public class XsteamUtil { public static Object toBean(Class<?> clazz, String xml) { Object xmlObject = null; XStream xstream = new XStream(); //XStream.setupDefaultSecurity(xstream); //Class<?>[] classes = new Class[] { UnSubscribeV2Rsp.class, UsedCDRAuthReq.class }; //xstream.allowTypes(classes); xstream.processAnnotations(clazz); xstream.autodetectAnnotations(true); //xstream.setClassLoader(UnSubscribeV2Rsp.class.getClassLoader()); xmlObject= xstream.fromXML(xml); return xmlObject; } }
异常 1:
Security framework of XStream not initialized, XStream is probably vulnerable.
意思是:xstream 的安全框架没有初始化,xstream 容易受攻击。
解决方法:xStream对象设置默认安全防护,同时设置允许的类
XStream.setupDefaultSecurity(xstream); //UnSubscribeV2Rsp ,UsedCDRAuthReq (自己需要转换的JavaBean) Class<?>[] classes = new Class[] { UnSubscribeV2Rsp.class, UsedCDRAuthReq.class }; xstream.allowTypes(classes);
异常 2: java.lang.ClassCastException: (明明类型一样,报转换异常)
在SpringBoot项目中,使用Xstream反序列化xml成实体类时,会发生明明是同种类型,在实际使用时却出现java.lang.ClassCastException的异常。
原因
因为springboot项目中不是使用的默认classloader。
解决方法
手动重设xtream的classloader
xstream.setClassLoader(UnSubscribeV2Rsp.class.getClassLoader());
加上解决问题:
public class XsteamUtil { public static Object toBean(Class<?> clazz, String xml) { Object xmlObject = null; XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); Class<?>[] classes = new Class[] { UnSubscribeV2Rsp.class, UsedCDRAuthReq.class }; xstream.allowTypes(classes); xstream.processAnnotations(clazz); xstream.autodetectAnnotations(true); xstream.setClassLoader(UnSubscribeV2Rsp.class.getClassLoader()); xmlObject= xstream.fromXML(xml); return xmlObject; } }