ARTEMIS-4167 Enhanced deserialization filter

[swerner0]

Now that Artemis is Java 11+ compatible, there is now the ability to set an ObjectInputFilter on an ObjectInputStream. This allows us to write more advanced filter patterns or plug-in our own object filter implementation.

[jbertram]

The links here should likely refer to the Java 11 documentation (e.g. https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html).

[jbertram]

A simple example and a blurb to compare & contrast this approach against the existing approach would help users choose what's best for their use-case.

[swerner0]

Sorry, running 17 locally so is the one I'm always referencing. Will update the link.

[swerner0]

I can add a compare and contrast

[gemmellr]

Including any details around the impact (e.g precedence) if more than one of the now-several options is specified would also be good. Or else saying, and enforcing, that you cant specify the different approaches at the same time.

[swerner0]

Do you want to continue to support the allow/denyList and custom inputstream? We can say they are deprecated in favor of the new at some point, and list an order of execution if both are specified, although that would be frowned upon

[gemmellr]

Regardless how quickly we were to remove the old one, both will be there until then and so what it does or allows / not should be clear and documented. Its not even clear currently what would happen between the 2 new options, or their system properties, let alone once you consider any mix with the older existing stuff.

Even if we deprecate the old, I dont see us removing the old bits particularly quickly (or ever for 2.x) given it is all anyone has ever used, and in many cases will likely continue to use right up until it goes away. We also just deprecated the original names to replace with allow/deny, so would seems especially unfair to then quickly require another update for the same functionality for anyone that did already adapt to that.

[jbertram]

Neither of these system properties are documented as far as I can tell.

[swerner0]

I wasn't sure the best way of relaying the information as the URL, system properties and resource adapter had separate sections. I stated Configure the same way via url, system properties, resource adapter, or set directly on ActiveMQConnectionFactory in hopes they would know what to do by looking above and substituting denyList or allowList with the one of the two new variable names

[gemmellr]

I dont really see a need to include 'Now that Apache ActiveMQ Artemis requires a minimum JVM version of 11'. It conveys nothing particularly useful or necessary about the functionality. Its also just going to go stale.

Simply stating that you can pass a filter string / class name to leverage the built in ObjectInputFilter support is all thats needed.

[gemmellr]

Just as Justin didnt really like "serialFilter" originally on the earlier PR (#4368), I still cant say I am a fan of it.

The more fully elaborated deserializationFilter name would seem more obvious to me.

[swerner0]

I agree, but I was trying to stay consistent with the Oracle system wide property of jdk.serialFilter

[gemmellr]

First time that has been mentioned in >18 months, even when you agreed with Justin and said you were renaming it hehe.

I'm not sure that should be a goal personally. Switching to deserializationFilter from deserializationAllowList and deserializationDenyList seems more obvious, and would be more consistent between themselves whilst both are around.

Thoughts @jbertram ?

[gemmellr]

Including any details around the impact (e.g precedence) if more than one of the now-several options is specified would also be good. Or else saying, and enforcing, that you cant specify the different approaches at the same time.