From f3e0ab4c5a26bc73fbad4a4eabc79cec4bb03106 Mon Sep 17 00:00:00 2001
From: Andrew Levandoski
Date: Tue, 20 Oct 2020 17:21:31 -0400
Subject: [PATCH] AMQ-8011 - Performance Related issue in ClassLoadingAwareObjectInputStream.checkSecurity()
---
 .../ClassLoadingAwareObjectInputStream.java | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
index d6a50a1cb3..0a717f452b 100644
--- a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
+++ b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
@@ -98,18 +98,21 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
 }
 private void checkSecurity(Class clazz) throws ClassNotFoundException {
- if (!clazz.isPrimitive()) {
- if (clazz.getPackage() != null && !trustAllPackages()) {
- boolean found = false;
- for (String packageName : getTrustedPackages()) {
- if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) {
- found = true;
- break;
- }
- }
- if (!found) {
- throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.");
+ if (trustAllPackages() || clazz.isPrimitive()) {
+ return;
+ }
+
+ boolean found = false;
+ Package thePackage = clazz.getPackage();
+ if (thePackage != null) {
+ for (String trustedPackage : getTrustedPackages()) {
+ if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.");
 }
 }
 }
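Review bot: The `if (thePackage != null)` guard in the new `checkSecurity` still fails open: when `clazz.getPackage()` returns null the method returns without consulting `getTrustedPackages()`, so the class is accepted for ObjectMessage deserialization without any allowlist check. `Class.getPackage()` returns null for array classes and, on older runtimes, can return null for classes whose loader never defined a `Package`, so the trust decision should not hinge on that object being present. Consider unwrapping arrays first with `while (clazz.isArray()) { clazz = clazz.getComponentType(); }` ahead of the primitive test, deriving the package name from `clazz.getName()` (the text before the last `.`), and throwing the same `ClassNotFoundException` whenever no trusted prefix matches. Whether array classes actually reach this method depends on the caller, which lies outside the hunk.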