activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r998607 - in /websites/production/activemq/content: cache/main.pageCache objectmessage.html
Date Fri, 30 Sep 2016 09:22:44 GMT
Author: buildbot
Date: Fri Sep 30 09:22:43 2016
New Revision: 998607

Log:
Production update by buildbot for activemq

Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/objectmessage.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/objectmessage.html
==============================================================================
--- websites/production/activemq/content/objectmessage.html (original)
+++ websites/production/activemq/content/objectmessage.html Fri Sep 30 09:22:43 2016
@@ -82,9 +82,9 @@
         <tr>
         <td valign="top" width="100%">
 <div class="wiki-content maincontent"><p>Although ObjectMessage usage is generally
discouraged, as it introduces coupling of class paths between producers and consumers, ActiveMQ
supports them as part of the JMS specification.</p><h2 id="ObjectMessage-Security">Security</h2><p>ObjectMessage
objects depend on Java serialization of marshal/unmarshal object payload. This process is
generally considered unsafe as malicious payload can exploit the host system. That's why starting
with versions <strong>5.12.2</strong> and&#160;<strong>5.13.0</strong>,
ActiveMQ enforces users to explicitly whitelist packages that can be exchanged using ObjectMessages.</p><p>If
you need to exchange object messages, you need to add packages your applications are using.
You can do that with by using&#160;<code>org.apache.activemq.SERIALIZABLE_PACKAGES</code>&#160;system
property of the broker. You can add this system property to <code>ACTIVEMQ_OPTS</code>
variable in <code>${ACTIVEMQ_HOME}/bin/env</code> scri
 pt.</p><p>For example:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES="java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp"</pre>
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp</pre>
 </div></div><p>will add <code>com.mycompany.myapp</code> package
to the list of trusted packages. Note that other packages listed here are enabled by default
as they are necessary for the regular broker work. In case you want to shortcut this mechanism,
you can allow all packages to be trusted by using <code>*</code> wildcard, like</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES="*"</pre>
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=*</pre>
 </div></div><h3 id="ObjectMessage-Clients">Clients</h3><p>On
the client side, you need to have this same mechanism as malicious code can be deserialized
on <code>ObjectMessage.getObject()</code> call, compromising your application's
environment. You can use the same configuration mechanism on the broker and configure trusted
classes using system properties. However, this is usually not convenient in the client applications,
so in <strong>5.12.2</strong> and&#160;<strong>5.13.1</strong>
we introduced additional configuration mechanism using <code>ActiveMQConnectionFactory</code>.
There are two additional methods defined:</p><ul><li>The <code>setTrustedPackages()</code>
method allows you to set the list of trusted packages you want to be to unserialize, like</li></ul><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">ActiveMQConnectionFactory
factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
 factory.setTrustedPackages(new ArrayList(Arrays.asList("org.apache.activemq.test,org.apache.camel.test".split(","))));</pre>



Mime
View raw message