From 7eb9b218b2705cf9273e30ee2da026e43b6dd4e0 Mon Sep 17 00:00:00 2001 From: Dejan Bosanac Date: Tue, 20 Oct 2015 12:30:46 +0200 Subject: [PATCH] https://issues.apache.org/jira/browse/AMQ-6013 - init serializable packages statically --- .../ClassLoadingAwareObjectInputStream.java | 20 ++++++++----------- .../transport/xstream/XStreamWireFormat.java | 6 ++---- .../transport/stomp/XStreamSupport.java | 2 +- .../transport/stomp/StompTestSupport.java | 3 +-- 4 files changed, 12 insertions(+), 19 deletions(-) diff --git a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java index f8a7d0c2f7..645a47dd0c 100644 --- a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java +++ b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java @@ -34,10 +34,15 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); - private static String[] serializablePackages; + public static final String[] serializablePackages; private final ClassLoader inLoader; + static { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { super(in); inLoader = in.getClass().getClassLoader(); 
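Review bot: `public static final String[] serializablePackages` fixes the reference but leaves the array elements writable, so any code in the same JVM can alter the deserialization allow-list after start-up, and `isAllAllowed()` and `checkSecurity` would honour the altered entries. I would keep the field as `private static final String[] serializablePackages;` and retain a public accessor that ends in `return serializablePackages.clone();`, which the loop in the XStreamSupport hunk can iterate instead of reading the field directly. The static block also deserves a comment stating that the property is read once at class initialization, so a later `System.setProperty` call has no effect. The class body continues outside this hunk.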
@@ -83,24 +88,15 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { } } - public static String[] getSerialziablePackages() { - if (serializablePackages == null) { - serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", - "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); - } - - return serializablePackages; - }; - public static boolean isAllAllowed() { - return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + return serializablePackages.length == 1 && serializablePackages[0].equals("*"); } private void checkSecurity(Class clazz) throws ClassNotFoundException { if (!clazz.isPrimitive()) { if (clazz.getPackage() != null && !isAllAllowed()) { boolean found = false; - for (String packageName : getSerialziablePackages()) { + for (String packageName : serializablePackages) { if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { found = true; break; diff --git a/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java b/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java index 76a58737d1..a8df44661a 100755 --- a/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java +++ b/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java 
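Review bot: In `checkSecurity` the allow-list loop runs only when `clazz.getPackage() != null`, so a class for which `getPackage()` returns null is never compared against `serializablePackages`, and the commit keeps that condition unchanged. `Class.getPackage()` returns null for array types and may return null when the defining loader created no `Package` object, so this branch appears to fail open. Consider unwrapping arrays first with `while (target.isArray()) target = target.getComponentType();` and treating a remaining null package as not found unless `isAllAllowed()` is true. The body of `checkSecurity` runs past the end of the hunk, so the rejection path itself is not visible here and should be confirmed against the full method.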
@@ -19,14 +19,11 @@ package org.apache.activemq.transport.xstream; import java.io.IOException; import java.io.Reader; -<<<<<<< HEAD -======= import com.thoughtworks.xstream.converters.Converter; import com.thoughtworks.xstream.converters.MarshallingContext; import com.thoughtworks.xstream.converters.UnmarshallingContext; import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; ->>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; import org.apache.activemq.transport.stomp.XStreamSupport; @@ -102,7 +99,8 @@ public class XStreamWireFormat extends TextWireFormat { } // Properties - // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java + // ------------------------------------------------- + public XStream getXStream() { if (xStream == null) { xStream = createXStream(); // make it work in OSGi env diff --git a/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java index 94ae7b71d8..abcca72a75 100644 --- a/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java +++ b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java @@ -37,7 +37,7 @@ public class XStreamSupport { if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { stream.addPermission(AnyTypePermission.ANY); } else { - for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + for (String packageName : ClassLoadingAwareObjectInputStream.serializablePackages) { stream.allowTypesByWildcard(new String[]{packageName + ".**"}); } } 
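Review bot: In the XStreamSupport loop each entry is used exactly as `split(",")` produced it, so in `packageName + ".**"` a property value with a space after a comma, or with an empty entry, yields a pattern that matches no class name. The same raw entries feed the `equals`/`startsWith` comparison in `checkSecurity`, so the package is silently denied in both places. Normalising where the property is parsed, or using `packageName.trim()` here and skipping empty strings, would stop a hand-written allow-list from quietly rejecting a package the operator meant to permit. The enclosing method starts and ends outside the hunk.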
diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java index b48ddb7517..a8d4884cbe 100644 --- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java +++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java @@ -111,8 +111,7 @@ public class StompTestSupport { } public void startBroker() throws Exception { - System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); - createBroker(true); + createBroker(); XStreamBrokerContext context = new XStreamBrokerContext(); brokerService.setBrokerContext(context);