a requested type.
    • SerializationConverter and ExternalizableConverter will check if they can create an instance of a derived ObjectOutputStream first.
    • BeanProvider does no longer use reflection to locate default constructor.
    • AbstractAttributedCharacterIteratorAttributeConverter (and therefore TextAttributeConverter) will check first if it can access the possible constants of the type by reflection.
    • NoClassDefFoundError raised in GAE accessing the fields of restricted types by reflection will be handled.
    • StackTraceElementConverter uses constructor for StackTraceElement instances in Java 5 and GAE.
  • XSTR-739 and XSTR-746: OrderRetainingMap fails if HashMap.putAll(Map) of Java Runtime is not implemented calling put for every element within the map.
  • New NamedArrayConverter to define names of inner elements.

Minor changes

  • XSTR-747: All constructors of StaxDriver derived classes take erroneously a XmlFriendlyNameCoder instead of a plain NameCoder.

API changes

  • Added c.t.x.converters.extended.NamedArrayConverter for free element names in arrays.
  • Added constructors to c.t.x.io.xml.StandardStaxDriver taking NameCoder instead of XmlFriendlyNameCoder.
  • Deprecated constructors of c.t.x.io.xml.StandardStaxDriver taking a XmlFriendlyNameCoder.
  • Added constructors to c.t.x.io.xml.BEAStaxDriver taking NameCoder instead of XmlFriendlyNameCoder.
  • Deprecated constructors of c.t.x.io.xml.BEAStaxDriver taking a XmlFriendlyNameCoder.
  • Added constructors to c.t.x.io.xml.WstxDriver taking NameCoder instead of XmlFriendlyNameCoder.
  • Deprecated constructors of c.t.x.io.xml.WstxDriver taking a XmlFriendlyNameCoder.
  • Added method canAccess to c.t.x.converter.reflection.AbstractReflectionConverter.
  • Added static method canCreateDerivedObjectOutputStream to c.t.x.core.JVM.
  • Deprecated unused member c.t.x.converter.javabean.BeanProvider.NO_PARAMS.
  • Deprecated unused method c.t.x.converter.javabean.BeanProvider.getDefaultConstrutor(Class).

1.4.5

Released September 18, 2013.

Major changes

  • XSTR-732: Use a referencing implementation for the ClassLoader to support environments where no new ClassLoader can be instantiated due to security restrictions.
  • XSTR-691: Allow unknown XML elements to be ignored using new method XStream.ignoreUnknownElements.
  • XSTR-728: XStream creates invalid JSON with JsonHierarchicalStreamDriver for custom converters since XStream 1.4.
  • XSTR-300: New EnumToStringConverter to support custom string representations of Enum values.
  • XSTR-292 and XSTR-405: New NamedMapConverter and NamedCollectionConverter to define names of inner elements.
  • XSTR-726: New annotation XStreamAliasType to support declarative definition of XStream.aliasType().
  • XSTR-735: Support for JDOM2 with JDom2Driver, JDom2Reader and JDom2Writer.
  • Optimized XML structure for java.awt.Font.
  • Fix: ToAttributedValueConverter silently appends fields without attribute support to the value producing mixed-mode XML.
  • XSTR-566 and XSTR-249: Better compatibility with Google AppEngine and J2ME, setup no longer fails for unavailable converters.

Minor changes

  • Fix missing manifest information.
  • XSTR-729: Add OSGi information to manifests.
  • XSTR-723: XStream will now detect a working enhanced mode dynamically instead using lists of known vendors. This allows enhanced support for JamVM if it is bundled with OpenJDK. It will currently fail on a runtime based on GNU Classpath (at least up to version 0.98).
  • XSTR-541: JavaScript compatibility problem with 64-bit integers in JSON.
  • XSTR-719: Support replacement of default converter in any case.
  • XSTR-725: processAnnotation performance improvement in concurrent situation.
  • XSTR-721: EnumConverter is more lenient while parsing constants.
  • New constructors for CollectionConverter and MapConverter to allow registration for an individual type.
  • XSTR-724: Cache class name lookup failures.
  • Current IBM JDK for Java 1.4.2 no longer has a reverse field ordering.
  • LongConverter supports now positive hex and octal numbers over Long.MAX_VALUE within 64 bit.
  • Fix: Sun14ReflectionProvider ignores a provided FieldDictionary.
  • XSTR-457: Do not write ‘defined-in’ attribute if not needed.
  • JettisonMappedXmlDriver provides better support to overwrite its create methods.
  • XSTR-685: StAX based drivers (StaxDriver and JettisonMappedXmlDriver) are not closing internal input stream reading from file or URL.
  • XSTR-736: XStream.unmarshal may throw NPE if version info of manifest is missing.
  • XSTR-733: Implicit elements that match multiple defined implicit collections will be assigned to the map with the nearest matching element type.
  • XSTR-740: ISO8601GregorianCalendarConverter creates Calendar instance with wrong Locale in Java 7 if the Locale for the LocaleCategory.FORMAT is different to the global default Locale.
  • XSTR-578: Implement support for aliasing in JavaClassConverter, JavaFieldConverter and JavaMethodConverter. While it is not possible to enable this in general, new constructors have been added to these converters and an example in the acceptance tests (AliasTest).
  • XSTR-742: Register CompositeClassLoader in Java 7 as parallel capable.
  • XSTR-743: Support proxy collections of Hibernate Envers.
  • Fix NPE in AttributeMapper.shouldLookForSingleValueConverter if parameters fieldName and definedIn are null.
  • Implicit type argument can be omitted when registering converters with @XStreamConverter annotation.

API changes

  • Added c.t.x.converters.extended.NamedCollectionConverter for free element names in collections.
  • Added c.t.x.converters.extended.NamedMapConverter for free element names in maps.
  • Added c.t.x.io.xml.StandardStaxDriver to use the StAX implementation delivered with the Java 6 runtime.
  • Deprecated c.t.x.io.xml.SjsxpStaxDriver to select the internal StAX implementation of Oracle.
  • Added static methods getStaxInputFactory and getStaxOutputFactory to c.t.x.core.JVM as returning the implementations of javax.xml.stream.XMLInputFactory (resp. javax.xml.stream.XMLOutputFactory) delivered with the Java Runtime since Java 6.
  • Added c.t.x.core.ClassLoaderReference.
  • Added constructors taking an additional Class argument for c.t.x.converters.collections.CollectionConverter and c.t.x.converters.collections.MapConverter.
  • Added constructors taking a ClassLoaderReference instead of a ClassLoader and deprecated the ones taking the ClassLoader:
    • c.t.x.XStream
    • c.t.x.converters.extended.DynamicProxyConverter
    • c.t.x.converters.extended.JavaClassConverter
    • c.t.x.converters.extended.JavaFieldConverter
    • c.t.x.converters.extended.JavaMethodConverter
    • c.t.x.converters.reflection.CGLIBEnhancedConverter
    • c.t.x.converters.reflection.ExternalizableConverter
    • c.t.x.converters.reflection.SerializableConverter
    • c.t.x.mapper.AnnotationMapper
    • c.t.x.mapper.DefaultMapper
  • Added static methods newReflectionProvider, isAWTAvailable, isSQLAvailable and isSwingAvailable to c.t.x.core.JVM as replacement for the deprecated non-static methods.
  • Deprecated c.t.x.core.JVM() and all non-static methods.
  • Added method useImplicitType to c.t.x.annotations.XStreamConverter.
  • XSTR-722: Added c.t.x.converters.reflection.ReflectionProvider.getFieldOrNull(Class, String).
  • Deprecated c.t.x.converters.reflection.ReflectionProvider.fieldDefinedInClass(Class, String) in favor of new c.t.x.converters.reflection.ReflectionProvider.getFieldOrNull(Class, String).
  • Deprecated constructor c.t.x.converters.extended.RegexPatternConverter(Converter) in favor of c.t.x.converters.extended.RegexPatternConverter().
  • Deprecated default constructor of c.t.x.converters.extended.FontConverter in favor of c.t.x.converters.extended.FontConverter(Mapper).
  • Deprecated constructor c.t.x.converters.extended.ThrowableConverter(Converter) in favor of c.t.x.converters.extended.ThrowableConverter(ConverterLookup).
  • Deprecated class c.t.x.converters.reflection.SelfStreamingInstanceChecker and moved original implementation into c.t.x.core.util, since it is internal.
  • Deprecated interface c.t.x.mapper.AnnotationConfiguration.

