Tomcat prints ClassDefNotFoundError at line 277 in XStream.class where the JVM class is first statically instantiated. Further investigation shows that the JVM class fails in the static block when invoking final Field[] fields = AttributedString.class.getDeclaredFields(); which is not permitted by the default security properties of catalina in tomcat 5. Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662) at java.lang.Class.checkMemberAccess(Class.java:2125) at java.lang.Class.getDeclaredFields(Class.java:1714) at com.thoughtworks.xstream.core.JVM.<clinit>(JVM.java:27) A suggested fix is to catch AccessControlException and fall back to a default field order. I have not checked in what versions this is a problem, but I found it in 1.2.2. Thank you for a fantastic library!