When dealing with security issues, I wouldn't take it lightly. Firstly one would understand the severity of the issue, here a good write upor another one.

在处理安全问题时，我不会掉以轻心。首先，人们会了解问题的严重性，这里有一篇很好的文章或其他文章。

Then find out how people recommend the solution. The good place to start is from xstream website itself. There is an example which you can use as a starting point on xstream security page.

然后找出人们如何推荐解决方案。最好的起点是从 xstream 网站本身。有一个示例，您可以将其用作xstream security page上的起点。

This would be my set up which basically allows most of your code.

这将是我的设置，它基本上允许您的大部分代码。

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

然而，在深入研究他们的源代码之后，这是我的看法：

XStream.setupDefaultSecurity(this); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once upgrading to 1.5.

所以基本上，一旦升级到 1.5，您只需要一行。

Please note that you may need more wild cards to suit your application deserialization scenarios. This is not a one-size-fit-all answer but rather a good starting point IMHO.

请注意，您可能需要更多通配符来适应您的应用程序反序列化场景。恕我直言，这不是一个一刀切的答案，而是一个很好的起点。

I had the same "problem" and solved it by allowing the relevant types:

我遇到了同样的“问题”，并通过允许相关类型解决了它：

Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);

Maybe this also helps in your case.

也许这对您的情况也有帮助。

Good luck!

祝你好运！

It also works by specifying an all-inclusive pattern for allowed classes:

它还通过为允许的类指定全包模式来工作：

xstream.allowTypesByRegExp(new String[] { ".*" });