Hello Alvaro, Alvaro wrote:
> Hi, > > I found that using the DynamicProxyConverter can be a security issue that > can lead to remote code execution. Can you elaborate a bit? > I dont know if it is possible to unregister it No. > as I can see no > unregisterConverters method in the XStream class For an existing XStream instance you can only register other converters with same or higher priority that claim to handle the same types. As alternative you might provide a ConverterLookup as constructor parameter that contains already all supported converters and a ConverterRegistry that actually does nothing. Another alternative is to overwrite XStream's setupConverter method. > but I would like to use > XStream SpringOXM wrapper for a RESTFul API, so I would like to unregister > it using the SpringOXM wrapper, is it possible? Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how you configure it to use either different constructor parameters or an instance of a derived XStream type. Cheers, Jörg --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email