This is an automated email from the ASF dual-hosted git repository. reta pushed a commit to branch 4.0.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 5a7a78aaa7bd6118be995aba27fa1bbf37d4e520
Author: Richard Opálka <[email protected]>
AuthorDate: Fri Aug 22 15:22:09 2025 +0200
 [CXF-9160] Make JMS allowed JNDI protocols whitelist configurable
 (cherry picked from commit 7393edb431b1368f2060d287dfbf0d6d05f47b6a)
---
 .../apache/cxf/transport/jms/util/JndiHelper.java | 36 ++++++++++++++++++++--
 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 81ff0f6a57..ef98b6b3e5 100644
--- a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++ b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -18,21 +18,50 @@
 */
 package org.apache.cxf.transport.jms.util;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
+import java.util.function.Predicate;
 import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.NameNotFoundException;
 import javax.naming.NamingException;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
+
 public class JndiHelper {
- private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList(
- "vm://", "tcp://", "nio://", "ssl://", "http://", "https://", "ws://", "wss://");
+ /**
+ * JVM/System property name holding allowed jms protocols.
+ */
+ private static final String CONFIGURED_JMS_PROTOCOLS = "jms.protocols";
+ /**
+ * Constant holding default allowed jms protocols.
+ */
+ private static final String DEFAULT_JMS_PROTOCOLS = "vm,tcp,nio,ssl,http,https,ws,wss";
+ private static final List<String> ALLOWED_PROTOCOLS;
 private Properties environment;
+ static {
+ final String jmsProtocols = SystemPropertyAction.getProperty(CONFIGURED_JMS_PROTOCOLS, DEFAULT_JMS_PROTOCOLS);
+ if (StringUtils.isEmpty(jmsProtocols)) {
+ ALLOWED_PROTOCOLS = Collections.emptyList();
+ } else {
+ final List<String> allowedProtocols = new ArrayList<>();
+ Arrays
+ .stream(jmsProtocols.split(","))
+ .map(String::trim)
+ .filter(Predicate.not(String::isEmpty))
+ .map(s -> s + "://")
+ .forEach(allowedProtocols::add);
+ ALLOWED_PROTOCOLS = Collections.unmodifiableList(allowedProtocols);
+ }
+ }
+
 /**
 * Create a new JndiTemplate instance, using the given environment.
 */
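Review bot: The Javadoc on `CONFIGURED_JMS_PROTOCOLS` should state that `jms.protocols` relaxes the check guarding `Context.PROVIDER_URL`, because every scheme an operator lists gets `://` appended in the static initializer and is then accepted with no further validation. I would expand it along the lines of `Comma-separated schemes accepted for the JNDI provider URL; read once at class load. Listing ldap, rmi or iiop presumably re-enables the remote lookups the default list is meant to block.` The property name is also unqualified, so a CXF-specific prefix would avoid collisions with other libraries in the same JVM. Because the value is fixed once in the static block, logging the effective list when it differs from `DEFAULT_JMS_PROTOCOLS` would make a widened allow-list visible at startup.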
@@ -41,7 +70,8 @@ public class JndiHelper {
 // Avoid unsafe protocols if they are somehow misconfigured
 String providerUrl = environment.getProperty(Context.PROVIDER_URL);
- if (providerUrl != null && !ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
+ if (providerUrl != null && !providerUrl.isEmpty()
+ && !ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
 throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
 }
 }
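Review bot: The new `!providerUrl.isEmpty()` term lets an empty `Context.PROVIDER_URL` skip the allow-list entirely, and nothing in the hunk records why that is safe; a comment such as `// an empty provider URL is treated as unset: there is no scheme to validate` would make the exemption deliberate. A whitespace-only value still reaches the `startsWith` test and is rejected, which is the stricter outcome, so `isBlank()` should not be substituted here. The match is a case-sensitive prefix test on the raw string, so it fails closed for an upper-case scheme. As a style point, `ALLOWED_PROTOCOLS.stream().noneMatch(providerUrl::startsWith)` reads more directly than the negated `anyMatch`. The enclosing constructor starts above the hunk.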