1.4.4

Released January 19, 2013.

Minor changes

  • XSTR-709: Locks up on Mac with Apple JVM due to unwanted initialization of AWT.
  • XSTR-711: DateConverter cannot handle dates in different era.
  • XSTR-741: ToAttributedValueConverter fails to write enums as attributes.
  • XSTR-712: HibernateMapper throws NPE if a collection contains null.
  • DateConverter supports now localized formats.
  • XSTR-710: JsonWriter does not write BigInteger and BigDecimal as number values.
  • XSTR-708: SqlTimestampConverter does not ignore timezone.
  • XSTR-707: Creation of XmlPullParser with the XmlPullParserFactory may fail in OSGi environment.
  • XSTR-705: Unnecessary synchronization accessing the field cache decreases performance.
  • XSTR-714: Fields not found when XStream12FieldKeySorter used.

API changes

  • Deprecated methods c.t.x.core.util.JVM.is14(), c.t.x.core.util.JVM.is15() and c.t.x.core.util.JVM.is16().

1.4.3

Released July 17, 2012.

Major changes

  • Support java.util.concurrent.ConcurrentHashMap with the MapConverter. This will also avoid a bug in JRockit JDK reported in XSTR-608.
  • XSTR-699: Support for Hibernate 4 with XStream’s Hibernate module as default for Java 6 or higher.

Minor changes

  • JVM.loadClass will now also initialize the loaded class and ignore any occurring LinkageError.
  • XSTR-596: SubjectConverter will be no longer registered if initialization of javax.security.auth.Subject fails.
  • XSTR-683: Inheritance of implicit collections, arrays or maps is dependent on declaration sequence.
  • Inherited implicit collections, arrays or maps can be overwritten with own definition in subtype.
  • XSTR-688: Cannot omit XML elements from derived fields.
  • XSTR-696: Ill-formed JSON generated, because JSON writer is fed with type of declaring field instead of the real object’s type.
  • XSTR-685: Deserialization from file or URL keeps stream open.
  • XSTR-684: XML 1.0 character validation fails for characters from 0x10 to 0x1f.
  • JavaBeanConverter supports now instantiation for a specific type and can therefore be used in @XStreamConverter annotation.
  • SerializableConverter is broken if the serialized type is the default implementation.
  • Method marshalUnserializableParent of SerializableConverter is protected now to skip the default mechanism in a derived converter that uses the default constructor to create the original type (as an alternative for XSTR-695).
  • FieldDictionary may call sort of FieldKeySorter implementation with wrong type as key.
  • Sometimes DependencyInjectionFactory tries to instantiate objects with mismatching constructor arguments.
  • HSQLDB has to be a test dependency only for XStream’s Hibernate module.

1.4.2

Released November 3, 2011.

Major changes

  • XStream libraries can be used now directly in Android, therefore support of Java 1.4.2 has been stopped with the delivery. Anyone who needs a version for Java 1.4.2 can build it easily from source, this build is still supported and part of CI.
  • XSTR-675: New extended HierarchicalStreamReader interface with peekNextChild method. All XStream readers implement the new interface (by Nikita Levyankov).
  • XSTR-673: Collections.EMPTY_LIST, Collections.EMPTY_SET and Collections.EMPTY_MAP supported with own alias and defined as immutable.
  • XSTR-631: Collections.singletonList(), Collections.singletonSet() and Collections.singletonMap() supported with own alias and own converters.
  • XSTR-406 + XSTR-663: Support additional parameters for XStreamConverter annotation (e.g. to declare a ToAttributedValueConverter).

Minor changes

  • WstxDriver did not trigger Woodstox, but BEA StAX implementation.
  • XSTR-260: PrettyPrintWriter does not handle tab and new line characters in attributes.
  • XSTR-667: Cannot serialize empty list with JsonHierarchicalStreamDriver.
  • XSTR-661: TreeMarshaller.CircularReference is not a ConversionException.
  • XSTR-562: StAX: Namespace attribute is not written in non-repairing mode for second sibling.
  • XSTR-664: ClassCastException in HibernatePersistentSortedSetConverter and HibernatePersistentSortedMapConverter.
  • XSTR-674: Recreate binary compatibility with 1.3.x series for method CustomObjectInputStream.getInstance(…).
  • XSTR-671: CannotResolveClassException should accept cause.
  • XSTR-672: Collections.EMPTY_LIST, Collections.EMPTY_SET and Collections.EMPTY_MAP used for in implicit collection should not throw ReferencedImplicitElementException.
  • XSTR-676: Introduce MissingFieldException thrown at deserialization time indicating a missing field or property (by Nikita Levyankov).
  • Add length limit for cached strings in StringConverter, 38 characters by default.
  • The JsonHierarchicalStreamDriver and the JsonWriter did not support the inherited NameCoder instance.
  • Add BinaryStreamDriver.
  • NPE in XppDomComparator.
  • Dom4JXmlWriter fails to flush the underlying writer.
  • Known control characters are not encoded with JsonWriter as proposed at json.org.
  • Detect duplicate property processing in JavaBeanConverter and throw DuplicatePropertyException instead of clobbering silently.
  • Allow access to Mapper and JavaBeanProvider in derived instances of JavaBeanConverter.
  • DependencyInjectionFactory failed to create instance when a matching constructor was found, but a default constructor was also present.

API changes

  • Added interface c.t.x.io.ExtendedHierarchicalStreamReader extending c.t.x.io.HierarchicalStreamReader. All implementations of c.t.x.io.HierarchicalStreamReader will implement also the extended interface.
  • Added c.t.x.converters.reflection.MissingFieldException derived from c.t.x.converters.reflection.ObjectAccessException and used instead when the unmarshalling process should write a field or property that is missing and does not exist.
  • Added methods c.t.x.io.path.PathTracker.peekElement(), c.t.x.io.path.PathTracker.peekElement(int), and c.t.x.io.path.PathTracker.depth().
  • Deprecated method c.t.x.core.ReferencingMarshallingContext.currentPath(). Wrong approach.

1.4.1

Released August 11, 2011.

Major changes

  • XSTR-659: Use again Xpp3 as default parser, now with additional XmlPullParser API as regular dependency for the XPP factory. Only standard kXML2 package contains the XPP factory, but not the minimal kXML2 version.

Minor changes

  • Add utility class c.t.x.io.xml.xppdom.XppFactory and a path tracking comparator for XppDom.

