gemmellr commented on code in PR #5307: URL: https://github.com/apache/activemq-artemis/pull/5307#discussion_r1811050911
########## docs/user-manual/security.adoc: ########## @@ -1431,6 +1431,16 @@ comma separated values for allow list These properties, once specified, are eventually set on the corresponding internal factories. +=== Filtering using built-in JVM support + +Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11, built-in Java serialization filtering mechanisms can be utilized. +Instead of providing an `allow list` or `deny list`, you can specify either a `serialFilter` or `serialFilterClassName`. Review Comment: I don't really see a need to include 'Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11'. It conveys nothing particularly useful or necessary about the functionality. It's also just going to go stale. Simply stating that you can pass a filter string / class name to leverage the built in ObjectInputFilter support is all that's needed. ########## docs/user-manual/security.adoc: ########## 
@@ -1431,6 +1431,16 @@ comma separated values for allow list These properties, once specified, are eventually set on the corresponding internal factories. +=== Filtering using built-in JVM support + +Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11, built-in Java serialization filtering mechanisms can be utilized. +Instead of providing an `allow list` or `deny list`, you can specify either a `serialFilter` or `serialFilterClassName`. + +* `serialFilter` - A pattern based filter that allows you to define allow/deny lists and constraints limiting graph complexity and size. https://docs.oracle.com/en/java/javase/17/core/serialization-filtering1.html#JSCOR-GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66[Filter Syntax] +* `serialFilterClassName` - For those who need a custom filtering solution, you can supply an implementation of https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/io/ObjectInputFilter.html[ObjectInputFilter] Review Comment: Including any details around the impact (e.g. precedence) if more than one of the now-several options is specified would also be good. Or else saying, and enforcing, that you can't specify the different approaches at the same time. ########## docs/user-manual/security.adoc: ########## 
@@ -1431,6 +1431,16 @@ comma separated values for allow list These properties, once specified, are eventually set on the corresponding internal factories. +=== Filtering using built-in JVM support + +Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11, built-in Java serialization filtering mechanisms can be utilized. +Instead of providing an `allow list` or `deny list`, you can specify either a `serialFilter` or `serialFilterClassName`. + +* `serialFilter` - A pattern based filter that allows you to define allow/deny lists and constraints limiting graph complexity and size. https://docs.oracle.com/en/java/javase/17/core/serialization-filtering1.html#JSCOR-GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66[Filter Syntax] Review Comment: Just as Justin didn't really like "serialFilter" originally on the earlier PR (#4368), I still can't say I am a fan of it. The more fully elaborated deserializationFilter name would seem more obvious to me. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
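Review bot: The `serialFilterClassName` bullet says to supply an implementation of `ObjectInputFilter` but does not say what the property value must be or how the class is created; state that it takes a fully qualified class name and document what is required of that class (constructor, availability on the classpath) and what happens if it cannot be loaded. The two links in the bullets also point at Java 17 documentation while the paragraph above them names a minimum JVM of 11, so a reader on 11 cannot tell whether everything described there applies; link version-appropriate docs or say which version the references describe. A short sample `serialFilter` value in the first bullet would also make the allow/deny and limit syntax concrete without sending readers to the external page.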