activemq-issues mailing list archives

From "Timothy Bish (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-6077) Better configuration of restricted classes for clients
Date Mon, 14 Dec 2015 22:21:46 GMT

    [ https://issues.apache.org/jira/browse/AMQ-6077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15056826#comment-15056826 ]

Timothy Bish commented on AMQ-6077:
-----------------------------------

The problem appears to be in the ActiveMQObjectMessage when used inside the broker for the STOMP transformations. The getObject method overrides the trusted packages in the ClassLoadingAwareObjectInputStream with its own value, which by default is empty and negates the defaults in the ClassLoadingAwareObjectInputStream.

{code}
    @Override
    public Serializable getObject() throws JMSException {
        if (object == null && getContent() != null) {
            try {
                ByteSequence content = getContent();
                InputStream is = new ByteArrayInputStream(content);
                if (isCompressed()) {
                    is = new InflaterInputStream(is);
                }
                DataInputStream dataIn = new DataInputStream(is);
                ClassLoadingAwareObjectInputStream objIn = new ClassLoadingAwareObjectInputStream(dataIn);
                objIn.setTrustedPackages(trustedPackages);  // FIXME - Inside the Broker, this ArrayList is empty.
                objIn.setTrustAllPackages(trustAllPackages);
                try {
                    object = (Serializable)objIn.readObject();
                } catch (ClassNotFoundException ce) {
                    throw JMSExceptionSupport.create("Failed to build body from content. Serializable class not available to broker. Reason: " + ce, ce);
                } finally {
                    dataIn.close();
                }
            } catch (IOException e) {
                throw JMSExceptionSupport.create("Failed to build body from bytes. Reason: " + e, e);
            }
        }
        return this.object;
    }
{code}


> Better configuration of restricted classes for clients
> ------------------------------------------------------
>
>                 Key: AMQ-6077
>                 URL: https://issues.apache.org/jira/browse/AMQ-6077
>             Project: ActiveMQ
>          Issue Type: Improvement
>    Affects Versions: 5.13.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.12.2, 5.13.1, 5.14.0
>
>
> [AMQ-6013] introduces the checks on the classes that are allowed to be serialized through ObjectMessages. The original implementation was designed to protect the broker, so system property configuration was the easiest solution.
> This change affects the clients that use the ObjectMessage.getObject() method. We need to provide a better way of configuring this for clients. My initial idea is that we should provide a configuration on ActiveMQConnectionFactory and ActiveMQComponent classes.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
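The failure mode in the comment above (a caller pushing its own, empty, trusted-package list onto the allow-listing stream and thereby discarding the stream's defaults) and the client-side configuration need raised in the issue description are both illustrated by the following stand-alone example. It is an added example written for this page, not ActiveMQ's code: `AllowListObjectInputStream`, `DEFAULT_TRUSTED`, `readObjectBuggy` and `readObjectFixed` are hypothetical names, the default package list is this example's choice rather than ActiveMQ's, and the serialized payloads are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

public class TrustedPackagesDemo {

    // Default allow list of this example (assumption; ActiveMQ's own default list is not reproduced here).
    static final List<String> DEFAULT_TRUSTED = Arrays.asList("java.lang", "java.util", "java.math");

    // Hypothetical allow-listing stream standing in for the ClassLoadingAwareObjectInputStream named
    // in the comment. The class name is checked before the class is loaded, so a denied class never resolves.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private List<String> trustedPackages = new ArrayList<>(DEFAULT_TRUSTED);
        private boolean trustAllPackages = false;

        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        void setTrustedPackages(List<String> packages) { this.trustedPackages = packages; }
        void setTrustAllPackages(boolean trustAll) { this.trustAllPackages = trustAll; }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            checkTrusted(desc.getName());
            return super.resolveClass(desc);
        }

        private void checkTrusted(String className) throws InvalidClassException {
            if (trustAllPackages) return;
            String name = className;
            if (name.startsWith("[")) {                         // array descriptor: judge the element type
                while (name.startsWith("[")) name = name.substring(1);
                if (!name.startsWith("L")) return;              // primitive array such as "[I" or "[[B"
                name = name.substring(1, name.length() - 1);    // "[Ljava.lang.String;" -> "java.lang.String"
            }
            for (String pkg : trustedPackages) {
                if (name.startsWith(pkg + ".")) return;         // exact prefix: "java.util" does not admit "java.utilx"
            }
            throw new InvalidClassException(className, "not in trusted packages " + trustedPackages);
        }
    }

    // Constructed sample input: serialize with the plain JDK stream, as a client would.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Same shape as the quoted getObject(): the caller's list is pushed onto the stream unconditionally,
    // so an empty list (the broker-side case in the comment) replaces the defaults and trusts nothing.
    static Serializable readObjectBuggy(byte[] content, List<String> callerPackages)
            throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(content))) {
            in.setTrustedPackages(callerPackages);
            in.setTrustAllPackages(false);
            return (Serializable) in.readObject();
        }
    }

    // Hardened variant chosen for this example: an unset (empty) caller list falls through to the stream's
    // defaults instead of replacing them; a non-empty list still overrides them for callers that configure one.
    static Serializable readObjectFixed(byte[] content, List<String> callerPackages)
            throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(content))) {
            if (!callerPackages.isEmpty()) in.setTrustedPackages(callerPackages);
            in.setTrustAllPackages(false);                      // never widen to "trust all" as the fix
            return (Serializable) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> payload = new HashMap<>();     // legitimate java.util payload
        payload.put("orders", 3);
        byte[] mapBytes = serialize(payload);
        byte[] fileBytes = serialize(new File("/tmp/outside-allow-list"));   // java.io: not in DEFAULT_TRUSTED
        List<String> unset = new ArrayList<>();

        try {                                                   // 1: buggy reader, empty list -> legitimate payload rejected
            System.out.println("buggy, empty list: accepted " + readObjectBuggy(mapBytes, unset));
        } catch (InvalidClassException e) {
            System.out.println("buggy, empty list: rejected (" + e.getMessage() + ")");
        }
        System.out.println("fixed, empty list: accepted " + readObjectFixed(mapBytes, unset));   // 2: defaults apply
        try {                                                   // 3: a class outside the list is still rejected
            System.out.println("fixed, java.io.File: accepted " + readObjectFixed(fileBytes, unset));
        } catch (InvalidClassException e) {
            System.out.println("fixed, java.io.File: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac TrustedPackagesDemo.java && java TrustedPackagesDemo`. Case 1 reproduces the symptom in the comment (the HashMap is rejected although it is in the default list), case 2 shows the defaults surviving an unset caller list, and case 3 confirms the allow list still blocks a class it was never told about. The check is applied in `resolveClass`, before the class is loaded, which is the right place for a deserialization allow list; widening it with `trustAllPackages` is the one setting a practitioner should not reach for to make case 1 pass.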
