[
https://issues.apache.org/jira/browse/AMQ-7149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bruno Baptista updated AMQ-7149:
--------------------------------
Description:
Both the Stomp and HTTP connectors use the XStream library for serializing and
deserializing objects on the wire (to/from XML). The XStreamSupport class sets
up XStream with some configuration on what classes can/can't be deserialized to
prevent deserialization vulnerabilities.
In order to avoid duplicating that code, it was placed in the stomp module, and
then referenced in the http module. This was introduced around 5.13. This can
cause a client side class not found exception when using simple http
communication:
{code:java}
"Exception in thread "ActiveMQ Transport: HTTP Reader http://localhost:9090/";
java.lang.NoClassDefFoundError:
org/apache/activemq/transport/stomp/XStreamSupport
at
org.apache.activemq.transport.xstream.XStreamWireFormat.createXStream(XStreamWireFormat.java:127)
at
org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream(XStreamWireFormat.java:113)
at
org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:66)
at
org.apache.activemq.transport.util.TextWireFormat.unmarshal(TextWireFormat.java:56)
at
org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:199)
..."
{code}
The proposed patch places the XStreamSupport class in activemq-client, thus
correcting this issue without requiring the inclusion of the optional
activemq-stomp library in the client.
was:
Both the Stomp and HTTP connectors use the XStream library for serializing and
deserializing objects on the wire (to/from XML). The XStreamSupport class sets
up XStream with some configuration on what classes can/can't be deserialized to
prevent deserialization vulnerabilities.
In order to avoid duplicating that code, it was placed in the stomp module, and
then referenced in the http module. This was introduced around 5.13. This can
cause a client side class not found exception when using simple http
communication:
{code:java}
"Exception in thread "ActiveMQ Transport: HTTP Reader http://localhost:9090/";
java.lang.NoClassDefFoundError:
org/apache/activemq/transport/stomp/XStreamSupport
at
org.apache.activemq.transport.xstream.XStreamWireFormat.createXStream(XStreamWireFormat.java:127)
at
org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream(XStreamWireFormat.java:113)
at
org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:66)
at
org.apache.activemq.transport.util.TextWireFormat.unmarshal(TextWireFormat.java:56)
at
org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:199)
..."
{code}
The proposed patch places the XStreamSupport class in activemq-client, thus
correcting this issue without requiring the inclusion of the optional
activemq-stomp library in the client.
> activemq-client using HTTP transport requires Stomp
> ---------------------------------------------------
>
> Key: AMQ-7149
> URL: https://issues.apache.org/jira/browse/AMQ-7149
> Project: ActiveMQ
> Issue Type: Bug
> Components: JMS client, stomp, Transport
> Affects Versions: 5.14.6, 5.16.0, 5.15.8, 5.15.9
> Reporter: Bruno Baptista
> Priority: Major
> Labels: httpclient, stomp
> Attachments: activemq.diff
>
>
> Both the Stomp and HTTP connectors use the XStream library for serializing
> and deserializing objects on the wire (to/from XML). The XStreamSupport class
> sets up XStream with some configuration on what classes can/can't be
> deserialized to prevent deserialization vulnerabilities.
>
> In order to avoid duplicating that code, it was placed in the stomp module,
> and then referenced in the http module. This was introduced around 5.13. This
> can cause a client side class not found exception when using simple http
> communication:
>
> {code:java}
> "Exception in thread "ActiveMQ Transport: HTTP Reader http://localhost:9090/";
> java.lang.NoClassDefFoundError:
> org/apache/activemq/transport/stomp/XStreamSupport
> at
> org.apache.activemq.transport.xstream.XStreamWireFormat.createXStream(XStreamWireFormat.java:127)
> at
> org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream(XStreamWireFormat.java:113)
> at
> org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:66)
> at
> org.apache.activemq.transport.util.TextWireFormat.unmarshal(TextWireFormat.java:56)
> at
> org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:199)
> ..."
> {code}
>
> The proposed patch places the XStreamSupport class in activemq-client, thus
> correcting this issue without requiring the inclusion of the optional
> activemq-stomp library in the client.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
