Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
5.14.6, 5.15.8, 5.15.9, 5.16.0
-
Patch Available
Description
Both the Stomp and HTTP connectors use the XStream library for serializing and deserializing objects on the wire (to/from XML). The XStreamSupport class sets up XStream with some configuration on what classes can/can't be deserialized to prevent deserialization vulnerabilities.
In order to avoid duplicating that code, it was placed in the stomp module, and then referenced in the http module. This was introduced around 5.13. This can cause a client side class not found exception when using simple http communication:
"Exception in thread "ActiveMQ Transport: HTTP Reader http://localhost:9090/" java.lang.NoClassDefFoundError: org/apache/activemq/transport/stomp/XStreamSupport at org.apache.activemq.transport.xstream.XStreamWireFormat.createXStream(XStreamWireFormat.java:127) at org.apache.activemq.transport.xstream.XStreamWireFormat.getXStream(XStreamWireFormat.java:113) at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:66) at org.apache.activemq.transport.util.TextWireFormat.unmarshal(TextWireFormat.java:56) at org.apache.activemq.transport.http.HttpClientTransport.run(HttpClientTransport.java:199) ..."
The proposed patch places the XStreamSupport class in activemq-client, thus correcting this issue without requiring the inclusion of the optional activemq-stomp library in the client.
Attachments
Attachments
Issue Links
- links to