1.4

Released August 6, 2011.

Major changes

  • Java 7 is detected and supported.
  • XSTR-542: The XppDriver uses now the official XmlPullParser API to locate an available parser using the XmlPullParserFactory. This allows the usage of XPP technology with XStream in Android.
  • Additional explicit XPP drivers for the Xpp3 and kXML2 implementations.
  • Additional explicit XPP DOM drivers for the Xpp3 and kXML2 implementations.
  • kXML2 is now the preferred parser implementation, Xpp3 is optional.
  • Additional explicit StAX drivers for Woodstox, BEA StAX and SJSXP of the JDK 6 implementations.
  • JDK 1.3 is no longer officially supported.
  • XSTR-377+XSTR-226: New artifact xstream-hibernate with converters and mapper to process Hibernate object graphs (by Costin Leau, Konstantin Pribluda and in special Jaime Metcher).
  • New NameCoder interface and implementations to support a generic name translation between names from the object graph and a target format. The new XmlFriendlyNameCoder replaces the XmlFriendlyReplacer used for XML only.
  • XSTR-553: Support annotations in Android.
  • XSTR-556: DateConverter uses format with 3-letter time zones that are ambiguous. Therefore it will now always use UTC to write dates. Unmarshalled dates are not affected as long as they contain a time zone.
  • The type java.lang.reflect.Field is now handled by an own converter, that can still read the old format.
  • XSTR-490: Provide path in Converter for contexts that track the path.
  • XSTR-592+XSTR-579: OmitField respected at deserialization time even for existing fields.
  • XSTR-593: Direct support for java.net.URI instances (by Carlos Roman).
  • XSTR-615+XSTR-580: Dynamic proxies cannot be referenced recursively.
  • XSTR-547: Wrong class loader used for Serializable types deserialized with an ObjectInputStream.
  • XSTR-341: Support of implicit arrays.
  • XSTR-306+XSTR-406: Support of implicit maps.
  • XSTR-344: New ToAttributedValueConverter to allow conversion of an element with string body and attributes.
  • XSTR-573: SortedSet added with TreeSet as the default implementation.
  • XSTR-576: TreeMap and TreeSet no longer add an element without comparator (by Jason Greanya), solves also invalid format with JSON for such objects (XSTR-640).

Minor changes

  • XSTR-612: Improve extensibility of c.t.x.javabean.* package by reintroducing a PropertyDictionary with the additional interface PropertySorter.
  • XSTR-591: EnumSingleValueConverter did use toString() instead of name() to create the String representation of an enum value.
  • XSTR-618: Add Oracle as vendor used for recent JRockit versions and former Sun JDK.
  • XSTR-656: DomReader and Dom4JReader do not escape attribute names retrieving their values.
  • XSTR-604: StringConverter’s cache may cause an OutOfMemoryException.
  • XSTR-577: Skip UTF-8 BOM in XmlHeaderAwareReader.
  • The XppReader no longer uses a BufferedReader.
  • XSTR-543: Better deserialization support of the defined-in system attribute in combination with field aliases.
  • XSTR-551: Deprecated XStream.InitializationException still thrown instead of InitializationException.
  • XSTR-655: JsonWriter generates invalid JSON for Externalizable types.
  • XSTR-540: Support Jettison-based configuration of JettisonMappedXmlDriver (by Doug Daniels).
  • XSTR-633: JettisonMappedXmlDriver escaped property names according escape rules for XML tag names.
  • XSTR-625: Optionally ignore XStream’s hints for Jettison to generate JSON arrays (by Dejan Bosanac).
  • XSTR-605: Upgrade to Jettison 1.2 (for Java 5 or higher).
  • New JsonWriter.EXPLICIT_MODE generating JSON that enforces property sequence.
  • XSTR-552: Improve performance of ReflectionProvider (by Keith Kowalczykowski).
  • XSTR-559: Improve performance of Sun14ReflectionProvider (by Keith Kowalczykowski).
  • XSTR-564: Improve performance of AnnotationMapper (by Keith Kowalczykowski).
  • XSTR-563: Use ReferenceQueue for cleaning-up WeakReferences in ObjectIdDictionary (by Keith Kowalczykowski).
  • XSTR-646: Cache of Sun14ReflectionProvider consumes more PermGen space than necessary.
  • XSTR-636: Ineffective cache in FieldDictionary using WeakHashMap with WeakReference values.
  • Ineffective cache for SerializationMethodInvoker (related to XSTR-636).
  • Introduction of Caching interface implemented by all types in XStream that create local caches that may have to be flushed manually.
  • Avoid excessive creation of AbstractPullReader.Event objects by using a pool.
  • Possibility to generate XPath expressions that select always a single node instead of a node list.
  • Cannot reference replaced object using ID references.
  • Implicit collection functionality will no longer use custom collection converters that may write tags that are not recognized at deserialization time again.
  • XSTR-654: Unmarshal fails when an implicit collection is defined and an element is named equal to the field.
  • XSTR-574: AbstractReferenceUnmarshaller cannot handle null values for references.
  • Improve exception output in case of a missing field.
  • XSTR-555: StAX driver tests do not honor repairing mode.
  • XSTR-570: The @XStreamConverter provides now also the current type as possible constructor argument.
  • XSTR-629: Deserialization of Externalizable with non-accessible default constructor fails.
  • XSTR-571: Cannot serialize synchronized RandomAccessList types.
  • XSTR-583: BinaryDriver fails to handle Strings with more than 64K bytes.
  • XSTR-639: Cannot omit field at deserialization if the field has a class attribute.
  • XSTR-599: EncodedByteArrayConverter should implement SingleValueConverter.
  • XSTR-584: Race condition in XmlFriendlyReplacer.
  • XSTR-623: XmlFriendlyReplacer may write illegal name characters (by Michael Schnell).
  • The ConversionException hides information if its ErrorWriter contains the added key already.
  • XSTR-598: Attribute “defined-in” was wrongly evaluated for other attributes.
  • XSTR-650: Possible NullPointerException at initialization on platforms like Android that do not support all types of the JDK.
  • XSTR-652: Initialization of XStream fails if DurationConverter constructor throws a javax.xml.datatype.DatatypeConfigurationException. Converter will no longer handle Duration types if no instance of the internal DatatypeFactory can be created.
  • Constructor DocumentWriter(Element) forgets the provided element.
  • XSTR-597: Optimize AbstractReflectionConverter.
  • Introduce Caching interface to flush the internal cache of specific components.
  • Support XSTR-407 also for IBM JRE 1.6 and greater.
  • java.nio.charset.Charset’s converter was added as immutable type instead of the type itself.
  • java.util.Currency added as immutable type.
  • Fix selection of same parameter types in DependencyInjectionFactory.
  • Deprecation of c.t.x.javabean.PropertyDictionary has been countermanded.

