XStream is a simple library to serialize objects to XML and back again.
- Ease of use. A high level facade is supplied that simplifies common use cases.
- No mappings required. Most objects can be serialized without need for specifying mappings.
- Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput.
- Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization.
- Requires no modifications to objects. Serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor.
- Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports circular references.
- Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML).
- Customizable conversion strategies. Strategies can be registered allowing customization of how particular types are represented as XML.
- Security framework. Fine-grained control over the unmarshalled types to prevent security issues with manipulated input.
- Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.
- Alternative output format. The modular design allows other output formats. XStream currently ships with JSON support and morphing.
- Unit Tests
In enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, a default constructor is required when running on a different JVM such as an old JRockit version or a JDK 1.4, or when a SecurityManager imposes restrictions.
The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.
Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.
February 8, 2014 XStream 1.4.7 released
This maintenance release mainly addresses the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling. All previous versions are affected when running on at least Java 5.
XStream now contains a security framework for fine-grained control over the unmarshalled types.
Note, the next major release 1.5 will require Java 6.
Thanks to this impressive list of contributors.