joehni
commented
4 years ago Hi Johann,
actually I would have expected newer XStreams being faster. Especially if you compare the benchmarks from 1.4.9 to 1.4.10 you can see a significant performance boost for some cases.
So, how you you use XStream? Did you follow the performance advices in the FAQ? Which parser is in use?
The warning has nothing to do with performance. It simply tells you that you rely on XStream's internal black list for known types, that can be used for attacks. Better would be to use a white list for the types you want to handle. XStream 1.5.x will work with a white list and your application may no longer work unless you initialize the security framework then.
Regards, Jörg
The xstream library has been used for a very long time in the GATE software for (de)serialization and we changed our dependency from xstream 1.4.7 to 1.4.11.1 only recently.
After this we noticed a very severe performance degradation when loading data (deserializaing from XML to Java). For a particular set of test data on some particular machine the change is from around 130s to about 720s. Since it was not clear which version really introduced the slowdown I ran the benchmark when using the following xtream versions and got the following results:
So the main slowdown seemed to have happened going from version 1.4.9 to 1.4.10
So, based on the changes carried out in version 1.4.10, is this to be expected? Is it explainable? When I look at the change log, all I can find is a change to fix a performance degradation :)
Version 1.4.10 seems to be the first one that shows the warning message:
I could not find out where in the code this message actually comes from, but could it be related to the performance drop? Our software uses xstream to (de)serialize some data where the actual type is not known in advance, so we essentially ignored this warning for now.