[ 
https://issues.apache.org/jira/browse/AMQ-9682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré resolved AMQ-9682.
---------------------------------------
    Resolution: Fixed

> Unable to run HTTP broker with XA Factory without SERIALIZABLE_PACKAGES=*
> -------------------------------------------------------------------------
>
>                 Key: AMQ-9682
>                 URL: https://issues.apache.org/jira/browse/AMQ-9682
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: JMS client
>    Affects Versions: 6.1.5
>            Reporter: Colin Werner
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 6.2.0, 6.1.7
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When running a broker (6.1.5) with an http connector, and attempting to 
> connect with:
>  
> {code:java}
> val activeMQXAConnectionFactory = ActiveMQXAConnectionFactory()
> val brokerUrl = "failover:(http://localhost:61618)?timeout=2000&initialReconnectDelay=100&maxReconnectDelay=250&maxReconnectAttempts=40&useExponentialBackOff=false&jms.prefetchPolicy.all=10"
> activeMQXAConnectionFactory.brokerURL = brokerUrl
> activeMQXAConnectionFactory.userName = BrokerSupportRestController.SERVER_USER
> activeMQXAConnectionFactory.password = jmsPassword
> activeMQXAConnectionFactory.redeliveryPolicy.maximumRedeliveries = 1
> val atomikosConnectionFactoryBean = AtomikosConnectionFactoryBean()
> atomikosConnectionFactoryBean.uniqueResourceName = "xamq"
> atomikosConnectionFactoryBean.localTransactionMode = false
> atomikosConnectionFactoryBean.maxPoolSize = 20
> atomikosConnectionFactoryBean.xaConnectionFactory = activeMQXAConnectionFactory
> {code}
> We receive the following payload:
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <org.apache.activemq.command.DataArrayResponse>
>     <commandId>0</commandId>
>     <responseRequired>false</responseRequired>
>     <correlationId>4</correlationId>
>     <data class="org.apache.activemq.command.XATransactionId-array"/>
> </org.apache.activemq.command.DataArrayResponse>
> {code}
> Which fails to unmarshall:
> {code:java}
> 15:38:26,650 [ActiveMQ Task-2     ] INFO  .a.t.f.FailoverTransport - Successfully reconnected to http://172.17.0.2:61618
> 15:38:26,650 [p://172.17.0.2:61618] WARN  .a.t.f.FailoverTransport - Transport (http://172.17.0.2:61618) failed, attempting to automatically reconnect
>  java.io.IOException: Failed to perform GET on: http://172.17.0.2:61618 Reason: [Lorg.apache.activemq.command.XATransactionId;
>       at org.apache.activemq.util.IOExceptionSupport.create(IOExceptionSupport.java:36) ~[activemq-client-6.1.3.jar:6.1.3]
>       at org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:209) [activemq-http-6.1.3.jar:6.1.3]
>       at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
> Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: [Lorg.apache.activemq.command.XATransactionId;
>       at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:420) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:136) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1464) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1441) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1321) ~[xstream-1.4.20.jar:1.4.20]
>       at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1312) ~[xstream-1.4.20.jar:1.4.20]
>       at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:65) ~[activemq-http-6.1.3.jar:6.1.3]
>       at org.apache.activemq.transport.util.TextWireFormat.unmarshal(TextWireFormat.java:56) ~[activemq-http-6.1.3.jar:6.1.3]
>       at org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:200) ~[activemq-http-6.1.3.jar:6.1.3]
>       ... 1 more
> {code}
> Likely because [https://github.com/apache/activemq/blob/main/activemq-client/src/main/java/org/apache/activemq/util/XStreamSupport.java#L30] does not include [https://github.com/x-stream/xstream/blob/master/xstream/src/java/com/thoughtworks/xstream/security/ArrayTypePermission.java]?
> The workaround is to add -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=*; however, this is not desirable due to a lack of security measures.
> Are we missing some other way to avoid this issue?
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
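
Added example (not part of the Jira message and not ActiveMQ's own code): the failure mode reported above, reproduced against plain XStream, next to an allowlist that permits arrays without opening every package. It assumes XStream 1.4.x on the classpath; the demo package, the TxId class and the allowlist built in allowlisted() are constructed stand-ins, not the actual contents of XStreamSupport.

```java
package demo;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ArrayTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.io.File;

public class ArrayPermissionDemo {
    // Constructed stand-in for org.apache.activemq.command.XATransactionId.
    public static class TxId { int formatId = 1; }

    // Deny-by-default XStream with one package wildcard (assumed shape of a
    // SERIALIZABLE_PACKAGES entry); arrays are permitted only on request.
    static XStream allowlisted(boolean allowArrays) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypesByWildcard(new String[] {"demo.**"});
        if (allowArrays) {
            xs.addPermission(ArrayTypePermission.ARRAYS);
        }
        return xs;
    }

    static String read(XStream xs, String xml) {
        try {
            return "allowed: " + xs.fromXML(xml).getClass().getName();
        } catch (XStreamException e) {
            Throwable t = e; // the denial may arrive wrapped in a ConversionException
            while (!(t instanceof ForbiddenClassException) && t.getCause() != null) {
                t = t.getCause();
            }
            return "rejected: " + t.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream writer = new XStream(); // permissions are enforced on read, not on write
        String txIds = writer.toXML(new TxId[] {new TxId()});
        String files = writer.toXML(new File[] {new File("x")});

        System.out.println(read(allowlisted(false), txIds)); // array class name starts with "[L", outside the wildcard
        System.out.println(read(allowlisted(true), txIds));  // array permitted, element type on the allowlist
        System.out.println(read(allowlisted(true), files));  // array permitted, element type not on the allowlist
    }
}
```

ArrayTypePermission only admits the array container; each element is still resolved through the same permission list, which is why it is a narrower change than SERIALIZABLE_PACKAGES=*.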
