ActiveMQ-JMS (5): Security Issues with ObjectMessage

Source: Internet  Published: object-oriented programming java  Editor: 程序博客网  Time: 2024/06/10 02:33

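Security issue

According to the Apache website, a security mechanism was introduced to avoid receiving malicious code: only objects from explicitly specified packages may be transferred. The original text reads: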

ObjectMessage objects depend on Java serialization of marshal/unmarshal object payload. This process is generally considered unsafe as malicious payload can exploit the host system. That’s why starting with versions 5.12.2 and 5.13.0, ActiveMQ enforces users to explicitly whitelist packages that can be exchanged using ObjectMessages.

If a class in use has not been added to the whitelist, the following exception is thrown:

javax.jms.JMSException: Failed to build body from content. Serializable class not available to broker. Reason: java.lang.ClassNotFoundException: Forbidden class rms.remotemanagement.ApartmentThread$Message! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.
    at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:36)
    at org.apache.activemq.command.ActiveMQObjectMessage.getObject(ActiveMQObjectMessage.java:208)

Solutions

Simple solution

Add the following code in the message queue client (that is, in the application code):
1. Allow all classes to be transferred

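import org.apache.activemq.ActiveMQConnectionFactory;

ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
// Turns the package whitelist off: every Serializable class on the classpath is accepted.
factory.setTrustAllPackages(true);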

2. Allow only classes in specified packages to be transferred

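import java.util.ArrayList;
import java.util.Arrays;

ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
// Only classes from the listed packages may be deserialized from ObjectMessages.
factory.setTrustedPackages(new ArrayList<String>(Arrays.asList("org.apache.activemq.test,org.apache.camel.test".split(","))));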

Solving it by modifying the server configuration

1. Modify the ActiveMQ configuration file ${ACTIVEMQ_HOME}/bin/env script and add the org.apache.activemq.SERIALIZABLE_PACKAGES property.

-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper,com.mycompany.myapp

2. Modify the Camel context

<bean id="connectionFactory" class="org.apache.activemq.spring.ActiveMQConnectionFactory">
    <property name="brokerURL" value="tcp://localhost:61616"/>
    <property name="trustedPackages">
        <list>
            <value>org.apache.activemq.test</value>
            <value>org.apache.camel.test</value>
        </list>
    </property>
</bean>
<bean id="jmsConfig" class="org.apache.camel.component.jms.JmsConfiguration">
    <property name="connectionFactory" ref="connectionFactory"/>
</bean>
<bean id="activemq" class="org.apache.activemq.camel.component.ActiveMQComponent">
    <property name="configuration" ref="jmsConfig"/>
</bean>

or

<bean id="connectionFactory" class="org.apache.activemq.spring.ActiveMQConnectionFactory">
    <property name="brokerURL" value="tcp://localhost:61616"/>
    <property name="trustAllPackages" value="true"/>
</bean>
<bean id="jmsConfig" class="org.apache.camel.component.jms.JmsConfiguration">
    <property name="connectionFactory" ref="connectionFactory"/>
</bean>
<bean id="activemq" class="org.apache.activemq.camel.component.ActiveMQComponent">
    <property name="configuration" ref="jmsConfig"/>
</bean>