In order to apply the instructions in this article, your Sonatype Nexus instance must be version 2.7.1 or greater, or be another Nexus 2.x version that is patched with a Sonatype modified XStream library.
The nexus.log file should contain one or more messages at WARN level from the com.thoughtworks.xstream.whitelist.TypeWhitelist logger with a message of the form:
Type NOT allowed: <type>
The Sonatype modified XStream library restricts unmarshalling of Object types to those known to be safe. The list of allowed types is known as the "xstream white list". This white list is constructed from a combination of pre-allowed packages, classes, and regular expressions, and (optionally) user contributions to the white list. Configuration of the XStream object via standard mechanisms (aliases, annotations, etc.) will also add to the white list.
If you are using third-party Nexus plugins (not authored by Sonatype) that require XStream unmarshalling, you may find that these plugins can no longer unmarshal request payloads into Java Objects.
Resolving Unmarshalling Problems
Should unmarshalling errors occur in your custom Nexus plugins, you must determine which classes need to be added to the XStream white list.
Look in the nexus.log file for "Type NOT allowed:" messages. Each message should include information about the Object type that was being unmarshalled.
Once you have identified the types causing problems, verify that the request to unmarshal this type is a legitimate request. We advise contacting the plugin author for direct clarification.
Once the type is confirmed, edit $NEXUS_HOME/conf/nexus.properties (for example, nexus-professional-2.7.1-01/conf/nexus.properties), using the examples below as a guide.
Example: Configuring a list of allowed types
# A comma delimited set of fully qualified class names. Inner classes may be specified using "$"
Example: Configuring entire packages of types
# A comma delimited set of Java packages. Note that sub-packages are not automatically included, "a.b.c" does not allow "a.b.c.d":
To apply changes to nexus.properties a restart is required.
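The log review step described above, as an added example (not Sonatype's code): a Python script that pulls the rejected types out of nexus.log text and groups them by exact package, since a package entry does not cover sub-packages. The log line layout, the org.example logger and the com.myco.plugin type names are constructed assumptions.

```python
import re
from collections import Counter

LOGGER = "com.thoughtworks.xstream.whitelist.TypeWhitelist"
# Assumption: the rejected type is the first token after "Type NOT allowed:".
REJECTED = re.compile(r"\bWARN\b.*" + re.escape(LOGGER) + r".*Type NOT allowed:\s*(\S+)")

# Constructed sample lines; the timestamp/thread layout is an assumed log pattern.
SAMPLE_LOG = """\
2014-02-10 09:14:02,113 WARN  [qtp1-42] com.thoughtworks.xstream.whitelist.TypeWhitelist - Type NOT allowed: com.myco.plugin.rest.ReportRequest
2014-02-10 09:14:05,871 INFO  [qtp1-42] org.example.Other - Unrelated message
2014-02-10 09:15:40,002 WARN  [qtp1-17] com.thoughtworks.xstream.whitelist.TypeWhitelist - Type NOT allowed: com.myco.plugin.rest.ReportRequest$Filter
2014-02-10 09:16:11,450 WARN  [qtp1-17] com.thoughtworks.xstream.whitelist.TypeWhitelist - Type NOT allowed: com.myco.plugin.rest.dto.ReportRow
2014-02-10 09:16:12,001 WARN  [qtp1-17] com.thoughtworks.xstream.whitelist.TypeWhitelist - Type NOT allowed: com.myco.plugin.rest.ReportRequest
"""

def rejected_types(log_text):
    """Count each type named in a TypeWhitelist WARN message."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def package_of(type_name):
    """Java package of a fully qualified class name; inner classes use "$"."""
    outer = type_name.split("$", 1)[0]
    return outer.rpartition(".")[0]

def package_allows(allowed_package, type_name):
    """Exact package match only: "a.b.c" does not allow "a.b.c.d"."""
    return package_of(type_name) == allowed_package

def review_report(log_text):
    """Group rejected types by exact package, for review with the plugin author."""
    by_package = {}
    for type_name, hits in sorted(rejected_types(log_text).items()):
        by_package.setdefault(package_of(type_name), []).append((type_name, hits))
    return by_package

if __name__ == "__main__":
    for package, types in review_report(SAMPLE_LOG).items():
        print(package)
        for type_name, hits in types:
            print(f"  {type_name}  ({hits} rejected)")
```

The report lists candidates for review only; a type that no installed plugin should be receiving is a reason to examine the requests that carried it, not to add it to the white list.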
Attention: Third-Party Plugin Authors
The information in this section is intended for authors of Nexus plugins.
Types are automatically white-listed when they are configured via XStream:
field aliases (allows class field defined-in)
package aliases (allows package)
default implementations (type and impl)
local converters (defined-in type type)
types explicitly processed for annotations
This will automatically white-list the "com.myco.MyType" type.
Users that otherwise have no configuration can allow their types by processing each type for annotations (even if these types do not have any annotations):