[ https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15004213#comment-15004213 ]

David Jencks commented on AMQ-6013:
-----------------------------------

I'd expect you'd want to check if the class is allowed based on its name before
loading it in case it has static initialization code that does something
unwanted.

Loading the allowed packages list only once might be considerably more
efficient.

> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
> Key: AMQ-6013
> URL: https://issues.apache.org/jira/browse/AMQ-6013
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.12.0
> Reporter: Dejan Bosanac
> Assignee: Dejan Bosanac
> Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can
> be serialized in this way.
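
The check suggested in the comment above, as an added example (not part of the original message and not ActiveMQ's code): an `ObjectInputStream` subclass that tests the class name from the stream descriptor against an allow-list before any class is resolved, with the list built once. The class name `AllowListObjectInputStream`, the prefix list and the sample objects are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class AllowListObjectInputStream extends ObjectInputStream {
    // Hypothetical allow-list of package prefixes, built once and shared by all streams.
    private static final List<String> ALLOWED_PREFIXES =
            Collections.unmodifiableList(Arrays.asList("java.lang.", "java.util."));

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    static boolean isAllowed(String className) {
        String name = className;
        if (name.startsWith("[")) {
            // Array descriptor: "[I" is a primitive array, "[Ljava.lang.String;" an object array.
            name = name.substring(name.lastIndexOf('[') + 1);
            if (name.length() == 1) return true;
            name = name.substring(1, name.length() - 1);
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (name.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // The name comes from the stream itself, so nothing has been loaded for it yet.
        String name = desc.getName();
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "class not in allow-list");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: ArrayList is on the list, java.io.File is not.
        Object[] samples = { new ArrayList<String>(Arrays.asList("a", "b")), new File("x") };
        for (Object sample : samples) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(sample); }
            try (ObjectInputStream in = new AllowListObjectInputStream(
                    new ByteArrayInputStream(buf.toByteArray()))) {
                System.out.println("accepted: " + in.readObject());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```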