
[backport camel-4.14.x] CAMEL-23373: camel-jms - Disable ObjectMessage by default#22920

Merged
oscerd merged 2 commits into apache:camel-4.14.x from oscerd:backport/22866-to-camel-4.14.x
May 5, 2026

Conversation

oscerd (Contributor) commented May 4, 2026

Backport of #22866

Cherry-pick of #22866 onto camel-4.14.x.

Original PR: #22866 - CAMEL-23373: camel-jms - Disable ObjectMessage by default
Original author: @oscerd
Target branch: camel-4.14.x
Companion backport: #22918 (onto camel-4.18.x)

Conflict resolution notes

camel-4.14.x does not yet carry the security-options infrastructure introduced on main, and the EndpointUriFactory SPI has a different signature, so the cherry-pick required a few manual adjustments:

  • Dropped the security = "insecure:serialization" attribute from @UriParam annotations on objectMessageEnabled, transferException, and transferExchange in JmsConfiguration (the attribute does not exist on 4.14.x).
  • Dropped the regenerated core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java (registry not present on 4.14.x).
  • On 4.14.x EndpointUriFactory#multiValuePrefixes() returns Set<String> rather than Map<String, String>. The cherry-pick brought over the newer Map-based generated *EndpointUriFactory files; replaced them with the 4.14.x-style baseline plus a props.add("objectMessageEnabled") line and an updated HashSet capacity.
  • Re-ran the catalog generator on the backport so all component descriptors and DSL builders match the 4.14.8-SNAPSHOT source. This also strips the "security": "insecure:serialization" JSON keys (the 4.14.x catalog format does not declare them).
  • Moved the upgrade-guide content from the (non-existent on 4.14.x) camel-4x-upgrade-guide-4_21.adoc into a new Upgrading from 4.14.7 to 4.14.8 section of camel-4x-upgrade-guide-4_14.adoc.

The functional behavior matches the original PR: objectMessageEnabled defaults to false, JmsBinding refuses to create or read jakarta.jms.ObjectMessage instances unless the option is enabled, all existing tests that rely on ObjectMessage opt in via setObjectMessageEnabled(true) (or ?objectMessageEnabled=true), and the new JmsObjectMessageEnabledTest covers default-disabled producer / consumer paths.

Sanity build

  • mvn -pl :camel-jms -am -DskipTests=true install — green
  • mvn -pl :camel-activemq,:camel-activemq6,:camel-amqp,:camel-catalog -am -DskipTests=true install — green

Original description

Summary

Resolves CAMEL-23373. Disables creation and reading of jakarta.jms.ObjectMessage by default in camel-jms and adds a new objectMessageEnabled option (default false) to opt back in at the component or endpoint level.

Java object serialization over JMS is rarely used in practice and is a recurring source of security advisories — the goal is to reduce the default attack surface and keep the feature available for users who explicitly need it.

Behavior

When objectMessageEnabled=false (the new default), JmsBinding refuses to:

  • create an ObjectMessage from a Serializable body (auto-detected jmsMessageType=Object or explicitly set)
  • create an ObjectMessage for transferExchange or transferException replies
  • extract the body of a received ObjectMessage

In each case, IllegalStateException is thrown with a message pointing the user at how to enable the option:

JMS ObjectMessage is disabled by default for security reasons (...). Set objectMessageEnabled=true on the JMS endpoint or component to enable it.

To restore the previous behavior:

camel.component.jms.objectMessageEnabled=true

or per endpoint: jms:queue:foo?objectMessageEnabled=true.

🤖 Claude Code on behalf of Andrea Cosentino
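As an added illustration (not code from this PR or the Camel project), the Java DSL below runs one route under the new secure default and a second pair of routes that opt in per endpoint, with the IllegalStateException surfaced in the logs so operators can see which flow still depends on Java serialization. The broker URL, queue names, the Artemis ConnectionFactory and the Order payload are assumptions.

```java
import jakarta.jms.ConnectionFactory;
import java.io.Serializable;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory; // assumed broker client
import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jms.JmsComponent;
import org.apache.camel.impl.DefaultCamelContext;

public class ObjectMessageOptInExample {
    // Constructed sample payload: a Serializable POJO that camel-jms used to
    // auto-map to a jakarta.jms.ObjectMessage (jmsMessageType=Object).
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String id;
        public Order(String id) { this.id = id; }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a local Artemis broker; any jakarta.jms ConnectionFactory works.
        ConnectionFactory cf = new ActiveMQConnectionFactory("tcp://localhost:61616");
        try (CamelContext ctx = new DefaultCamelContext()) {
            // After CAMEL-23373 the component default is objectMessageEnabled=false,
            // so nothing has to be set here to stay in the secure configuration.
            ctx.addComponent("jms", JmsComponent.jmsComponentAutoAcknowledge(cf));
            ctx.addRoutes(new RouteBuilder() {
                @Override
                public void configure() {
                    // Surface the refusal in the logs instead of propagating it to the
                    // caller; the Serializable body never reaches the broker.
                    onException(IllegalStateException.class)
                        .handled(true)
                        .log("camel-jms refused ObjectMessage: ${exception.message}");
                    // Secure default: JmsBinding rejects the Serializable body
                    // before any ObjectMessage is created.
                    from("direct:secure").to("jms:queue:orders");
                    // Explicit per-endpoint opt-in, scoped to the one producer/consumer
                    // pair that still needs Java serialization.
                    from("direct:legacy").to("jms:queue:legacyOrders?objectMessageEnabled=true");
                    from("jms:queue:legacyOrders?objectMessageEnabled=true").log("received ${body}");
                }
            });
            ctx.start();
            var pt = ctx.createProducerTemplate();
            pt.sendBody("direct:secure", new Order("A-1")); // refused by JmsBinding, logged
            pt.sendBody("direct:legacy", new Order("A-2")); // delivered as ObjectMessage
        }
    }
}
```

The component-wide equivalent of the endpoint option is the camel.component.jms.objectMessageEnabled=true property quoted above; prefer the per-endpoint form so the opt-in stays confined to the flows that need it.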

* CAMEL-23373: camel-jms - Disable ObjectMessage by default

Java object serialization over JMS is rarely used in practice and is a
recurring source of security advisories. Disable creation and reading
of jakarta.jms.ObjectMessage by default and add a new objectMessageEnabled
option (default false) on JmsConfiguration / JmsComponent / JmsEndpoint
to opt back in.

When disabled, JmsBinding now refuses to:

- create an ObjectMessage from a Serializable body (auto-detected
  jmsMessageType=Object or explicitly set)
- create an ObjectMessage for transferExchange or transferException
- extract the body of a received ObjectMessage

Existing tests that rely on ObjectMessage have been updated to opt in.
A new JmsObjectMessageEnabledTest validates the default disabled
behavior on producer and consumer side, and JmsBindingTest covers the
unit-level checks. Documentation updated in the 4.21 upgrade guide.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>

* CAMEL-23373: Regenerate camel-jms / camel-activemq* / camel-amqp DSL builders

The componentdsl and endpointdsl builder factories for camel-jms and the
JMS-derived components (camel-activemq, camel-activemq6, camel-amqp) needed
to be regenerated to expose the new objectMessageEnabled option in the
fluent DSL. These are generated files only; no hand-written code changed.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>

---------

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd merged commit 75d7991 into apache:camel-4.14.x May 5, 2026
3 checks passed