This is an automated email from the ASF dual-hosted git repository.
oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 98c1be9c489d chore(docs): sync 4.18 and 4.14 upgrade guides with
backported entries (#22969)
98c1be9c489d is described below
commit 98c1be9c489df6dd575215718e9ebc9cfbd07e1c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Wed May 6 09:22:15 2026 +0200
chore(docs): sync 4.18 and 4.14 upgrade guides with backported entries
(#22969)
The camel-4x-upgrade-guide-4_18.adoc and camel-4x-upgrade-guide-4_14.adoc
files on main had drifted out of sync with their counterparts on the
camel-4.18.x and camel-4.14.x branches: backport PRs for CAMEL-23373
(camel-jms - Disable ObjectMessage by default) and CAMEL-23414
(camel-hazelcast - Allow customization of SerializationConfig on managed
Hazelcast instances) updated only the maintenance branches.
Add the missing camel-jms and camel-hazelcast entries to both guides on
main, mirroring the prose already present on the 4.18.x and 4.14.x
branches. Existing camel-core entries are preserved. Section titles on
main are kept as-is; only fixed the typo "4.18.8" -> "4.14.8" in the
4.14 guide.
camel-sjms / camel-sjms2 (CAMEL-23409) is intentionally not included
yet: the 4.18.x backport (#22968) is still open, and this PR will be
followed up once that lands.
Signed-off-by: Andrea Cosentino <[email protected]>
---
.../ROOT/pages/camel-4x-upgrade-guide-4_14.adoc | 56 +++++++++++++++++++++-
.../ROOT/pages/camel-4x-upgrade-guide-4_18.adoc | 54 +++++++++++++++++++++
2 files changed, 109 insertions(+), 1 deletion(-)
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
index 8da91c32dcf7..09654549927d 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
@@ -11,12 +11,66 @@ Note that manual migration is still required.
See the xref:camel-upgrade-recipes-tool.adoc[documentation] page for details.
====
-== Upgrading from 4.14.3 to 4.18.8
+== Upgrading from 4.14.3 to 4.14.8
=== camel-core
The `org.apache.camel.support.DefaultHeaderFilterStrategy` changed default
setting for lowercase from `false` to `true`.
+=== camel-jms
+
+JMS `ObjectMessage` support is now disabled by default. Java object
serialization is a recurring source
+of security issues, and Camel JMS routes rarely use `ObjectMessage` in
practice. The component will now
+refuse to create or read `jakarta.jms.ObjectMessage` instances unless the new
`objectMessageEnabled`
+option is explicitly set to `true`.
+
+This affects the following endpoint/component options that rely on
`ObjectMessage` internally:
+
+* `jmsMessageType=Object` (or sending a `Serializable` body that is
auto-detected as `Object`)
+* `transferExchange=true`
+* `transferException=true`
+* receiving a JMS `ObjectMessage` produced by an external sender
+
+To restore the previous behavior, enable the option at the component or
endpoint level:
+
+[source,properties]
+----
+camel.component.jms.objectMessageEnabled=true
+----
+
+Or, on a single endpoint:
+
+[source,text]
+----
+jms:queue:foo?objectMessageEnabled=true
+----
+
+=== camel-hazelcast
+
+Hazelcast instances created and managed by Camel (when no user-supplied
+`Config` or `HazelcastInstance` is provided) now apply a default
+`JavaSerializationFilterConfig` on the `SerializationConfig` of the
+`Config` built by Camel. The default whitelists the class name prefixes
+`java.`, `javax.`, `org.apache.camel.` and blacklists `java.net.`.
+
+This affects:
+
+* `camel-hazelcast` component endpoints when neither `hazelcastInstance`,
+`hazelcastConfigUri`, nor a referenced `Config` is supplied
+* `HazelcastAggregationRepository` and `HazelcastIdempotentRepository`
+when no `hazelcastInstance` is supplied
+* `HazelcastUtil#newInstance()` (no-arg)
+
+A user-supplied `JavaSerializationFilterConfig` (set on the
+`SerializationConfig` of a `Config` provided via `hazelcastConfigUri`, a
+referenced `Config` bean, or already wired into a pre-built
+`HazelcastInstance`) is respected and is not overwritten.
+
+Applications that store classes outside the default whitelist on a
+Hazelcast topic, queue, map, list, set, or in one of the repositories
+above must provide their own `Config` with a
+`JavaSerializationFilterConfig` configured for their class names.
+
== Upgrading from 4.14.2 to 4.14.3
=== camel-tika
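Review bot: In the camel-hazelcast section, the paragraph on a user-supplied `JavaSerializationFilterConfig` says it "is respected and is not overwritten" but does not cover a user-supplied `Config` or `HazelcastInstance` that carries no filter at all. The first paragraph limits the default to instances created and managed by Camel, so the closing advice to "provide their own `Config`" reads as though a user who does so without setting a filter gets no class filtering. Suggest stating that case explicitly and telling users to carry over the default prefixes (`java.`, `javax.`, `org.apache.camel.`, with `java.net.` blacklisted) next to their own class names. A short source snippet for the custom `Config` would also match the camel-jms section, which shows both ways of setting its option.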
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
index d08aaf07f892..f503a01901c3 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
@@ -17,6 +17,60 @@ See the xref:camel-upgrade-recipes-tool.adoc[documentation]
page for details.
The `org.apache.camel.support.DefaultHeaderFilterStrategy` changed default
setting for lowercase from `false` to `true`.
+=== camel-jms
+
+JMS `ObjectMessage` support is now disabled by default. Java object
serialization is a recurring source
+of security issues, and Camel JMS routes rarely use `ObjectMessage` in
practice. The component will now
+refuse to create or read `jakarta.jms.ObjectMessage` instances unless the new
`objectMessageEnabled`
+option is explicitly set to `true`.
+
+This affects the following endpoint/component options that rely on
`ObjectMessage` internally:
+
+* `jmsMessageType=Object` (or sending a `Serializable` body that is
auto-detected as `Object`)
+* `transferExchange=true`
+* `transferException=true`
+* receiving a JMS `ObjectMessage` produced by an external sender
+
+To restore the previous behavior, enable the option at the component or
endpoint level:
+
+[source,properties]
+----
+camel.component.jms.objectMessageEnabled=true
+----
+
+Or, on a single endpoint:
+
+[source,text]
+----
+jms:queue:foo?objectMessageEnabled=true
+----
+
+=== camel-hazelcast
+
+Hazelcast instances created and managed by Camel (when no user-supplied
+`Config` or `HazelcastInstance` is provided) now apply a default
+`JavaSerializationFilterConfig` on the `SerializationConfig` of the
+`Config` built by Camel. The default whitelists the class name prefixes
+`java.`, `javax.`, `org.apache.camel.` and blacklists `java.net.`.
+
+This affects:
+
+* `camel-hazelcast` component endpoints when neither `hazelcastInstance`,
+`hazelcastConfigUri`, nor a referenced `Config` is supplied
+* `HazelcastAggregationRepository` and `HazelcastIdempotentRepository`
+when no `hazelcastInstance` is supplied
+* `HazelcastUtil#newInstance()` (no-arg)
+
+A user-supplied `JavaSerializationFilterConfig` (set on the
+`SerializationConfig` of a `Config` provided via `hazelcastConfigUri`, a
+referenced `Config` bean, or already wired into a pre-built
+`HazelcastInstance`) is respected and is not overwritten.
+
+Applications that store classes outside the default whitelist on a
+Hazelcast topic, queue, map, list, set, or in one of the repositories
+above must provide their own `Config` with a
+`JavaSerializationFilterConfig` configured for their class names.
+
== Upgrading from 4.18.0 to 4.18.1
=== camel-bom
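Review bot: The camel-jms "To restore the previous behavior" paragraph gives the component-wide `camel.component.jms.objectMessageEnabled=true` first and without qualification, although the list just above it includes "receiving a JMS `ObjectMessage` produced by an external sender". Suggest putting the single-endpoint form `jms:queue:foo?objectMessageEnabled=true` first and adding a sentence that the option should be enabled only on endpoints whose senders are trusted, since the section itself cites Java object serialization as a recurring source of security issues. The same wording appears in the 4.14 guide.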