XStream is a simple library to serialize objects to XML and back again.
- Ease of use. A high level facade is supplied that simplifies common use cases.
- No mappings required. Most objects can be serialized without need for specifying mappings.
- Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput.
- Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization.
- Requires no modifications to objects. Serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor.
- Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports circular references.
- Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML).
- Customizable conversion strategies. Strategies can be registered allowing customization of how particular types are represented as XML.
- Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
- Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.
- Alternative output format. The modular design allows other output formats. XStream ships currently with JSON support and morphing.
- Unit Tests
If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.
The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.
Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.
March 15, 2016 XStream 1.4.9 released
Maintenance release 1.4.9 of XStream with bug fixes eliminating XXE vulnerability and new benchmark module.
Several parsers were vulnerable by processing external entities (XXE vulnerability). This has been turned off as far as possible.
The home-grown benchmark module has been replaced using an implementation based on JMH.
XStream supports now java.nio.Path with a specialized converter.
Note, the next major release 1.5 will require Java 7.
Thanks to this impressive list of contributors.