Author: buildbot
Date: Mon Nov 7 16:22:45 2016
New Revision: 1000678
Log:
Production update by buildbot for activemq
Modified:
websites/production/activemq/content/cache/main.pageCache
websites/production/activemq/content/objectmessage.html
Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/activemq/content/objectmessage.html
==============================================================================
--- websites/production/activemq/content/objectmessage.html (original)
+++ websites/production/activemq/content/objectmessage.html Mon Nov 7 16:22:45
2016
@@ -82,7 +82,7 @@
<tr>
<td valign="top" width="100%">
<div class="wiki-content maincontent"><p>Although ObjectMessage usage is
generally discouraged, as it introduces coupling of class paths between
producers and consumers, ActiveMQ supports them as part of the JMS
specification.</p><h2 id="ObjectMessage-Security">Security</h2><p>ObjectMessage
objects depend on Java serialization of marshal/unmarshal object payload. This
process is generally considered unsafe as malicious payload can exploit the
host system. That's why starting with versions <strong>5.12.2</strong>
and <strong>5.13.0</strong>, ActiveMQ enforces users to explicitly
whitelist packages that can be exchanged using ObjectMessages.</p><p>If you
need to exchange object messages, you need to add packages your applications
are using. You can do that with by
using <code>org.apache.activemq.SERIALIZABLE_PACKAGES</code> system
property, interpreted by the broker and the activemq client library. You can
add this system property to <code>ACTIVEMQ_OPTS</code> variable
in <code>${ACTIVEMQ_HOME}/bin/env</code> script.</p><p>For example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp</pre>
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp</pre>
</div></div><p>will add <code>com.mycompany.myapp</code> package to the list
of trusted packages. Note that other packages listed here are enabled by
default as they are necessary for the regular broker work. In case you want to
shortcut this mechanism, you can allow all packages to be trusted by using
<code>*</code> wildcard, like</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=*</pre>
</div></div><h3 id="ObjectMessage-Clients">Clients</h3><p>On the client side,
you need to have this same mechanism as malicious code can be deserialized on
<code>ObjectMessage.getObject()</code> call, compromising your application's
environment. You can use the same configuration mechanism on the broker and
configure trusted classes using system properties. However, this is usually not
convenient in the client applications, so in <strong>5.12.2</strong>
and <strong>5.13.1</strong> we introduced additional configuration
mechanism using <code>ActiveMQConnectionFactory</code>. There are two
additional methods defined:</p><ul><li>The <code>setTrustedPackages()</code>
method allows you to set the list of trusted packages you want to be to
unserialize, like</li></ul><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
