About XStream

XStream is a simple library to serialize objects to XML and back again.

Features

• Ease of use. A high level facade is supplied that simplifies common use cases.
• No mappings required. Most objects can be serialized without need for specifying mappings.
• Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput.
• Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization.
• Requires no modifications to objects. Serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor.
• Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports circular references.
• Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML).
• Customizable conversion strategies. Strategies can be registered allowing customization of how particular types are represented as XML.
• Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
• Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.
• Alternative output format. The modular design allows other output formats. XStream ships currently with JSON support and morphing.

Typical Uses

• Transport
• Persistence
• Configuration
• Unit Tests

Known Limitations

If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

• Download it.
• Use it.

Latest News

November 7, 2024 XStream 1.4.21 released

This maintenance release addresses the security vulnerability CVE-2024-47072, when using the BinaryDriver to unmarshal a manipulated input stream causing a Denial of Service due to a stack overflow.

A new converter fir the WeakHashMap avoids the access to the ReentrantLock introduced with Java 19.

The release contains an optimization for the memory consumption.

View the complete change log and download.

Note, the next major release 1.5 will require Java 11.