Clear XStream default whitelist

pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java

@@ -15,13 +15,17 @@
  */
 package ro.pippo.xstream;
 
-import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.NoTypePermission;
 import org.kohsuke.MetaInfServices;
 import ro.pippo.core.Application;
 import ro.pippo.core.ContentTypeEngine;
 import ro.pippo.core.HttpConstants;
+
+import com.thoughtworks.xstream.XStream;
 import ro.pippo.core.util.WhitelistObjectInputStream;
 
+import java.util.regex.Pattern;
+
 /**
  * An XmlEngine based on XStream.
  *
@@ -41,17 +45,17 @@ public String getContentType() {
 
     private XStream xstream() {
         XStream xstream = new XStream();
-
         // allow annotations on models for maximum flexibility
         xstream.autodetectAnnotations(true);
-
         // prevent xstream from creating complex XML graphs
         xstream.setMode(XStream.NO_REFERENCES);
 
-        // setup security (see http://x-stream.github.io/security.html)
-        xstream.allowTypes(WhitelistObjectInputStream.getWhiteClassNames());
-        xstream.allowTypesByRegExp(WhitelistObjectInputStream.getWhiteRegEx());
+        // clear out existing permissions and set own ones
+        xstream.addPermission(NoTypePermission.NONE);
 
+        //setup security
+        xstream.allowTypes((String[]) WhitelistObjectInputStream.getWhitelistedClassNames().toArray());
+        xstream.allowTypesByRegExp((Pattern[]) WhitelistObjectInputStream.getWhitelistedRegExp().toArray());
         return xstream;
     }
 
@@ -60,7 +64,6 @@ public String toString(Object object) {
         return xstream().toXML(object);
     }
 
-    @SuppressWarnings("unchecked")
     @Override
     public <T> T fromString(String content, Class<T> classOfT) {
         return (T) xstream().fromXML(content);