• As Red Hat JBoss Fuse 6.3 use camel 2.17 version. There is a camel-xstream[1] component which has settings for permission handling. This is described in community doc[2] with subject Setting the type permissions of Xstream DataFormat.
• We should add this segment to doc[3] within subject CAMEL 2.17 MIGRATION ISSUES FOR JBOSS FUSE 6.3. We should add:

################################################
From Camel 2.16.1, 2.15.5, you can set XStream's type permissions to automatically allow or deny the instantiation of certain types.
The default type permissions setting used by Camel denies all types except for those from java.lang and java.util packages. This setting can be changed by setting System property org.apache.camel.xstream.permissions. Its value is a string of comma-separated permission terms, each representing a type being allowed or denied, depending on whether the term is prefixed with '' (note '' may be omitted) or with '-', respectively.
Each term may contain a wildcard character ''. For example, value "-,java.lang.,java.util." indicates denying all types except for java.lang.* and java.util.* classes. Setting this value to an empty string "" reverts to the default XStream's type permissions handling which denies certain blacklisted classes and allow others.
The type permissions setting can be extended at an individual XStream DataFormat instance by setting its type permissions property.

<dataFormats>
    <xstream id="xstream-default" 
             permissions="org.apache.camel.samples.xstream.*"/>

#################################################

[1]http://camel.apache.org/xstream.html
[2]http://camel.apache.org/xstream.html#XStream-SettingthetypepermissionsofXstreamDataFormat
[3]https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/migration_guide/camel_migration