Switch to an allow list of protocols for JNDI (#2422)

(cherry picked from commit e60a4cd)

Author: coheigea

rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java

@@ -18,6 +18,8 @@
  */
 package org.apache.cxf.transport.jms.util;
 
+import java.util.Arrays;
+import java.util.List;
 import java.util.Properties;
 
 import javax.naming.Context;
@@ -27,6 +29,8 @@
 
 public class JndiHelper {
 
+    private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList(
+        "vm://", "tcp://", "nio://", "ssl://", "http://", "https://", "ws://", "wss://");
     private Properties environment;
 
     /**
@@ -37,8 +41,7 @@ public JndiHelper(Properties environment) {
 
         // Avoid unsafe protocols if they are somehow misconfigured
         String providerUrl = environment.getProperty(Context.PROVIDER_URL);
-        if (providerUrl != null && (providerUrl.startsWith("ldap://")
-                || providerUrl.startsWith("rmi://"))) {
+        if (providerUrl != null && !ALLOWED_PROTOCOLS.stream().anyMatch(providerUrl::startsWith)) {
             throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
         }
     }