[ https://issues.apache.org/jira/browse/AMQ-6312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15316524#comment-15316524 ]

Patrik Dudits commented on AMQ-6312:
------------------------------------

Stack trace for receiving MDBs for reference:

I've overridden RA's {{createConnectionFactory}} to set trusted packages.

{code}
javax.jms.JMSException: Failed to build body from content. Serializable class not available to broker. Reason: java.lang.ClassNotFoundException: Forbidden class <applicationClass>! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.
        at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:36)
        at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:208) // ActiveMQObjectMessage has default trusted packages
        at <applicationMDB>.onMessage(<applicationMDB>)

        at .... Payara EJB container, RAR adapter ....

        at org.apache.activemq.ra.MessageEndpointProxy$MessageEndpointAlive.onMessage(MessageEndpointProxy.java:123)
        at org.apache.activemq.ra.MessageEndpointProxy.onMessage(MessageEndpointProxy.java:64)
        at org.apache.activemq.ActiveMQSession.run(ActiveMQSession.java:1041) // session.connection has configured trusted packages
        at org.apache.activemq.ra.ServerSessionImpl.run(ServerSessionImpl.java:169)
        at com.sun.enterprise.connectors.work.OneWork.doWork(OneWork.java:107)
        at com.sun.corba.ee.impl.threadpool.ThreadPoolImpl$WorkerThread.performWork(ThreadPoolImpl.java:497)
        at com.sun.corba.ee.impl.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:540)
Caused by: java.lang.ClassNotFoundException: Forbidden class <application class>! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.
        at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.checkSecurity(ClassLoadingAwareObjectInputStream.java:112)
        at org.apache.activemq.util.ClassLoadingAwareObjectInputStream.resolveClass(ClassLoadingAwareObjectInputStream.java:57)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
        at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:206)
        ... 40 common frames omitted
{code}

> ObjectMessage's setTrustedPackages can only be applied via system property in 
> resource adapter setting
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6312
>                 URL: https://issues.apache.org/jira/browse/AMQ-6312
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.13.3
>            Reporter: Patrik Dudits
>
> We're using ActiveMQ via resource adapter, and with upgrading post 5.12.0 we 
> want to handle the trusted packages configuration via resource adapter rather 
> than via system properties.
> This approach is not supported at all, because:
> # {{ActiveMQResourceAdapter}} does not expose {{setTrustedPackages}}
> # {{ActiveMQManagedConnectionFactory}} does not expose {{setTrustedPackages}}
> # Neither {{ServerSessionImpl}}, {{ActiveMQSession}} nor 
> {{MessageEndpointProxy}} set trusted packages on received 
> {{ActiveMQObjectMessage}}
> The first two could be solved by adding the support into 
> {{ActiveMQConnectionSupport}} by adding a property and applying 
> trustedPackages in {{createConnectionFactory(ActiveMQConnectionRequestInfo, 
> MessageActivationSpec)}}.
> However, for the third one I'm not sure on which level the change should be 
> applied - either session should be enforcing connection's trusted packages, 
> or {{ServerSessionImpl}} could do it in its {{beforeDelivery}} method. But I 
> cannot think of a use case where session should not be handling this in the 
> first place. 
> Alternatively, {{ActiveMQObjectMessage}} could get the trusted packages list 
> from its connection, which guarantees that deserialization rules of the 
> connection are always applied, not only when {{ActiveMQConnectionConsumer}} 
> is used.
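
The trace above is rejected in `resolveClass` of the stream that `ActiveMQObjectMessage.getObject` opens, so the allowlist that counts is the one handed to that stream, not the one set on the connection. The following is an added JDK-only example, not ActiveMQ code and not from the reporter; the class names, the two package lists and the `java.net.URI` payload are constructed stand-ins.

```java
import java.io.*;
import java.net.URI;
import java.util.*;

// Added illustration, not ActiveMQ source; all names below are hypothetical.
public class TrustedPackagesDemo {

    /** Rejects any class outside the trusted package prefixes before it is loaded. */
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        AllowlistObjectInputStream(InputStream in, List<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName(); // array descriptors ("[B", "[Lx.Y;") match no prefix and are rejected
            for (String pkg : trustedPackages) {
                if (name.startsWith(pkg + ".")) {
                    return super.resolveClass(desc);
                }
            }
            throw new ClassNotFoundException("Forbidden class " + name);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    static String read(byte[] payload, List<String> trustedPackages) {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(payload), trustedPackages)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = serialize(URI.create("urn:order:42")); // constructed payload; URI stands in for an application class
        List<String> defaults = Arrays.asList("java.lang", "java.util");               // constructed stand-in for built-in defaults
        List<String> configured = Arrays.asList("java.lang", "java.util", "java.net"); // constructed: what the factory was given
        System.out.println("message with default list:    " + read(payload, defaults));
        System.out.println("message with connection list: " + read(payload, configured));
    }
}
```

The same bytes are rejected under the default list and accepted under the configured one, which is the behaviour the comment reports when the configured list never reaches the message.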