API changes

  • Any deprecated stuff of the 1.2.x releases has been removed.
  • Deprecated constructors of c.t.x.converters.reflection.SerializableConverter, c.t.x.converters.reflection.ExternalizableConverter and c.t.x.converters.reflection.CGLIBEnhancedConverter; new versions take an additional argument for class loader (as a result for XSTR-547).
  • Deprecated constructors of c.t.x.io.xml.XppReader, new versions take an additional argument for the XmlPullParser.
  • Deprecated c.t.x.io.xml.XppReader.createParser(), the XPP parser is now created by the driver.
  • Package c.t.x.io.xml.xppdom is now part of the official API.
  • c.t.x.io.xml.xppdom.Xpp3Dom and c.t.x.io.xml.xppdom.Xpp3DomBuilder have been deprecated. Functionality is merged in c.t.x.io.xml.xppdom.XppDom.
  • Deprecated c.t.x.mapper.XStream11XmlFriendlyMapper and c.t.x.mapper.AbstractXmlFriendlyMapper.
  • Added interface c.t.x.core.ReferencingMarshallingContext which is implemented by all referencing marshallers.
  • Added interface c.t.x.io.naming.NameCoder and implementations.
  • Deprecated c.t.x.io.xml.XmlFriendlyReplacer, c.t.x.io.xml.XmlFriendlyReader and c.t.x.io.xml.XmlFriendlyWriter.
  • Deprecated c.t.x.io.xml.AbstractXmlDriver, c.t.x.io.xml.AbstractXmlReader and c.t.x.io.xml.AbstractXmlWriter, added c.t.x.io.AbstractDriver, c.t.x.io.AbstractReader and c.t.x.io.AbstractWriter instead.
  • Deprecated all constructors of Driver, Reader and Writer implementations that take a XmlFriendlyReplacer as argument, added constructors taking a NameCoder instead.
  • Added interface com.thoughtworks.xstream.converters.ErrorReporter to allow other types to report also errors (apart from a HierarchicalStreamReader). Any converter and the parent object of the currently deserialized element may provide additional error information now.

1.3.1

Released December 6, 2008.

CGLIB support must be explicitly activated now. The decision has been made due to possible problems using an own classloader and because of ongoing complaints about occurring exceptions in the CGLIBEnhancedConverter at XStream initialization although they are caused by incompatible ASM versions on the user’s classpath (XSTR-469, XSTR-513 and XSTR-518).

XStream uses some attributes on its own. Until now it was possible to use XStream.aliasAttribute to define a different name. This does still work but is deprecated for system attributes. Use the new call XStream.aliasSystemAttribute for such an alias.

Major changes

  • XSTR-515: CGLIB support is no longer activated automatically and has to be explicitly turned on.
  • XSTR-448: Separated system attributes and user defined attributes for aliases.
  • XSTR-55: Ability to alias a package name.
  • XSTR-434: New JsonWriter instead of JsonHierarchicalStreamWriter with mode to strip root node of generated JSON (by Paul Hammant).
  • Support for Diablo JDK on FreeBSD (by Reto Bachmann-Gmür).
  • XSTR-495: New PersistenceStrategy instead of StreamStrategy (based on the code and comments by Alexander Radzin).

Minor changes

  • Support special Jettison functionality for JSON to detect collections or arrays with one element introduced with Jettison 1.0.
  • XSTR-493: Using attributes for fields with XML-unfriendly names results in NPE at deserialization.
  • XSTR-497: Unsafe operation with WeakHashMap can raise a NPE in Sun14ReflectionProvider.
  • XSTR-423: Support of CGLIB enhanced proxies with multiple callbacks if the proxy uses a factory (CGLIB default).
  • XSTR-536: XStream silently ignores unknown elements.
  • XSTR-503: Omitted properties in JavaBeans are requested at serialization (by Kevin Conaway).
  • Fix possible memory leak in ObjectIdMap for JVMs that provide real distinct identity hash codes (happened on amd64 system).
  • XSTR-480: Aliasing of array types.
  • XSTR-515: The SubjectConverter and DurationConverter are only registered if the converted class is part of the JDK, otherwise they must be registered now explicitly.
  • XSTR-504: XmlHeaderAwareReader fails with improper sized PushbackInputStream.
  • XSTR-489: @XStreamConverter supports now also SingleValueConverter implementations.
  • XSTR-481: @XStreamConverter and @XStreamAsAttribute can be used together (as a result of XSTR-489).
  • XSTR-519: New annotation @XStreamInclude to force annotation detection of included types (by Seven Sparling).
  • XSTR-469: Support custom converters for enum types.
  • XSTR-502: ClassNotFoundException even if writeReplace returns proper object.
  • XSTR-529: NullPointerException for null elements in implicit lists.
  • XSTR-517: Miscellaneous performance improvements (by Tatu Saloranta).
  • XSTR-525: JsonHierarchicalStreamDriver writes invalid JSON in case of system attribute.
  • XSTR-535: Mode to allow plain values as result for JSON without root node.
  • XSTR-531: Possibility to omit system attributes.
  • XSTR-508: Fix marshalling error for nested serializable objects with own writeReplace/readResolve methods.
  • XSTR-507: Advanced ReferenceByIdMarshaller uses id of the current object if available.
  • XSTR-485: Check reference for valid object when deserializing.
  • Fix classloader problem, Xpp3 parser cannot be loaded within a web application.
  • Dependencies have been updated to latest versions of JDOM, Jettison, Joda Time, and Woodstox. Note for Maven builds that the groupId of JDOM has changed.
  • Fix possible IndexOutOfBoundsException when returning the message for a ConversionException.
  • XSTR-495: StreamStrategy cannot handle key with value null.

API changes

  • Deprecated c.t.x.io.json.JsonHierarchicalStreamWriter in favour of c.t.x.io.json.JsonWriter.
  • c.t.x.mapper.EnumMapper no longer derives from the c.t.x.mapper.AttributeMapper as it has been before version 1.3. Therefore the new constructor has been deprecated in favour of the old one.
  • c.t.x.mapper.Mapper.getConverterFromAttribute(Class, String) has been deprecated in favour of c.t.x.mapper.Mapper.getConverterFromAttribute(Class, String, Class) taking the type as third argument that should be handled by the converter.
  • c.t.x.core.ReferenceByIdMarshaller.IdGenerator.next() has now the current object as argument.
  • New c.t.x.persistence.PersistenceStrategy and c.t.x.persistence.FilePersistenceStrategy.
  • Deprecated c.t.x.persistence.StreamStrategy and c.t.x.persistence.FileStreamStrategy.

1.3

Released February 27, 2008.

Major changes

  • ReflectionConverter writes now the fields of the parent classes first.
  • Support for Converter definition at field level.
  • Refactoring of Annotation support, invent auto-detection mode.
  • Annotated converters are no longer detected automatically, all annotations are now handled in the same way.
  • XSTR-334: XStream will deserialize directly from a file or URL. Some parser take advantage of these objects to define a SystemId used to resolve further references in XML, schema or DTD. Appropriate createReader methods have been added to c.t.x.io.HierarchicalStreamDriver.
  • XSTR-261: All c.t.x.io.HierarchicalStreamDriver implementations respect now the encoding of an XML header if read from an InputStream.
  • DomDriver no longer explicitly uses UTF-8 by default; DomReader will therefore respect the encoding defined in the XML header or use native encoding.
  • XSTR-415: JavaBeanConverter uses now BeanIntrospection (by Hinse ter Schuur).
  • XSTR-424: DateConverter uses now by default SimpleDateFormat instances in non-lenient mode.
  • XSTR-386: SingleValueConverter that utilizes PropertyEditor implementations (by Jukka Lindström).
  • XSTR-427: Converter for javax.xml.datatype.Duration (by John Kristian).
  • XSTR-305: Field alias inheritance (by David Blevins).
  • XStream failed to initialize in environments without AWT or SQL classes.
  • XSTR-420: XPath of references are not XmlFriendly encoded.
  • XSTR-473: String “\0” serialized as invalid XML, support compliant behaviour according XML version.
  • XSTR-431: Direct support of enhanced mode for SAP JVM (thanks to Norbert Kuck by SAP).
  • XSTR-437: Static cache in annotation processing causes failing OSGi bundles.
  • XSTR-279+XSTR-335: Annotations are not inherited from parent class.
  • Fix StringConverter using a WeakHashMap with strong references in its value.
  • XSTR-403: Attributes are no longer written with JSONHierarchicalStreamDriver if current object is a collection.
  • XSTR-456: New LookAndFeelConverter handling LookAndFeel implementations with reflection.
  • XSTR-462: CachingMapper keeps direct class references.
  • XSTR-411: JsonHierarchicalStreamDriver does not escape characters according RFC 4627.
  • JsonHierarchicalStreamDriver writes wrong brackets around complex Java types with a single value.
  • JsonHierarchicalStreamDriver writes attribute names with a leading '@'.
  • JsonHierarchicalStreamDriver supports Map implementations.

