Skip to content

Use JDK ObjectInputFilter instead of calling AllowedListDeserializingMessageConverter::checkAllowedList in ConfigurableObjectInputStream::resolveClass #2687

New issue
New issue
Open
Open
Use JDK ObjectInputFilter instead of calling AllowedListDeserializingMessageConverter::checkAllowedList in ConfigurableObjectInputStream::resolveClass#2687
Labels
in: rabbitmqtype: enhancement
Milestone
Backlog
@quaff

Description

@quaff
quaff
opened on Apr 18, 2024

I think it's better to use standard API.
see Java Serialization Filters

spring-amqp/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SimpleMessageConverter.java

Lines 158 to 162 in 603e6c8

protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
Class<?> clazz = super.resolveClass(classDesc);
checkAllowedList(clazz);
return clazz;
}

spring-amqp/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SerializerMessageConverter.java

Lines 167 to 172 in 603e6c8

protected Class<?> resolveClass(ObjectStreamClass classDesc)
throws IOException, ClassNotFoundException {
Class<?> clazz = super.resolveClass(classDesc);
checkAllowedList(clazz);
return clazz;
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    in: rabbitmqtype: enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions