Thanks Claus, here's some more docs for it
http://activemq.apache.org/objectmessage.html#ObjectMessage-Clients

I'll create a proper PR once we have 5.13.1

Regards
--
Dejan Bosanac
about.me/dejanb

On Wed, Dec 16, 2015 at 4:24 PM, Claus Ibsen <[email protected]> wrote:
> Thanks Dejan
>
> I logged a ticket at Camel with your instructions
> https://issues.apache.org/jira/browse/CAMEL-9429
>
> On Mon, Dec 14, 2015 at 2:15 PM, Dejan Bosanac <[email protected]> wrote:
>> Hi Claus,
>>
>> I implemented a fix for this in https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look and see if anything else is missing, it would be greatly appreciated.
>>
>> Here are the proposed changes to the Camel once we have 5.13.1 release
>> https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4
>>
>> BTW. We should change version of the current master to 5.14-SNAPSHOT now that 5.13.0 is out.
>>
>> Regards
>>
>> On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <[email protected]> wrote:
>>>
>>>> On Dec 7, 2015, at 8:16 AM, Claus Ibsen <[email protected]> wrote:
>>>>
>>>> Also if the java class name is in a JMS header (I think there is a standard for that, JMSType is it not?) maybe the client/server can use that out of the box to know at least packages from that class is okay to use.
>>>
>>> Doesn't that defeat the purpose though? I could craft a message that contains "MyBadClass" and add that JMS header to say MyBadClass should be allowed. MyBadClass is loaded and security problem. It really needs to be something configured, not something part of the message.
>>>
>>> Dan
>>>
>>>> On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
>>>>> Hi
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Yeah this must be easier from client pov. Having to set a JVM system property is sometimes hard for people, eg they deploy to an existing running app server which they cannot restart.
>>>>>
>>>>> And then they need to add some code hack to set the system property from their java app before AMQ bootstrap.
>>>>>
>>>>> Looking forward to a 5.13.1 release. Hopefully with a nice and easy way for clients, and a speedy release so users can upgrade more easily.
>>>>>
>>>>> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
>>>>>> Hi Claus,
>>>>>>
>>>>>> here's the test fix for the current implementation
>>>>>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
>>>>>>
>>>>>> The thing is that the same security issues can occur in the client applications, when folks call getObject() method, so I think it's the right approach for people to whitelist only the packages they trust.
>>>>>>
>>>>>> I agree that we can improve user experience by making it easier to configure all this in the client apps. I think it might be good to allow easy configuration on the connection factory and using connection urls. I'll raise a new Jira for that and we can deliver this in 5.13.1. If you have any more concerns and ideas on how to improve this, please let me know.
>>>>>>
>>>>>> I'll go ahead next and create more docs around this.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
>>>>>>> I'll give it a try now. Thanks!
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
>>>>>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You can try yourself by changing the activemq-version in the parent/pom.xml.
>>>>>>>>
>>>>>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
>>>>>>>>> Hi Claus,
>>>>>>>>>
>>>>>>>>> restrictions were necessary for the CVE that was reported. We're about to disclose it fully now after the release.
>>>>>>>>>
>>>>>>>>> AFAIK the change should not affect ObjectMessages in general, just the cases where those objects are serialized/unserialized inside of the broker, like web console or stomp transformations. I'll create proper docs for the change now and the security aspect of it and we can see later what else we can do to improve the user experience.
>>>>>>>>>
>>>>>>>>> Are there any Camel related tests that fail due to this change? I can take a look at that as well.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
>>>>>>>>>> I really think you guys should add something about those object serialization restrictions. Any end users that use java objects over JMS are affected. Nothing works anymore.
>>>>>>>>>>
>>>>>>>>>> It's because of
>>>>>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
>>>>>>>>>>
>>>>>>>>>> So there should be some text in the release notes, and ideally AMQ broker / client should have some kind of INFO logging that openwire with objects is restricted or not. Otherwise it's even harder for end users to spot what is going on.
>>>>>>>>>>
>>>>>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
>>>>>>>>>>> It's probably a good idea to add a new page in the "New Features" section on the site to cover the additions in 5.13.0. I know you added the 'auto' transport along with some other work for some additional metrics etc, all good things that would be nice to advertise a bit.
>>>>>>>>>>>
>>>>>>>>>>> See: http://activemq.apache.org/new-features.html
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
>>>>>>>>>>>> Hi everyone,
>>>>>>>>>>>>
>>>>>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
>>>>>>>>>>>>
>>>>>>>>>>>> This release contains a number of resolved issues and new features since the 5.12.1 release.
>>>>>>>>>>>>
>>>>>>>>>>>> A list of issues resolved in this release is available here:
>>>>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
>>>>>>>>>>>>
>>>>>>>>>>>> The Wiki page for the release is here:
>>>>>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
>>>>>>>>>>>>
>>>>>>>>>>>> API documentation for 5.12.1 is located here:
>>>>>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Tim Bish
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Claus Ibsen
>>>>>>>>>> -----------------
>>>>>>>>>> http://davsclaus.com @davsclaus
>>>>>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
>>>
>>> --
>>> Daniel Kulp
>>> [email protected] - http://dankulp.com/blog
>>> Talend Community Coder - http://coders.talend.com
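The allow-list approach the thread settles on (packages configured on the receiving side, never taken from the message itself, as Dan's reply argues) in working form, as an added example that is not ActiveMQ's, Camel's or any poster's code: a plain ObjectInputStream that refuses to resolve any class whose package is outside a configured list, so a crafted payload is rejected before its class is loaded. The package `com.example.demo`, the `Order` payload type and the allow-list contents are hypothetical; the ObjectMessage documentation linked at the top of the thread covers the client-side configuration in ActiveMQ itself.

```java
package com.example.demo;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (not ActiveMQ/Camel code): deserialization gated by a configured package allow-list. */
public final class TrustedDeserializationExample {

    /** A payload type the receiving application knows and trusts (hypothetical). */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final List<String> items = new ArrayList<>();
        Order(String id, String... items) {
            this.id = id;
            this.items.addAll(Arrays.asList(items));
        }
    }

    static final class TrustedPackagesObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        TrustedPackagesObjectInputStream(byte[] payload, List<String> trustedPackages) throws IOException {
            super(new ByteArrayInputStream(payload));
            // Defensive copy of the configured list; it is never read from the message.
            this.trustedPackages = new ArrayList<>(trustedPackages);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String pkg = packageOf(desc.getName());
            // Reject before the class is loaded, so neither static initialisers nor
            // readObject() of an untrusted class ever run.
            if (pkg != null && !isTrusted(pkg)) {
                throw new InvalidClassException(desc.getName(), "package not in the trusted packages list");
            }
            return super.resolveClass(desc);
        }

        private boolean isTrusted(String pkg) {
            for (String trusted : trustedPackages) {
                if (pkg.equals(trusted) || pkg.startsWith(trusted + ".")) {
                    return true;
                }
            }
            return false;
        }

        /** Package of a stream class name; null for primitive arrays such as "[I". */
        static String packageOf(String className) {
            String name = className;
            boolean array = false;
            while (name.startsWith("[")) {            // strip array dimensions
                name = name.substring(1);
                array = true;
            }
            if (array) {
                if (!name.startsWith("L")) {
                    return null;                      // primitive element type, nothing to load
                }
                name = name.substring(1, name.length() - 1); // "Lcom.example.Foo;" -> "com.example.Foo"
            }
            int dot = name.lastIndexOf('.');
            return dot < 0 ? "" : name.substring(0, dot);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** Deserializes a payload under the given allow-list; throws InvalidClassException otherwise. */
    static Object readTrusted(byte[] payload, List<String> trustedPackages)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new TrustedPackagesObjectInputStream(payload, trustedPackages)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Configured on the receiving side (properties file, connection settings), never from the message.
        List<String> trusted = Arrays.asList("java.lang", "java.util", "com.example.demo");

        Order order = (Order) readTrusted(serialize(new Order("A-1", "widget", "gadget")), trusted);
        System.out.println("accepted: " + order.id + " " + order.items);

        // java.io.File is Serializable, but java.io is not on the list, so the payload is refused
        // before java.io.File is resolved, whatever a JMS header might claim about it.
        try {
            readTrusted(serialize(new java.io.File("/tmp/example")), trusted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`java.lang` and `java.util` are on the list only so that the String and ArrayList fields of the trusted payload resolve; every entry widens what an attacker-controlled payload may instantiate, so keep the list to the packages the application actually expects to receive, and log rejections so the symptom Claus describes ("nothing works anymore") is visible rather than silent.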