Minor changes

  • Added converter for java.lang.StringBuilder instances.
  • Added converter for java.util.UUID instances.
  • XSTR-430: Fields written as attributes could not be omitted.
  • XSTR-407: Comparator might access uninitialized elements for TreeSet and TreeMap. A deserialized Comparator is no longer called, the converters expect the elements now in a sorted order.
  • XSTR-404, @XStreamImplicit() for ArrayList<ArrayList<Type>> throws ClassCastException.
  • @XStreamContainedType() for ArrayList<ArrayList<Type>> throws ClassCastException.
  • XStreamer did not persist a FieldKeySorter instance.
  • XSTR-241: JavaBeanConverter now supports customized BeanProvider.
  • XSTR-280: JavaBeanConverter now supports aliasField and omitField (by Hinse ter Schuur).
  • XSTR-280: SerializationConverter now supports aliasField and omitField.
  • XSTR-429: XmlFriendlyReplacer support for SaxWriter and TraxSource (by Adrian Wilkens).
  • XSTR-421: Characters cannot be written as attribute.
  • XSTR-426: java.swt.KeyStroke not properly serialized because of a character undefined in unicode.
  • XSTR-352: Strings with arbitrary ISO control characters are not properly serialized.
  • XSTR-428: An attribute named like a transient field did abort deserialization of following fields.
  • XSTR-443: XStream.createObjectOutputStream does not use the given driver to create the HierarchicalStreamWriter.
  • XSTR-440: Implicit collections can be declared for fields that are not of Collection type.
  • XSTR-446: Handle all primitives and their boxed counterpart for JsonHierarchicalStreamDriver.
  • XSTR-447: Fix deserialization of Array class types in JDK 6 (see JDK bug 6500212).
  • XSTR-450: @XStreamAlias is ignored if attributes should be used for the field type.
  • XSTR-418: Inherited @XStreamAlias is ignored if field should be rendered as attribute.
  • XSTR-393: Annotation processing is not consistent.
  • XSTR-412: @XStreamImplicit throws NPE for untyped collections.
  • XSTR-463: Cannot provide own default Mapper chain.
  • XSTR-464: Cannot provide a ClassLoader that is used in all cases.
  • XSTR-394: Allow enums as attributes.
  • XSTR-413: Support @XStreamAsAttribute for enums.
  • XSTR-478: Cannot specify default implementation for polymorphic enum.
  • XSTR-419: Treat enums as immutable types.
  • Update annotation tutorial, explain limitations of auto-detection mode.
  • Added copyright notices to all files.
  • StaxWriter.flush did close Stax’ XMLStreamWriter instead of flushing it.
  • XSTR-471: XStream POMs do no longer declare a repository at all.
  • Calendar object could not be rendered with JSONHierarchicalStreamDriver.
  • XSTR-476: Properties can be sorted by key.
  • XStream.createObjectInputStream and XStream.createObjectOutputStream overloaded to support a binary InputStream or OutputStream.
  • XSTR-470: Allow transient fields to be optionally deserialized.

API changes

  • c.t.x.annotation.Annotations, c.t.x.annotation.AnnotationReflectionConverter and c.t.x.annotation.AnnotationProvider deprecated. Functionality is integrated in new c.t.x.mapper.AnnotationMapper and accessible with new methods c.t.x.XStream.processAnnotations().
  • New auto-detection mode for annotations, that can be turned on with c.t.x.XStream.autodetectAnnotations().
  • c.t.x.annotation.@XStreamContainedType deprecated, the behaviour is now always active and the annotation therefore superfluous.
  • Due to XSTR-421 null characters are no longer written as tag with an attribute (<char null="true"/>), but as empty tag. The old representation is still supported at deserialization.
  • Characters that are not defined in unicode or ISO control characters (except TAB and LF) are written as numerical entity now.
  • XPath references are now also XML-friendly encoded to match the path exactly. Unencoded references will normally work anyway, but in special cases the exact behaviour of XStream 1.2.x might be necessary. See acceptance tests for XStream 1.2.x compatibility.
  • c.t.x.core.BaseException deprecated in favour of c.t.x.XStreamException as base exception for all exceptions XStream throws.
  • c.t.x.XStream.InitializerException deprecated in favour of c.t.x.InitializerException.
  • New methods get() and keys() in interface c.t.x.converter.ErrorWriter.
  • c.t.x.mapper.XmlFriendlyMapper deprecated, technology is replaced since version 1.2 by c.t.x.io.xml.XmlFriendlyReplacer as part of the different XmlWriter implementations.
  • c.t.x.mapper.Mapper.aliasForAttribute() and c.t.x.mapper.Mapper.attributeForAlias() deprecated, since it provided in reality the combined functionality of c.t.x.mapper.Mapper.serializedMember()/realMember() and c.t.x.mapper.Mapper.getConverterFromItemType().
  • c.t.x.XStream(ReflectionProvider, Mapper, HierarchicalStreamDriver) deprecated, in favour of c.t.x.XStream(ReflectionProvider, HierarchicalStreamDriver, Mapper, ClassLoader).
  • New interface c.t.x.converter.ConverterRegistry to express explicit functionality managing the converters.
  • c.t.x.core.DefaultConverterLookup no longer uses a c.t.x.mapper.Mapper. Therefore the old constructor has been deprecated in favour of a default constructor.
  • Overloaded methods of c.t.x.mapper.Mapper.getConverterFromItemType and c.t.x.mapper.Mapper.getConverterFromAttribute have been deprecated. Only one version has been kept, the implementation can handle all cases now at once and therefore multiple calls to the mapper chain are avoided.
  • c.t.x.mapper.EnumMapper derives now from the c.t.x.mapper.AttributeMapper to support enums as attributes. Therefore the old constructor has been deprecated in favour of one taking an additional c.t.x.converters.ConverterLookup that has to be passed to the new parent.

Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.

Version 1.2.2

Released May 24, 2007.

Note that the next version of XStream will behave slightly differently by default. XStream emits all fields in declaration order like Java serialization. But in contrast to Java it will emit the fields of parent classes last while Java serialization emits them first. This makes it difficult to match a given XML schema that defined inherited types or leads sometimes to obscure initialization problems. However, XStream itself will not be affected by the changed order of elements in the XML, any deserialization of current XML representations will work fine. Anyway we will provide with XStream 1.3 a FieldKeySorter implementation that mimics the old behaviour. In the meanwhile you can enforce the new field sorting by installing the NaturalFieldKeySorter.

