[backport camel-4.18.x] CAMEL-23373: camel-jms - Disable ObjectMessage by default #22918
Merged
oscerd merged 3 commits into apache:camel-4.18.x, May 4, 2026
Conversation
* CAMEL-23373: camel-jms - Disable ObjectMessage by default

  Java object serialization over JMS is rarely used in practice and is a recurring source of security advisories. Disable creation and reading of jakarta.jms.ObjectMessage by default and add a new objectMessageEnabled option (default false) on JmsConfiguration / JmsComponent / JmsEndpoint to opt back in.

  When disabled, JmsBinding now refuses to:
  - create an ObjectMessage from a Serializable body (auto-detected jmsMessageType=Object or explicitly set)
  - create an ObjectMessage for transferExchange or transferException
  - extract the body of a received ObjectMessage

  Existing tests that rely on ObjectMessage have been updated to opt in. A new JmsObjectMessageEnabledTest validates the default disabled behavior on producer and consumer side, and JmsBindingTest covers the unit-level checks. Documentation updated in the 4.21 upgrade guide.

  Signed-off-by: Andrea Cosentino <ancosen@gmail.com>

* CAMEL-23373: Regenerate camel-jms / camel-activemq* / camel-amqp DSL builders

  The componentdsl and endpointdsl builder factories for camel-jms and the JMS-derived components (camel-activemq, camel-activemq6, camel-amqp) needed to be regenerated to expose the new objectMessageEnabled option in the fluent DSL. These are generated files only; no hand-written code changed.

  Signed-off-by: Andrea Cosentino <ancosen@gmail.com>

---------

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Re-run the catalog generator on the backport so the JSON descriptors match the 4.18.x source: bumps the version field from 4.21.0-SNAPSHOT to 4.18.3-SNAPSHOT and reverts a couple of option descriptions that were clarified separately on main but not part of this fix. Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Contributor
btw there are (some) unit test fixes in itest that are related to this, that can be backported afterwards, commit 98926bb
davsclaus approved these changes, May 4, 2026
Backport of #22866

Cherry-pick of #22866 onto camel-4.18.x.

Original PR: #22866 - CAMEL-23373: camel-jms - Disable ObjectMessage by default
Original author: @oscerd
Target branch: camel-4.18.x

Conflict resolution notes

The cherry-pick required a few manual resolutions because camel-4.18.x does not yet carry the security-options infrastructure introduced on main:
- Dropped the `security = "insecure:serialization"` attribute from the `@UriParam` annotations on `objectMessageEnabled`, `transferException`, and `transferExchange` in `JmsConfiguration`: the `security` attribute does not exist on `@UriParam` / `@Metadata` in 4.18.x.
- Dropped `core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java`: the SecurityUtils registry does not exist on 4.18.x.
- Dropped the `"security": "insecure:serialization"` JSON entries from the regenerated catalog and component descriptor JSON files for the same reason (they would otherwise carry a key the 4.18.x catalog format does not declare).
- Moved the upgrade note from `camel-4x-upgrade-guide-4_21.adoc` into a new "Upgrading from 4.18.2 to 4.18.3" section of `camel-4x-upgrade-guide-4_18.adoc`.

The functional behavior matches the original PR: `objectMessageEnabled` defaults to `false`, `JmsBinding` refuses to create or read `jakarta.jms.ObjectMessage` instances unless the option is enabled, all existing tests that rely on `ObjectMessage` opt in via `setObjectMessageEnabled(true)` (or `?objectMessageEnabled=true`), and the new `JmsObjectMessageEnabledTest` covers default-disabled producer / consumer paths.

Sanity build

- `mvn -pl :camel-jms -am -DskipTests=true install` (green)
- `mvn -pl :camel-activemq,:camel-activemq6,:camel-amqp,:camel-catalog -am -DskipTests=true install` (green)

Original description
Summary

Resolves CAMEL-23373. Disables creation and reading of `jakarta.jms.ObjectMessage` by default in `camel-jms` and adds a new `objectMessageEnabled` option (default `false`) to opt back in at the component or endpoint level.

Java object serialization over JMS is rarely used in practice and is a recurring source of security advisories; the goal is to reduce the default attack surface and keep the feature available for users who explicitly need it.

Behavior

When `objectMessageEnabled=false` (the new default), `JmsBinding` refuses to:
- create an `ObjectMessage` from a `Serializable` body (auto-detected `jmsMessageType=Object` or explicitly set)
- create an `ObjectMessage` for `transferExchange` or `transferException` replies
- extract the body of a received `ObjectMessage`

In each case, `IllegalStateException` is thrown with a message pointing the user at how to enable the option.

To restore the previous behavior:

`camel.component.jms.objectMessageEnabled=true`

or per endpoint:

`jms:queue:foo?objectMessageEnabled=true`

🤖 Claude Code on behalf of Andrea Cosentino
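The following is an added example and not code from this PR or from the Camel project: a stand-alone Java program that exercises the behavior described above on both the producer and the consumer side, then opts back in per endpoint. It assumes `camel-jms` and an embedded ActiveMQ Classic broker (`activemq-broker` on the classpath, reached over `vm://`) are available; the `Order` record, the queue names and the `ObjectMessageOptInDemo` class are constructed for the example. The PR states that `JmsBinding` throws `IllegalStateException`; exactly how the consumer template surfaces it (raw or wrapped) is not specified by the PR, so the consumer-side catch is deliberately broad.

```java
import java.io.Serializable;

import jakarta.jms.Connection;
import jakarta.jms.ConnectionFactory;
import jakarta.jms.Session;

import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.camel.CamelContext;
import org.apache.camel.CamelExecutionException;
import org.apache.camel.ConsumerTemplate;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.component.jms.JmsComponent;
import org.apache.camel.component.jms.JmsConstants;
import org.apache.camel.component.jms.JmsMessageType;
import org.apache.camel.impl.DefaultCamelContext;

/**
 * Added example (hypothetical class, not part of the Camel PR): shows the
 * default-disabled ObjectMessage behaviour and the per-endpoint opt-in.
 */
public class ObjectMessageOptInDemo {

    // Constructed sample payload; being Serializable it selects jmsMessageType=Object.
    record Order(String id, int qty) implements Serializable {}

    public static void main(String[] args) throws Exception {
        // Assumption: activemq-broker is on the classpath, so vm:// boots an embedded broker.
        ConnectionFactory cf = new ActiveMQConnectionFactory("vm://localhost?broker.persistent=false");

        try (CamelContext ctx = new DefaultCamelContext()) {
            // Registered with the new default: objectMessageEnabled=false.
            ctx.addComponent("jms", JmsComponent.jmsComponentAutoAcknowledge(cf));
            ctx.start();
            ProducerTemplate producer = ctx.createProducerTemplate();
            ConsumerTemplate consumer = ctx.createConsumerTemplate();

            // 1. Producer side, default: JmsBinding refuses to build an ObjectMessage,
            //    whether the type is auto-detected or forced through the header.
            try {
                producer.sendBodyAndHeader("jms:queue:orders", new Order("A1", 3),
                        JmsConstants.JMS_MESSAGE_TYPE, JmsMessageType.Object);
                throw new AssertionError("expected ObjectMessage creation to be refused");
            } catch (CamelExecutionException e) {
                // Cause is the IllegalStateException described in the PR.
                System.out.println("producer refused: " + e.getCause().getMessage());
            }

            // 2. A foreign JMS client can still put an ObjectMessage on the queue;
            //    the consumer-side check exists precisely for that case.
            try (Connection conn = cf.createConnection()) {
                Session s = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
                s.createProducer(s.createQueue("orders"))
                        .send(s.createObjectMessage(new Order("B2", 1)));
            }

            // 3. Consumer side, default: the message is received, but extracting
            //    its body is refused before any deserialization happens.
            try {
                consumer.receiveBody("jms:queue:orders", 5000, Order.class);
                throw new AssertionError("expected ObjectMessage body extraction to be refused");
            } catch (RuntimeException e) {
                // IllegalStateException from JmsBinding, possibly wrapped by the template.
                System.out.println("consumer refused: " + e.getMessage());
            }

            // 4. Explicit opt-in per endpoint: both directions work again.
            producer.sendBodyAndHeader("jms:queue:orders?objectMessageEnabled=true",
                    new Order("C3", 2), JmsConstants.JMS_MESSAGE_TYPE, JmsMessageType.Object);
            Order got = consumer.receiveBody("jms:queue:orders?objectMessageEnabled=true",
                    5000, Order.class);
            System.out.println("opted-in consumer got " + got);

            // Component-wide opt-in (same effect as camel.component.jms.objectMessageEnabled=true)
            // has to be applied before endpoints are created:
            //   JmsComponent jms = JmsComponent.jmsComponentAutoAcknowledge(cf);
            //   jms.setObjectMessageEnabled(true);
            //   ctx.addComponent("jms", jms);
        }
    }
}
```

Opting in re-enables Java deserialization of whatever a sender puts on the queue, so scope it to the endpoints that really need it rather than component-wide. Note also that with ActiveMQ Classic the client library applies its own trusted-packages allow-list when an `ObjectMessage` body is read, so after opting in at the Camel level the class may still have to be permitted there.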