activemq-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marco de Abreu (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AMQ-6312) ObjectMessage's setTrustedPackages can only be applied via system property in resource adappter setting
Date Sun, 17 Jul 2016 00:48:20 GMT

    [ https://issues.apache.org/jira/browse/AMQ-6312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15381007#comment-15381007
] 

Marco de Abreu edited comment on AMQ-6312 at 7/17/16 12:48 AM:
---------------------------------------------------------------

You're able to use the following code in your onMessage as a *workaround* until this feature
is implemented:

{code}
	private void addTrustedPackages(Message jmsMessage) throws IllegalAccessException {
		final List<String> defaultTrustedPackages = (List<String>) FieldUtils.readField(jmsMessage,
"trustedPackages", true);
		
		ArrayList<String> newTrustedPackages = new ArrayList<>(defaultTrustedPackages);
		newTrustedPackages.addAll(TRUSTED_PACKAGES);
		
		FieldUtils.writeField(jmsMessage, "trustedPackages", newTrustedPackages, true);
	}
{code}

This code takes advantage of the fact that the trusted packages are stored in the _ActiveMQObjectMessage_.
An alternative would be to modify _ClassLoadingAwareObjectInputStream.trustedPackages_ but
this could result in reduced security for your whole application so rather stick to the first
method.



was (Author: marco de abreu):
You're able to use the following code in your onMessage as a *workaround* until this feature
is implemented:

{quote}
	private void addTrustedPackages(Message jmsMessage) throws IllegalAccessException {
		final List<String> defaultTrustedPackages = (List<String>) FieldUtils.readField(jmsMessage,
"trustedPackages", true);
		
		ArrayList<String> newTrustedPackages = new ArrayList<>(defaultTrustedPackages);
		newTrustedPackages.addAll(TRUSTED_PACKAGES);
		
		FieldUtils.writeField(jmsMessage, "trustedPackages", newTrustedPackages, true);
	}
{quote}

This code takes advantage of the fact that the trusted packages are stored in the _ActiveMQObjectMessage_.
An alternative would be to modify _ClassLoadingAwareObjectInputStream.trustedPackages_ but
this could result in reduced security for your whole application so rather stick to the first
method.


> ObjectMessage's setTrustedPackages can only be applied via system property in resource
adappter setting
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6312
>                 URL: https://issues.apache.org/jira/browse/AMQ-6312
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.13.3
>            Reporter: Patrik Dudits
>
> We're using ActiveMQ via resource adapter, and with upgrading post 5.12.0 we want to
handle the trusted packages configuration via resource adapter rather than via system properties.
> This approach is not supported at all, because:
> # {{ActiveMQResourceAdapter}} does not expose {{setTrustedPackages}}
> # {{ActiveMQManagedConnectionFactory}} does not expose {{setTrustedPackages}}
> # Neither {{ServerSessionImpl}}, {{ActiveMQSession}} or {{MessageEndpointProxy}} set
trusted packages on received {{ActiveMQObjectMessage}}
> The first two could be solved by adding the support into {{ActiveMQConnectionSupport}}
by adding a property and applying trustedPackages in {{createConnectionFactory(ActiveMQConnectionRequestInfo,
MessageActiveationSpec}}.
> However, for the third one I'm not sure on which level the change should be applied -
either session should be enforcing connection's trusted packages, or {{ServerSessionImpl}}
could do it in its {{beforeDelivery}} method. But I cannot think of use case where session
should not be handling this in first place. 
> Alternatively, {{ActiveMQObjectMessage}} could get the trusted packages list from its
connection, which guarantees that deserialization rules of the connection are always applied,
not only when {{ActiveMQConnectionConsumer}} is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message