[https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15004318#comment-15004318]
Dejan Bosanac commented on AMQ-6013:
------------------------------------
Hi David,
yes, it makes sense to check security only on the class name without loading
it. Thanks for that, I'll fix it on Monday. I'll need to check how XStream is
doing it and if this problem exists there as well.
As for loading the list only once, it's done by the second commit so that
should be in there already. Let me know if you thought of something else, or I
missed something.
> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
> Key: AMQ-6013
> URL: https://issues.apache.org/jira/browse/AMQ-6013
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.12.0
> Reporter: Dejan Bosanac
> Assignee: Dejan Bosanac
> Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can
> be serialized in this way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
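The approach discussed above, deciding on the class name before the class is ever loaded, as an added illustration that is not ActiveMQ's own code; the class name, the package allow-list and the handling of array descriptors are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.List;

// Added illustration, not ActiveMQ's own code: an ObjectInputStream that decides from
// the class name in the stream descriptor, before any class is loaded, whether to go on.
// A rejected name never reaches Class.forName, so the check itself has no side effects.
public class TrustedObjectInputStream extends ObjectInputStream {
    // Hypothetical allow-list of package prefixes; a broker would take it from
    // configuration (and would normally include java.lang and java.util).
    private final List<String> trustedPackages;

    public TrustedObjectInputStream(InputStream in, List<String> trusted) throws IOException {
        super(in);
        this.trustedPackages = trusted;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isTrusted(name)) {
            throw new InvalidClassException(name, "class not in trusted packages");
        }
        return super.resolveClass(desc); // only names that passed the check are loaded
    }

    // Pure string check, no class loading. Array descriptors are unwrapped
    // ("[[Lcom.x.Foo;" -> "com.x.Foo", "[I" -> primitive element) so an untrusted
    // element type inside an array descriptor is rejected as well.
    boolean isTrusted(String name) {
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (name.length() == 1) {
            return true; // primitive array element such as I, J or Z
        }
        if (name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        for (String pkg : trustedPackages) {
            if (name.equals(pkg) || name.startsWith(pkg + ".")) {
                return true;
            }
        }
        return false;
    }
}
```

Because the rejection happens in resolveClass on the descriptor's name, an InvalidClassException is raised before any static initialiser of the named class could run, which is the property the comment asks for.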