[ 
https://issues.apache.org/jira/browse/AMQ-6077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15056826#comment-15056826
 ] 

Timothy Bish commented on AMQ-6077:
-----------------------------------

The problem appears to be in the ActiveMQObjectMessage when used inside the 
broker for the STOMP transformations.  The getObject method overrides the 
trusted packages in the ClassLoadingAwareObjectInputStream with its own value, 
which by default is empty and negates the defaults in the 
ClassLoadingAwareObjectInputStream.

{code}
    @Override
    public Serializable getObject() throws JMSException {
        if (object == null && getContent() != null) {
            try {
                ByteSequence content = getContent();
                InputStream is = new ByteArrayInputStream(content);
                if (isCompressed()) {
                    is = new InflaterInputStream(is);
                }
                DataInputStream dataIn = new DataInputStream(is);
                ClassLoadingAwareObjectInputStream objIn = new ClassLoadingAwareObjectInputStream(dataIn);
                objIn.setTrustedPackages(trustedPackages);  // FIXME - Inside the Broker, this ArrayList is empty.
                objIn.setTrustAllPackages(trustAllPackages);
                try {
                    object = (Serializable)objIn.readObject();
                } catch (ClassNotFoundException ce) {
                    throw JMSExceptionSupport.create("Failed to build body from content. Serializable class not available to broker. Reason: " + ce, ce);
                } finally {
                    dataIn.close();
                }
            } catch (IOException e) {
                throw JMSExceptionSupport.create("Failed to build body from bytes. Reason: " + e, e);
            }
        }
        return this.object;
    }
{code}


> Better configuration of restricted classes for clients
> ------------------------------------------------------
>
>                 Key: AMQ-6077
>                 URL: https://issues.apache.org/jira/browse/AMQ-6077
>             Project: ActiveMQ
>          Issue Type: Improvement
>    Affects Versions: 5.13.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.12.2, 5.13.1, 5.14.0
>
>
> [AMQ-6013] introduces the checks on the classes that are allowed to be 
> serialized through ObjectMessages. The original implementation was designed 
> to protect the broker, so system property configuration was the easiest 
> solution.
> This change affects the clients that use the ObjectMessages.getObject() method. 
> We need to provide a better way of configuring this for clients. My initial 
> idea is that we should provide a configuration on ActiveMQConnectionFactory 
> and ActiveMQComponent classes.
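
To make the failure mode in the comment concrete, here is an added, self-contained illustration (not ActiveMQ's code) using a minimal stand-in for a package-whitelisting ObjectInputStream: a caller-supplied empty trusted-package list silently replaces the defaults, so even a java.util.Date is rejected, while a setter that keeps the defaults on an empty override (one possible mitigation, assumed here, not the project's actual fix) behaves as intended. The class names, the default package list and the sample object are all constructed for the demo.

```java
import java.io.*;
import java.util.*;
// Added illustration, not ActiveMQ code: a minimal stand-in for a package-whitelisting
// ObjectInputStream, showing how an empty caller-supplied list negates the defaults.
public class TrustedPackagesDemo {
    static final List<String> DEFAULT_TRUSTED = Arrays.asList("java.lang", "java.util"); // assumed defaults for the demo
    static class WhitelistObjectInputStream extends ObjectInputStream {
        private List<String> trusted = new ArrayList<>(DEFAULT_TRUSTED);
        WhitelistObjectInputStream(InputStream in) throws IOException { super(in); }
        // Behaviour described in the comment: the caller's list replaces the defaults,
        // so an empty list (the broker case) means "trust nothing".
        void setTrustedPackages(List<String> pkgs) { trusted = pkgs; }
        // One possible mitigation (an assumption, not the project's fix): an empty or
        // null override keeps the defaults instead of negating them.
        void setTrustedPackagesKeepingDefaults(List<String> pkgs) {
            if (pkgs != null && !pkgs.isEmpty()) trusted = pkgs;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            Class<?> cls = super.resolveClass(desc);
            Class<?> leaf = cls;
            while (leaf.isArray()) leaf = leaf.getComponentType(); // the whitelist applies to the element type
            final String name = leaf.getName();
            if (!leaf.isPrimitive() && trusted.stream().noneMatch(p -> name.startsWith(p + "."))) {
                throw new ClassNotFoundException("Forbidden class " + cls.getName() + "; trusted: " + trusted);
            }
            return cls;
        }
    }
    static byte[] serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(s); }
        return bos.toByteArray();
    }
    // Deserialize the payload with the override applied the replacing (buggy) or the defaults-keeping way.
    static String readWith(byte[] payload, List<String> override, boolean keepDefaults) throws IOException {
        try (WhitelistObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(payload))) {
            if (keepDefaults) in.setTrustedPackagesKeepingDefaults(override); else in.setTrustedPackages(override);
            return "accepted " + in.readObject().getClass().getName();
        } catch (ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws IOException {
        byte[] payload = serialize(new Date(0)); // constructed sample: a harmless java.util.Date
        System.out.println(readWith(payload, new ArrayList<>(), false)); // empty list replaces defaults -> rejected
        System.out.println(readWith(payload, new ArrayList<>(), true));  // defaults kept -> accepted java.util.Date
    }
}
```

The first call mirrors what the comment reports for the broker path (an empty ArrayList handed to setTrustedPackages), the second shows that preserving the stream's defaults on an empty override restores the intended whitelist.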



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