Major changes

  • XSTR-391, Support for writing (and reading) JSON by the new JettisonMappedXmlDriver (by Dejan Bosanac).
  • New FieldKeySorter interface allows a custom sort order of the XML elements.
  • XSTR-68 and XSTR-210, OmitField is now respected at deserialization to ignore removed fields.

Minor changes

  • XSTR-387, Fix aliasing of inherited fields.
  • XSTR-395, Fix StringConverter allocating PermGen space.
  • XSTR-368, @XStreamConverter converters should be cached inside the AnnotationReflectionConverter.
  • XSTR-392, @XStreamOmitField can be used to omit fields from the resulting XML (contributed by Chung-Onn Cheong).
  • XSTR-371, Fix JSONWriter that omits a closing bracket for fields with null value.
  • XSTR-398, DomDriver ignores given XmlFriendlyReplacer.
  • XSTR-370, Buildable with JDK 6, fix FontConverter for JDK 6.
  • XSTR-382, Support hex and octal number values.
  • DateConverter did not respect change in TimeZone after first usage.
  • XSTR-375, Support for aliasing native types.
  • XSTR-243 again, XML elements for transient fields are now ignored completely at deserialization.
  • Release unused object references to keep memory print low.
  • Support for AWT and SQL is now optional: XStream now works on embedded virtual machines lacking such APIs (by Nicolas Gros d’Aillon).
  • Support raw bytes read from the ObjectInputStream.
  • XSTR-373, Support for Hitachi JVM (tested by Yuji Yamano).
  • XSTR-378 and XSTR-379, Fix TextAttributeConverter and EnumSetConverter failing on Apache Harmony.
  • XSTR-363, Support of native field order i.e. fields are processed in declaration order base classes first.
  • XSTR-320, Static field in child may hide non-static field in parent.

API changes

  • XSTR-365, Multiple implicit collections with annotations. Deprecated @XStreamImplicitCollection in favour of @XStreamImplicit declared at field level.

Version 1.2.1

Released November 11, 2006.

Major changes

  • Introduced DocumentWriter interface and generalized functionality for all writer implementations creating a DOM structure (DOM4J, DOM, JDom, Xom, Xpp3Dom).
  • Refactored build system to use Maven 2. Ant still supported on XStream Core.
  • Created separate XStream Benchmark module

Minor changes

  • XSTR-346, XStream.getClassMapper() does not return a ClassMapper for the current Mapper.
  • Fix problem with fields containing a double underscore.
  • XSTR-345, Dom4JWriter adds up attributes.
  • XSTR-336, XStream fails to reference an implicit element.
  • XSTR-337, Annotation cycle bug.
  • Fix packaging error for the resulting jar building with Maven2.
  • XSTR-339, NPE for attribute null values.
  • XSTR-338, NPE in JSON writer for converters using non-extended HierarchicalStreamWriter.
  • XSTR-357, Fix escaping of values in JSON writer.
  • XSTR-356, Fix unmarshaling error for fields containing proxies.
  • XSTR-349, Fix backward compatibility of Dom4jWriter.
  • XSTR-309, More versatile boolean conversion options (contributed by David Blevins).
  • Add XStream.getReflectionProvider() to retrieve ReflectionProvider in use.
  • XSTR-358, @XStreamConverter annotation does not call converter constructor.
  • Website generated using XSite

API changes

  • Deprecate JDomWriter.getResult() in favour of DocumentWriter.getTopLevelNodes().
  • Deprecate ThreadSafeSimpleDateFormat, since this is an internal helper and not part of XStream API.

Version 1.2

Released August 18, 2006.

Major changes

  • XSTR-269, Using attributes for fields (contributed by Paul Hammant and Ian Cartwright).
  • Aliasing of arbitrary attributes.
  • XSTR-50, XStream can now serialize another XStream instance.
  • XSTR-227, XStream has now the XStreamer, that serializes an object together with its XStream instance.
  • XSTR-278, AnnotationConverter for fields (contributed by Guilherme Silveira).
  • XSTR-256, PureJavaReflectionProvider supports now final fields starting with JDK 1.5
  • XSTR-258, Any Collection type can now be declared implicit, the default implementation will be respected for unmarshaling.
  • XSTR-88, XStream can now write all references as absolute XPath expression.
  • XSTR-62 and XSTR-211, New SingleValueConverter allows light weight converters if the value can be represented by a unique string.
  • Aliasing of classes of a specific type.
  • XSTR-239, Support for certain types of proxies generated with the CGLIB Enhancer.
  • XSTR-90 and XSTR-311, Support for BEA JRockit starting with R25.1.0 (contributed by Henrik Ståhl of BEA).

Technology preview

  • Experimental binary reader and writer.
  • Experimental HierarchicalStreamCopier allows streams to be copied from one format to another without the overhead of serialization.
  • Experimental JSON support allows streams to be copied from one format to another without the overhead of serialization (contributed by Paul Hammant).

Minor changes

  • XSTR-266, XStream fails to serialize elements of an unserializable class, that is a base class of a derived class
  • XSTR-236, Priority constants for converter registration are now public
  • XSTR-215, XStream writes now fields in declaration order even for JVMs reporting them in reverse order like IBM JDK.
  • XSTR-276 and XSTR-283, XStream does no longer attempt to create references to implicit element.
  • XSTR-244, Closing a Writer can now be done twice, but any write attempt will later on fail.
  • XSTR-243, Transient fields were unmarshalled from XML.
  • XSTR-250, Providing a mapper to the XStream constructor will no longer result in a NPE.
  • XSTR-281, After registering a new converter, the internal converter cache is now cleared.
  • XSTR-284, XStream checks the object returned by a converter for compatibility.
  • XStream no longer fails serializing a Throwable without cause when no references shall be written.
  • Converter for java.awt.font.TextAttribute.
  • Converter for java.nio.charset.Charset.
  • XSTR-286, XStream detects impossible self serialization and throws now an appropriate ConversionException.
  • XSTR-291, XomDriver implementation added.
  • XSTR-299, Fix for implicit collections with items using the same name as the field name of the underlying collection.
  • XSTR-245, Broken XML with custom serialization in certain cases (patch contributed by Cyrille Le Clerc).
  • XSTR-304, Bad handling of repairing namespace flag for StaxDriver (patch contributed by John Kristian).

API changes

  • XSTR-252, Refactored support for XML friendly character mapping.
  • XSTR-69, Refactored ReflectionConverter allows simpler subclassing.
  • Unmarshalling context has now an overloaded version of the method convertAnother to provide the Converter directly.
  • Deprecate ClassMapper for Mapper. All methods with a ClassMapper parameter have now a duplicate taking only a Mapper. The variant with the ClassMapper is deprecated.
  • Deprecate c.t.x.alias.CannotResolveClassException for c.t.x.mapper.CannotResolveClassException.
  • Deprecate NameMapper (was not used within XStream anymore anyway).
  • Deprecate constructor of DefaultMapper taking an alternative name for the class attribute. Use the aliasAttribute method.
  • Deprecate attributeForImplementationClass, attributeForClassDefiningField, attributeForReadResolveField, and attributeForEnumType in favour of the generalized aliasForAttribute in the Mapper interface.
  • Removed all deprecated stuff from 1.1.x and 1.0.x
  • XSTR-211, A lot of existing (basic) Converters have been refactored to use the new SingleValueConverter interface.
  • Dom4JWriter uses now a DocumentFactory and a XMLWriter as constructor arguments.

