gemmellr commented on code in PR #5307: URL: https://github.com/apache/activemq-artemis/pull/5307#discussion_r1812237786
########## docs/user-manual/security.adoc: ########## @@ -1431,6 +1431,16 @@ comma separated values for allow list These properties, once specified, are eventually set on the corresponding internal factories. +=== Filtering using built-in JVM support + +Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11, built-in Java serialization filtering mechanisms can be utilized. +Instead of providing an `allow list` or `deny list`, you can specify either a `serialFilter` or `serialFilterClassName`. + +* `serialFilter` - A pattern based filter that allows you to define allow/deny lists and constraints limiting graph complexity and size. https://docs.oracle.com/en/java/javase/17/core/serialization-filtering1.html#JSCOR-GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66[Filter Syntax] +* `serialFilterClassName` - For those who need a custom filtering solution, you can supply an implementation of https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/io/ObjectInputFilter.html[ObjectInputFilter] Review Comment: Regardless how quickly we were to remove the old one, both will be there until then and so what it does or allows / not should be clear and documented. Its not even clear currently what would happen between the 2 new options, or their system properties, let alone once you consider any mix with the older existing stuff. Even if we deprecate the old, I dont see us removing the old bits particularly quickly (or ever for 2.x) given it is all anyone has ever used, and in many cases will likely continue to use right up until it goes away. We also just deprecated the original names to replace with allow/deny, so would seems especially unfair to then quickly _require_ another update for the same functionality for anyone that did already adapt to that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For additional commands, e-mail: gitbox-h...@activemq.apache.org For further information, visit: https://activemq.apache.org/contact
