
[backport camel-4.14.x] CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms#22604

Merged
oscerd merged 5 commits into apache:camel-4.14.x from oscerd:backport/22598-to-camel-4.14.x
Apr 14, 2026

Conversation


@oscerd oscerd commented Apr 14, 2026

Backport of #22598

Cherry-pick of #22598 onto camel-4.14.x.

Original PR: #22598 - CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms
Original author: @oscerd
Target branch: camel-4.14.x
Jira: https://issues.apache.org/jira/browse/CAMEL-23321

Two commits on this branch:

  1. CAMEL-23321: Add deserialization filtering for JMS ObjectMessage handling in camel-jms and camel-sjms (cherry-picked from c5c8d4f668c, one conflict resolved — see below)
  2. Regen — regenerated camel-jms catalog on the camel-4.14.x baseline

Conflict resolution

Cherry-picking c5c8d4f668c produced three conflicts:

  1. components/camel-sjms/src/main/java/org/apache/camel/component/sjms/jms/JmsBinding.java — style-only: main uses pattern-matching instanceof, camel-4.14.x uses explicit cast. Resolved by keeping the 4.14.x style and adding only the security-relevant checkDeserializedClass(payload) call and // NOSONAR marker:

    Object payload = objectMessage.getObject();
    checkDeserializedClass(payload);
    if (payload instanceof DefaultExchangeHolder) {
        DefaultExchangeHolder holder = (DefaultExchangeHolder) payload;
        DefaultExchangeHolder.unmarshal(exchange, holder); // NOSONAR
        return exchange.getIn().getBody();
    }
  2. components/camel-jms/src/generated/java/org/apache/camel/component/jms/JmsEndpointUriFactory.java

  3. components/camel-jms/src/generated/resources/META-INF/org/apache/camel/component/jms/jms.json

    Both are generated files whose baselines diverge between 4.14.x and main (different property counts / indices). Resolved by keeping the 4.14.x baseline (--ours) and regenerating them locally against the 4.14.x source — the Regen commit on this branch contains that regeneration.

Skipped

The original Regen commit e1d060f2147 from #22598 touched many downstream JMS-family catalog files (camel-activemq, camel-activemq6, camel-amqp, camel-sjms2, camel-catalog, DSL factories) whose 4.14.x content diverges from main. It was skipped in favor of the locally-regenerated camel-jms catalog in this PR. Other downstream catalogs on 4.14.x can be regenerated in a follow-up if/when CI flags a catalog mismatch.

Verification

  • Cherry-pick applied with one manual style resolution (documented above) and --ours on two generated files (regenerated in a separate commit)
  • camel-jms and camel-sjms compile cleanly on the camel-4.14.x baseline
  • Apache CI will run the authoritative test suite and catalog consistency checks

Claude Code on behalf of Andrea Cosentino

oscerd added 2 commits April 14, 2026 11:36
…ling in camel-jms and camel-sjms

Aligns the JMS component family with the defense-in-depth pattern applied in
camel-netty (CAMEL-23297) and camel-mina (CAMEL-23319).

JmsBinding (camel-jms and camel-sjms) now resolves a deserialization filter at
construction using the same priority as the other components:
  configured value -> JVM -Djdk.serialFilter -> default "java.**;javax.**;org.apache.camel.**;!*".
After ObjectMessage.getObject(), the class of the returned payload is checked
against the filter and a SecurityException is thrown on reject. The filter is
exposed as a new endpoint option 'deserializationFilter' on JmsConfiguration
(camel-jms) and SjmsEndpoint (camel-sjms).

Note: this check runs after the JMS provider has deserialized the payload, so
the option does not, on its own, stop gadget chains that execute inside the
provider's ObjectInputStream. The javadoc makes this explicit and points users
to JVM-wide -Djdk.serialFilter and provider-specific filters for complete
coverage. camel-amqp inherits the behaviour via AMQPJmsBinding.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
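The commit message above describes two things: how the filter pattern is resolved (configured value, then the JVM's -Djdk.serialFilter, then the default "java.**;javax.**;org.apache.camel.**;!*") and why a check that runs after ObjectMessage.getObject() is only one layer. The following stand-alone Java program is an added illustration written for this page; it is not Camel's JmsBinding code and does not use the Camel API. It builds the filter with the JDK's java.io.ObjectInputFilter, applies the post-deserialization class check the way the message describes, and then contrasts it with the in-stream filter that -Djdk.serialFilter or a provider-level filter would give. The names resolveFilter, checkDeserializedClass, providerGetObject, filteredReadObject and the UnlistedPayload sample type are assumptions for the demo; it expects Java 11 or later and a JVM with no jdk.serialFilter set, so the default pattern is what gets exercised.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class ObjectMessageFilterDemo {

    // Default pattern quoted in the commit message.
    static final String DEFAULT_PATTERN = "java.**;javax.**;org.apache.camel.**;!*";

    // Resolve once, at construction time: configured value -> -Djdk.serialFilter -> default.
    static ObjectInputFilter resolveFilter(String configured) {
        String pattern = configured;
        if (pattern == null || pattern.isBlank()) {
            pattern = System.getProperty("jdk.serialFilter");
        }
        if (pattern == null || pattern.isBlank()) {
            pattern = DEFAULT_PATTERN;
        }
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    // Post-deserialization check (assumed name): the provider has already run readObject(),
    // so all that is left is to ask the filter whether the concrete class of the result is allowed.
    static void checkDeserializedClass(ObjectInputFilter filter, Object payload) {
        if (payload == null) {
            return;
        }
        final Class<?> clazz = payload.getClass();
        ObjectInputFilter.Status status = filter.checkInput(new ObjectInputFilter.FilterInfo() {
            @Override public Class<?> serialClass() { return clazz; }
            @Override public long arrayLength() { return -1; }   // not an array element
            @Override public long depth() { return 1; }
            @Override public long references() { return 0; }
            @Override public long streamBytes() { return 0; }
        });
        if (status == ObjectInputFilter.Status.REJECTED) {
            throw new SecurityException("deserialized class rejected by filter: " + clazz.getName());
        }
    }

    // Constructed sample payload type that lives outside the allow-listed packages.
    static final class UnlistedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Stands in for ObjectMessage.getObject(): the provider deserializes with no filter at all.
    static Object providerGetObject(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // The stronger layer: the filter is consulted for every class before an instance exists.
    static Object filteredReadObject(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // No endpoint option and (assumed) no -Djdk.serialFilter on this JVM -> default pattern.
        ObjectInputFilter filter = resolveFilter(null);

        HashMap<String, String> allowed = new HashMap<>();
        allowed.put("k", "v");
        checkDeserializedClass(filter, providerGetObject(serialize(allowed)));
        System.out.println("java.util.HashMap accepted by " + DEFAULT_PATTERN);

        // Layer 1: UnlistedPayload was already instantiated by the provider before the check ran.
        Object suspect = providerGetObject(serialize(new UnlistedPayload()));
        try {
            checkDeserializedClass(filter, suspect);
        } catch (SecurityException e) {
            System.out.println("post-deserialization check: " + e.getMessage());
        }
        // Layer 2: the in-stream filter rejects the class descriptor, so no instance is ever built.
        try {
            filteredReadObject(serialize(new UnlistedPayload()), filter);
        } catch (InvalidClassException e) {
            System.out.println("in-stream filter: " + e.getMessage());
        }
    }
}
```

Passing a non-null value to resolveFilter models the endpoint option (for example an allow-list that adds a further package prefix ahead of the same "!*" terminator); the second branch models a process-wide -Djdk.serialFilter. The contrast in main is the point of the commit message's note: the post-deserialization check only sees the object the provider already constructed, whereas the filter installed on the ObjectInputStream is asked about each class before it is instantiated.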
@oscerd oscerd requested a review from davsclaus April 14, 2026 09:40
oscerd added 3 commits April 14, 2026 13:12
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…ling in camel-jms and camel-sjms

Configure deserializationFilter in CxfToJmsInOutTest and JmsToCxfInOutTest
Spring contexts to allow org.apache.cxf.** classes alongside the defaults,
so MessageContentsList payloads exchanged over JMS ObjectMessage pass the
filter introduced in CAMEL-23321.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd merged commit 6a82709 into apache:camel-4.14.x Apr 14, 2026
3 checks passed