Version 1.1.3

Released January 13, 2006.

Major changes

  • Added XStream.toXML(OutputStream) and XStream.fromXML(InputStream).
  • Ability to prevent fields from being serialized by calling XStream.omitField() or by implementing Mapper.shouldSerializeMember().
  • Added Converter for Enum, EnumMap and EnumSet
  • XSTR-186, Added BeanConverter (contributed by Andrea Aime)
  • XSTR-246, Added ISO8601SqlTimestampConverter (contributed by Cheong, Chung-Onn)
  • Added ISO8601GregorianCalendarConverter
  • XSTR-215, Fixed support for IBM JVM (contributed by Gabor Liptak)
  • Enhanced mode support for Blackdown JDK
  • XSTR-265, support for javax.security.auth.Subject
  • XSTR-233, support for Integer[] arrays

Minor changes

  • Remove unnecessary PrintWriter wrapper in default writers (pointed out by Mathieu Champlon)
  • Bugfix: EnumSet converter can now deal with empty sets (contributed by Baba Buehler)
  • Update ISO8601DateConverter to use Joda 1.0
  • XSTR-242, GregorianCalendarConverter saves now the timezone
  • XSTR-247, ISO8601DateConverter now independent on timezone
  • XSTR-263, Circular references with Externalizable objects fail

API changes

  • None.

Version 1.1.2

Released April 30, 2005. Most popular feature requests implemented. Java 5 Enum support. Serialization of JavaBeans using accessors. Aliasing of fields. StAX integration, with namespaces. Improved support on JDK 1.3 and IBM JDK.

Major changes

  • XSTR-186, Option to serialize JavaBeans using public accessors, rather than private fields (contributed by Andrea Aime).
  • Ability to alias fields as well as classes, using XStream.addFieldAlias().
  • XSTR-70, XSTR-204 Support for JDK 5 enums (contributed by Eric Snell and Bryan Coleman).
  • XSTR-206 Clean representation of JDK 5 EnumMap and EnumSet.
  • XStream can now be built using JDK 1.3 (previously it required JDK 1.4 to compile, but 1.3 to run).
  • XSTR-215, Enhanced mode is now supported on the IBM 1.4 JDK.
  • The default HierarchicalStreamWriter implementation is supplied by the HierarchicalStreamDriver (as well as the reader).

Minor changes

  • XSTR-104 HierarchicalStreamReader now exposes all available attributes to the Converter implementations (contributed by Trygve Laugstol).
  • Bugfix: Externalizable deserialization supported for objects not at the root of tree.
  • JavaMethodConverter handles non public methods/constructors (contributed by Kevin Ring).
  • PropertiesConverter also serializes default properties, if present (contributed by Kevin Ring).
  • Bugfix: In some cases, XppReader and StaxReader would get confused when calling hasMoreChildren() and getValue() on the same node.
  • XSTR-217, ISO8601DateConverter now requires joda-time-1.2.1
  • PrettyPrintWriter and CompactWriter may have their text/attribute escaping rules customized by overriding writeText() and writeAttributeValue().

API changes

  • HierarchicalStreamDriver implementations now require a createWriter() method. The simplest implementation is to return a new PrettyPrintWriter.
  • Introduced ReaderWrapper/WriterWrapper classes to make it easier to wrap (decorate) HierarchicalStreamReader/Writer instances.

Version 1.1.1

Released March 7, 2005. Mostly bugfixes and minor feature enhancements.

Major changes

  • Converters can be registered with a priority, allowing more generic filters to handle classes that don’t have more specific converters.
  • Converters can now access underlying HierarchicalStreamReader/Writer implementations to make implementation specific calls.
  • Improved support for classes using ObjectInputFields to follow the serialization specification.
  • XSTR-179 Support for ObjectInputStream.registerValidation(ObjectInputValidation).
  • XSTR-178 Serialized inner class now maintains reference to outer class.
  • XSTR-199 Default ClassLoader may be changed using XStream.setClassLoader().

Minor changes

  • Bugfix: Thread context classloader is loaded by the correct thread. (Thanks to Padraic Renaghan for pointing this out).
  • Bugfix: Default implementations of aliased classes were not being deserialized by SerializableConverter.
  • Bugfix: XSTR-180 Serializable objects support defaultReadObject() even when no default fields available.
  • Bugfix: For serialized objects class hierarchy is serialized starting with superclass (as per Java Object Serialization).
  • Bugfix: readObject() is now called for classes containing only transient fields.
  • Bugfix: Order of fields are maintained when calling ObjectOutputStream.putFields().
  • Bugfix: FontConverter extended to support FontUIResource which does some awkward native calls.
  • Bugfix: Deserialization of very complicated graphs (such as Swing components) sometimes resulted in broken object references. Now fixed.
  • Bugfix: XSTR-188 Classes that use readResolve()/writeReplace() can now return different types.
  • Bugfix: XSTR-185, XSTR-195 Support for loading of array classes for classes that have not yet been loaded. (Thanks to Henri Tremblay and Simon Daniel)
  • Bugfix: XSTR-190 PrettyPrintWriter and CompactWriter escape characters in XML attributes.
  • Bugfix: XSTR-176, XSTR-196 The XStream ObjectInputStream and ObjectOutputStream implementations now propagate the flush() and close() events to the underlying streams.
  • Bugfix: XSTR-192 Implicit collection mappings are now supported in inheritance hierarchies.

API changes

  • ClassMapper is now deprecated. Replaced with MapperWrapper.
  • HierarchicalStreamWriter implementations must now implement close(), flush() and underlyingWriter().
  • HierarchicalStreamReader implementations must now implement close() and underlyingReader().

Version 1.1

Released January 15, 2005. Focus on support for objects defining custom serialization using the standard Java serialization mechanism.

Major changes

  • Provides drop in replacement for ObjectInputStream and ObjectOutputStream, using XStream.createObjectInputStream() and XStream.createObjectOutputStream(). This provides support for streaming objects.
  • Support for objects that specify their own serialization schemes by implementing readObject() and writeObject() (as in Java serialization spec). This includes support for ObjectInputStream.getFields() and ObjectOutputStream.putFields().
  • Support for objects to serialize other objects to the stream by implementing writeReplace() (as in Java serialization spec).
  • Support for any object that performs custom serialization by implementing java.io.Externalizable (as in Java serialization spec).
  • Implicit collections can be specified for classes, allowing the element wrapping the collection to be skipped.
  • New writer implementations to allow XStream to serialize directly to a SAX stream or TrAX pipeline.
  • The MarshallingContext and UnmarshallingContext interfaces now extend DataHolder, allowing arbitrary data to be stored by the user whilst walking the object graph and passed around to Converters. DataHolders can also be passed into XStream from the outside.
  • Includes new DomWriter implementation to serialize directly to a W3C DOM tree (to complement the existing DomReader).
  • Better support for instantiating objects on non Sun 1.4+ JVMs, including non-public constructors, private static inner classes and ANY class that implements java.io.Serializable.
  • DOM, DOM4J, JDOM, XOM, Electric-XML, SAX, STAX
  • Specific ClassLoaders can be passed into XStream, to allow for greater compatibility in J2EE containers.
  • Ability to change the default converter
  • Added optional ISO8601DateConverter for full ISO8601 date format support. The converter is not registered by default as it requires the joda-time dependency (http://joda-time.sf.net). To use, ensure joda-time is in classpath and register explicitly.
  • Enhanced mode is now supported on the Apple 1.4 JDK.

