[backport camel-4.18.x] CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms#22603
Merged
oscerd merged 4 commits into apache:camel-4.18.x on Apr 14, 2026
Conversation
…ling in camel-jms and camel-sjms

Aligns the JMS component family with the defense-in-depth pattern applied in camel-netty (CAMEL-23297) and camel-mina (CAMEL-23319).

JmsBinding (camel-jms and camel-sjms) now resolves a deserialization filter at construction using the same priority as the other components: configured value -> JVM -Djdk.serialFilter -> default "java.**;javax.**;org.apache.camel.**;!*". After ObjectMessage.getObject(), the class of the returned payload is checked against the filter and a SecurityException is thrown on reject.

The filter is exposed as a new endpoint option 'deserializationFilter' on JmsConfiguration (camel-jms) and SjmsEndpoint (camel-sjms).

Note: this check runs after the JMS provider has deserialized the payload, so the option does not, on its own, stop gadget chains that execute inside the provider's ObjectInputStream. The javadoc makes this explicit and points users to JVM-wide -Djdk.serialFilter and provider-specific filters for complete coverage.

camel-amqp inherits the behaviour via AMQPJmsBinding.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
53ed738 to c311624
davsclaus approved these changes on Apr 14, 2026
…ling in camel-jms and camel-sjms

Configure deserializationFilter in CxfToJmsInOutTest and JmsToCxfInOutTest Spring contexts to allow org.apache.cxf.** classes alongside the defaults, so MessageContentsList payloads exchanged over JMS ObjectMessage pass the filter introduced in CAMEL-23321.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Backport of #22598

Cherry-pick of #22598 onto camel-4.18.x.

Original PR: #22598 - CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms
Original author: @oscerd
Target branch: camel-4.18.x
Jira: https://issues.apache.org/jira/browse/CAMEL-23321

Two commits cherry-picked in order:
1. CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms
2. Regen

Conflict resolution

One minor, style-only conflict in components/camel-sjms/src/main/java/org/apache/camel/component/sjms/jms/JmsBinding.java. main had been refactored to use pattern-matching instanceof (payload instanceof DefaultExchangeHolder holder); camel-4.18.x still uses the explicit-cast style. Resolved by keeping the existing 4.18.x style and adding only the security-relevant change:

All other code (the checkDeserializedClass method itself, the new deserializationFilter option on JmsConfiguration/SjmsEndpoint, generated descriptors, DSL factories) was auto-merged cleanly.

Verification

camel-jms and camel-sjms compile cleanly on the camel-4.18.x baseline

Claude Code on behalf of Andrea Cosentino
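The following is an added example, not code from this PR or from Apache Camel. It illustrates two things the commit message and the PR description above talk about: the filter-resolution order (configured value, then -Djdk.serialFilter, then the default pattern "java.**;javax.**;org.apache.camel.**;!*") and the caveat that a class check performed after ObjectMessage.getObject() runs only once the provider's ObjectInputStream has already finished deserializing. The method names resolveFilter, checkDeserializedClass and readWithStreamFilter, the DeserializationFilterDemo and CustomPayload classes, and the sample payload are all assumptions made for the demo; the real Camel method is only named, not reproduced, on this page. It needs Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

/** Added demo (not Camel's code): post-hoc class check vs. stream-level filter. */
public class DeserializationFilterDemo {

    // Default pattern quoted in the CAMEL-23321 commit message.
    static final String DEFAULT_PATTERN = "java.**;javax.**;org.apache.camel.**;!*";

    /** Same priority as the commit describes: configured -> -Djdk.serialFilter -> default. */
    static ObjectInputFilter resolveFilter(String configured) {
        String pattern = configured;
        if (pattern == null || pattern.isBlank()) {
            pattern = System.getProperty("jdk.serialFilter");
        }
        if (pattern == null || pattern.isBlank()) {
            pattern = DEFAULT_PATTERN;
        }
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    /**
     * Post-deserialization check (hypothetical shape, modelled on the description
     * of checkDeserializedClass): the payload already exists, so only its class
     * can be consulted, and a rejection becomes a SecurityException.
     */
    static Object checkDeserializedClass(ObjectInputFilter filter, Object payload) {
        if (payload == null || filter == null) {
            return payload;
        }
        ObjectInputFilter.Status status = filter.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return payload.getClass(); }
            public long arrayLength() { return -1; }
            public long depth() { return 1; }
            public long references() { return 0; }
            public long streamBytes() { return 0; }
        });
        if (status == ObjectInputFilter.Status.REJECTED) {
            throw new SecurityException("Deserialization rejected for class "
                    + payload.getClass().getName());
        }
        return payload;
    }

    /**
     * Stream-level filter: ObjectInputStream consults the filter before each class
     * in the stream is resolved, so a disallowed class is refused before any of
     * its readObject/readResolve code can run. This is what the post-hoc check
     * cannot provide and why the javadoc points at -Djdk.serialFilter.
     */
    static Object readWithStreamFilter(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Constructed sample payload; its class is outside every allowed prefix, so "!*" rejects it.
    static class CustomPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        CustomPayload(String value) { this.value = value; }
    }

    public static void main(String[] args) throws Exception {
        // No endpoint option and no -Djdk.serialFilter set: falls through to the default.
        ObjectInputFilter filter = resolveFilter(null);

        // java.util.ArrayList matches "java.**" and passes the post-hoc check.
        checkDeserializedClass(filter, new ArrayList<String>());
        System.out.println("ArrayList allowed");

        byte[] custom = serialize(new CustomPayload("x"));

        // Provider-style path: deserialize first (readObject already ran), then check.
        Object payload;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(custom))) {
            payload = in.readObject();
        }
        try {
            checkDeserializedClass(filter, payload);
        } catch (SecurityException e) {
            System.out.println("post-hoc: " + e.getMessage());
        }

        // Stream-level path: the same filter refuses the class inside readObject.
        try {
            readWithStreamFilter(custom, filter);
        } catch (InvalidClassException e) {
            System.out.println("stream: " + e.getMessage());
        }
    }
}
```

Both paths reject CustomPayload, but only the stream-level filter does so before the object is constructed; in the post-hoc path the provider has already instantiated the class and run any readObject logic it carries, which is exactly the gap the commit message flags. In a JMS deployment the stream-level equivalent is the JVM-wide -Djdk.serialFilter or the provider's own allow-list, with the endpoint option acting as the second layer.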