Although ObjectMessage usage is generally discouraged, as it couples the class paths of producers and consumers, ActiveMQ supports it as part of the JMS specification.

Security

ObjectMessage objects rely on Java serialization to marshal and unmarshal the object payload. This process is generally considered unsafe, as a malicious payload can exploit the host system. That is why, starting with version 5.13.0, ActiveMQ requires users to explicitly whitelist the packages that can be exchanged using ObjectMessages. If you need to exchange object messages, you need to add the packages your applications are using. You can do that by setting the org.apache.activemq.SERIALIZABLE_PACKAGES system property of the broker. You can add this system property to the ACTIVEMQ_OPTS variable in the ${ACTIVEMQ_HOME}/bin/env script. For example:
    -Dorg.apache.activemq.SERIALIZABLE_PACKAGES="java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp"
will add the com.mycompany.myapp package to the list of trusted packages. Note that the other packages listed here are enabled by default, as they are necessary for regular broker operation. If you want to bypass this mechanism, you can trust all packages by using the * wildcard, like
    -Dorg.apache.activemq.SERIALIZABLE_PACKAGES="*"
Clients

On the client side, you need the same mechanism, as malicious code can be deserialized on the ObjectMessage.getObject() call, compromising your application's environment. At this point the configuration mechanism is the same as on the broker, so you will need to set the appropriate system properties. There is ongoing work in AMQ-6077 (ASF JIRA) to improve this and make it configurable using the ActiveMQConnectionFactory and Camel ActiveMQComponent objects. This will be documented in this area when finished.
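The package check that both the broker and the client apply to ObjectMessage payloads, as an added example that is not ActiveMQ's own code: a plain-Java ObjectInputStream with the same whitelist semantics as the property described above (a comma-separated package list, with * trusting everything). The class name, the package-prefix matching rule and the constructed ArrayList payload are this example's own assumptions.

```java
import java.io.*;
import java.util.*;
// Added illustration, not ActiveMQ's own ClassLoadingAwareObjectInputStream:
// an ObjectInputStream that refuses to resolve any class whose package is not
// in the org.apache.activemq.SERIALIZABLE_PACKAGES list ("*" trusts everything).
public class TrustedPackagesObjectInputStream extends ObjectInputStream {
    private final List<String> trustedPackages;

    public TrustedPackagesObjectInputStream(InputStream in, String packageList) throws IOException {
        super(in);
        this.trustedPackages = Arrays.asList(packageList.split(","));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isTrusted(name)) {
            // Reject before the class is loaded, so neither its static initialiser
            // nor its readObject() ever runs for an untrusted type.
            throw new InvalidClassException(name, "package is not in the trusted list");
        }
        return super.resolveClass(desc);
    }
    // Package-prefix match (an assumption of this example), so "java.util"
    // also covers java.util.concurrent; "*" disables the check entirely.
    boolean isTrusted(String className) {
        for (String pkg : trustedPackages) {
            pkg = pkg.trim();
            if (pkg.equals("*") || className.startsWith(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: a java.util.ArrayList holding one String.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new ArrayList<>(Collections.singletonList("hello")));
        }
        // The same lists one would pass with -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=...
        for (String list : new String[] {"java.lang,java.util", "com.mycompany.myapp", "*"}) {
            try (ObjectInputStream in = new TrustedPackagesObjectInputStream(
                    new ByteArrayInputStream(bytes.toByteArray()), list)) {
                System.out.println("\"" + list + "\" -> accepted " + in.readObject());
            } catch (InvalidClassException e) {
                System.out.println("\"" + list + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The second list rejects java.util.ArrayList before it is loaded, which is the point of the whitelist: an untrusted class's readObject() never executes.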