Minor changes

  • PrettyPrintWriter only flushes stream when necessary - large performance improvement for serialization.
  • Added XStream.fromXML(xml, root) convenience methods for deserializing into an existing root object.
  • JDK 1.3 compatibility: Added mechanism for accessing nested exception.
  • JDK 1.3 compatibility: GregorianCalendarConverter only calls Calendar.getTimeInMillis() if the JDK supports it.
  • Bugfix: All caches are now synchronized - there were some thread safety issues.
  • Bugfix: Only immutable basic types will have references ignored in XML (for clarity).
  • Bugfix: Class names can contain underscores.
  • Bugfix: Support for ‘\0’ char.
  • Bugfix: PropertyConverter no longer attempts to serialize subclasses of Properties.
  • Bugfix: JVM detection uses system properties, which is more accurate than searching the classpath.

API changes

  • XStream.addDefaultCollection() has been deprecated. Use XStream.addImplicitCollection() instead.

Version 1.0.2

Released August 7, 2004. Focus on improving the converters bundled with XStream to support a wider range of types.

Major changes

  • XML elements are written in order they are defined in class, rather than alphabetical.
  • Converters for java.io.File, java.sql.Timestamp, java.awt.Color, and dynamic proxies are now registered by default.
  • EncodedByteArrayConverter is now registered by default and uses a single Base64 string to store the contents of a byte[]. This now works on all JVMs as it no longer relies on Sun specific classes. This converter will also unmarshal byte[] that have been serialized without it, for backwards compatibility.
  • New converters for java.sql.Time, java.sql.Date, java.util.Locale, java.util.Currency, java.util.Calendar and java.awt.Font.
  • All caching is done in XStream instance instead of statics, allowing applications that use hot redeployment of classes to use XStream in a parent classloader.
  • XStream will fail fast if a field value is defined more than once in XML when deserializing.

Minor changes

  • The <entry> element used in Maps can now be specified by creating an alias for java.util.Map.Entry.
  • Bugfix: Fields with characters that generate invalid XML (such as $ signs) are now escaped.
  • Bugfix: Pre-instantiated objects can be unmarshalled through multiple levels.

API changes

  • None.

Version 1.0.1

Released May 30, 2004. Misc features and bugfixes.

Major changes

  • Support for multidimensional arrays.
  • Object with readResolve() method will be treated the same way native serialization treats them.

Minor changes

  • New converters for Throwable and StackTraceElement that retain stack trace (JDK 1.4 only)
  • Bugfix: System.identityHashCode() is not guaranteed to be unique. Ensure reference checking is used as well.
  • Bugfix: Allows user classes to be defined in WEB-INF/classes in Servlet environments. Tries to use context classloader if available.
  • Support for java.util.Currency (through readResolve()).
  • Instances of Jakarta Commons Lang Enum are now reused (through readResolve()).
  • Bugfix: JavaClassConverter handles primitive type classes (contributed by Matthew Sandoz).

API changes

  • Additional method: ConverterLookup.defaultConverter(). Custom implementations of this class should implement this new method.

Version 1.0

Released May 14, 2004. Focusses on finalizing the API for 1.0 release.

Major changes

  • Supports fields of same name, hidden by inheritance.

Minor changes

  • JavaDoc for most important parts of API.

API changes

  • The ReflectionConverter and ReflectionProviders have had an overhaul to support hidden fields. Most methods now take an extra argument to specify which class a field is declared in.

Version 1.0 (release candidate 1)

Released May 9, 2004. Focusses on finalizing the API for 1.0 release.

Major changes

  • JDK 1.3 compatibility.
  • Informative error messages.
  • Defaults to using faster XPP based parser.
  • Serializes final field under JDK 1.4.
  • Fail fast when trying to serialize final field if not Sun 1.4 JRE.

Minor changes

  • Misc performance improvements.
  • Converters for TreeMap and TreeSet that store the Comparator.

API changes

  • Default constructor for XStream class uses XppDriver instead of DomDriver. To use DomDriver, explicitly pass it in to the constructor.
  • Exception is thrown if trying to serialize an object that contains a final field if not Sun 1.4 JRE.

About XStream version numbers…

Version 0.6

Released May 7, 2004. Focusses on providing full object graph support.

Major changes

  • None.

Minor changes

  • Bugfix: Objects that had no children could not be dereferenced properly (thanks to Brian Slesinsky and Nick Pomfret).
  • Bugfix: DateConverter is now thread safe.
  • Optimization: String instances are reused as much as possible.
  • Converters for BigInteger and BigDecimal.
  • IntConverter now recognises hexadecimal and octal notations (thanks to Konstantin Pribluda).

API changes

  • None.

Version 0.6 (release candidate 1)

Released April 19, 2004. Focusses on providing full object graph support.

Major changes

  • Full support for object graphs, including duplicate references of same object and circular references.
  • References can be identified using XPath (default), unique-IDs or disabled.

Minor changes

  • Release includes Ant build file.
  • Converters for non standard collections such as Collections.EMPTY_LIST, synchronizedList(), unmodifiableMap(), etc.
  • Converter for nulls.
  • Converter for dynamic proxies.
  • Converter for java.net.URL.
  • Converters for java.util.LinkedHashMap and java.util.LinkedHashSet.
  • Converters for java.lang.reflect.Method and java.lang.reflect.Constructor.
  • If duplicate reference support is disabled and a circular reference is encountered, an exception will be thrown.

API changes

  • None.

Version 0.5

Released March 8, 2004. Focussed on performance.

Major changes

  • Massive performance improvements. Up to 3 times faster for serialization and 22 times faster for deserialization!
  • Non-DOM building pull parser based reader. Results in much smaller memory footprint, particularly when deserializing large object models.

Minor changes

  • Misc performance improvements.
  • Misc bugfixes.
  • Alternate encodings can be used with DomDriver.

API changes

  • Renamed XMLReader/Writer to HierarchicalStreamReader/Writer as XStream is not actually coupled to serializing just to XML.
  • Cleaned up the public API.
  • Moved internal XStream implementation classes to core package.
  • Misc package/class renames to make more sense. Dumped lots of dead code.

Version 0.4

This version was never publicly released. All changes were made available in 0.5. Focussed on making it easier to create custom converters.

Major changes

  • Overhaul of interface for Converters. Makes Converters much cleaner to write.

Minor changes

  • Added custom converters for java.io.File, java.util.Properties, java.util.Vector, java.util.Hashtable, java.util.BitSet, byte[] (Base64 encoded), char[].
  • Misc bugfixes.

API changes

  • New interface to be implemented by custom converters.

Version 0.3

Released January 1, 2004.

Major changes

  • Added ElementMapper interface and default implementations to allow fine grained control over element name to class mapper operations.
  • Added an XPP based reader and writer that uses a pull-parser to create a lightweight DOM tree.

Minor changes

  • Added XStream.fromXML(XMLReader xmlReader,Object root) method to allow the population of an object graph starting with a live object root.
  • Added XMLReader.peek() method to allow access to the underlying hierarchical object being unmarshalled.

API changes

  • Aligned the methods in XStream to use the specified ObjectFactory in the constructor instead of creating a SunReflectionObjectFactory.

Older versions

Changes in XStream prior to version 0.3 were not logged.
