ActiveMQConnectionFactory does not implement the new setTrustedPackages() API
Issue
Towards the end of 2015, a security weakness was discovered in the commons-collections library, which is used by JBoss Fuse and many other Java-based products. Red Hat released patches that fixed the security problem but, as an additional measure, new APIs were added to some software components to allow customers to mitigate the effect of bugs of this sort in future.
In ActiveMQ, a scheme was introduced by which developers could control which Java packages are suitable for deserialization. The new features, which were introduced in ActiveMQ 5.12.2, are described in the ObjectMessage documentation. In essence, there are new methods on ActiveMQConnectionFactory, and a new environment variable.
Although no Fuse version in current release (early 2016) contains ActiveMQ 5.12.2 or later, some (but not all) of the relevant changes in 5.12.2 were backported. Unfortunately, the new setTrustedPackages() API was omitted.
Environment
- Red Hat JBoss Fuse
  - 6.0
  - 6.1
  - 6.2
