[ANNOUNCE] Apache Flex BlazeDS 4.7.3


[ANNOUNCE] Apache Flex BlazeDS 4.7.3

Christofer Dutz
Hi all,

I am pleased to announce the release of Apache Flex BlazeDS 4.7.3.

Apache Flex BlazeDS 4.7.3 is an update to 4.7.2 which adds a new
blazeds-spring-boot-starter module for easily setting up a BlazeDS server with
Spring Boot.

It also provides Maven archetypes for easily creating new spring-boot projects that
make use of BlazeDS.

We also did quite a lot of fine-tuning of the security default settings to make BlazeDS
more secure.

Starting with 4.7.3 BlazeDS Deserialization of XML is disabled completely per default
but can easily be enabled in your services-config.xml:

    <channels>
        <channel-definition id="amf" class="mx.messaging.channels.AMFChannel">
            <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
                      class="flex.messaging.endpoints.AMFEndpoint"/>
            <properties>
                <serialization>
                    <allow-xml>true</allow-xml>
                </serialization>
            </properties>
        </channel-definition>
    </channels>

Also, we now enable the ClassDeserializationValidator per default to only allow
deserialization of whitelisted classes. BlazeDS internally comes with the following
whitelist:

    flex.messaging.io.amf.ASObject
    flex.messaging.io.amf.SerializedObject
    flex.messaging.io.ArrayCollection
    flex.messaging.io.ArrayList
    flex.messaging.messages.AcknowledgeMessage
    flex.messaging.messages.AcknowledgeMessageExt
    flex.messaging.messages.AsyncMessage
    flex.messaging.messages.AsyncMessageExt
    flex.messaging.messages.CommandMessage
    flex.messaging.messages.CommandMessageExt
    flex.messaging.messages.ErrorMessage
    flex.messaging.messages.HTTPMessage
    flex.messaging.messages.RemotingMessage
    flex.messaging.messages.SOAPMessage
    java.lang.Boolean
    java.lang.Byte
    java.lang.Character
    java.lang.Double
    java.lang.Float
    java.lang.Integer
    java.lang.Long
    java.lang.Object
    java.lang.Short
    java.lang.String
    java.util.ArrayList
    java.util.Date
    java.util.HashMap
    org.w3c.dom.Document

If you need to deserialize any other classes, be sure to register them in your
services-config.xml:

    <validators>
        <validator class="flex.messaging.validators.ClassDeserializationValidator">
            <properties>
                <allow-classes>
                    <class name="org.mycoolproject.*"/>
                    <class name="flex.messaging.messages.*"/>
                    <class name="flex.messaging.io.amf.ASObject"/>
                </allow-classes>
            </properties>
        </validator>
    </validators>

(Beware, by manually providing a whitelist the default whitelist is disabled)

Known Issues
_____________
FLEX-34648 Memory Leak occurred in AsyncMessage when sending a lot of messages

Chris
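
Added example, not part of the original announcement or of the BlazeDS code base: a small audit of a services-config.xml that lists which entries of the default whitelist above are no longer named once a custom `<allow-classes>` list replaces it, and which channels have `<allow-xml>` switched on. The `*` matching rule, the function names and the sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Default whitelist exactly as listed in the announcement above.
DEFAULT_WHITELIST = """
flex.messaging.io.amf.ASObject flex.messaging.io.amf.SerializedObject
flex.messaging.io.ArrayCollection flex.messaging.io.ArrayList
flex.messaging.messages.AcknowledgeMessage flex.messaging.messages.AcknowledgeMessageExt
flex.messaging.messages.AsyncMessage flex.messaging.messages.AsyncMessageExt
flex.messaging.messages.CommandMessage flex.messaging.messages.CommandMessageExt
flex.messaging.messages.ErrorMessage flex.messaging.messages.HTTPMessage
flex.messaging.messages.RemotingMessage flex.messaging.messages.SOAPMessage
java.lang.Boolean java.lang.Byte java.lang.Character java.lang.Double java.lang.Float
java.lang.Integer java.lang.Long java.lang.Object java.lang.Short java.lang.String
java.util.ArrayList java.util.Date java.util.HashMap org.w3c.dom.Document
""".split()
VALIDATOR = "flex.messaging.validators.ClassDeserializationValidator"

def matches(pattern, name):
    # Assumption: '*' is the only wildcard and stands for any run of characters.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), name) is not None

def audit(config_xml):
    """Report custom allow-classes, default entries they drop, and allow-xml channels."""
    root = ET.fromstring(config_xml)  # local, trusted configuration file
    patterns = [c.get("name") for v in root.iter("validator")
                if v.get("class") == VALIDATOR
                for c in v.iter("class") if c.get("name")]
    # Per the announcement, any custom list replaces the default list entirely.
    dropped = [n for n in DEFAULT_WHITELIST
               if patterns and not any(matches(p, n) for p in patterns)]
    xml_on = [ch.get("id") for ch in root.iter("channel-definition")
              if any((e.text or "").strip().lower() == "true" for e in ch.iter("allow-xml"))]
    return {"patterns": patterns, "dropped_defaults": dropped, "allow_xml_channels": xml_on}

# Constructed sample: the two fragments from the announcement under one root element.
SAMPLE = """<services-config>
  <channels><channel-definition id="amf" class="mx.messaging.channels.AMFChannel">
    <properties><serialization><allow-xml>true</allow-xml></serialization></properties>
  </channel-definition></channels>
  <validators><validator class="flex.messaging.validators.ClassDeserializationValidator">
    <properties><allow-classes>
      <class name="org.mycoolproject.*"/>
      <class name="flex.messaging.messages.*"/>
      <class name="flex.messaging.io.amf.ASObject"/>
    </allow-classes></properties>
  </validator></validators>
</services-config>"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(len(report["dropped_defaults"]), "default entries dropped:", report["dropped_defaults"])
    print("allow-xml enabled on:", report["allow_xml_channels"])
```

Whether a dropped entry matters depends on what the application actually deserializes; the report only shows the difference between the two lists.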

Re: [ANNOUNCE] Apache Flex BlazeDS 4.7.3

sebb
What is the project about? Why should I be interested in it?
[rhetorical questions]

The Announce emails are sent to people not on the developer or user lists.
Most will have no idea what the project is about.

So the e-mails should contain at least brief details of what the
product does, and some info on why the new release might be of
interest to them.

Readers should not have to click the link to find out the basic information
(although of course it is useful to have such links for further detail).

Please can you add that information to future announce mails?

Thanks.


On 31 March 2017 at 15:26, Christofer Dutz <[hidden email]> wrote:

> Hi all,
>
> I am pleased to announce the release of Apache Flex BlazeDS 4.7.3.
>
> Apache Flex BlazeDS 4.7.3 is an update to 4.7.2 which adds a new
> blazeds-spring-boot-starter module for easily setting up a BlazeDS server with
> Spring Boot.
>
> It also provides Maven archetypes for easily creating new spring-boot project that
> make use of BlazeDS.
>
> We also did quite a lot of fine-tuning of the security default settings to make BlazeDS
> more secure.
>
> Starting with 4.7.3 BlazeDS Deserialization of XML is disabled completely per default
> but can easily be enabled in your services-config.xml:
>
>     <channels>
>         <channel-definition id="amf" class="mx.messaging.channels.AMFChannel">
>             <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
>                       class="flex.messaging.endpoints.AMFEndpoint"/>
>             <properties>
>                 <serialization>
>                     <allow-xml>true</allow-xml>
>                 </serialization>
>             </properties>
>         </channel-definition>
>     </channels>
>
> Also, we now enable the ClassDeserializationValidator per default to only allow
> deserialization of whitelisted classes. BlazeDS internally comes with the following
> whitelist:
>
>     flex.messaging.io.amf.ASObject
>     flex.messaging.io.amf.SerializedObject
>     flex.messaging.io.ArrayCollection
>     flex.messaging.io.ArrayList
>     flex.messaging.messages.AcknowledgeMessage
>     flex.messaging.messages.AcknowledgeMessageExt
>     flex.messaging.messages.AsyncMessage
>     flex.messaging.messages.AsyncMessageExt
>     flex.messaging.messages.CommandMessage
>     flex.messaging.messages.CommandMessageExt
>     flex.messaging.messages.ErrorMessage
>     flex.messaging.messages.HTTPMessage
>     flex.messaging.messages.RemotingMessage
>     flex.messaging.messages.SOAPMessage
>     java.lang.Boolean
>     java.lang.Byte
>     java.lang.Character
>     java.lang.Double
>     java.lang.Float
>     java.lang.Integer
>     java.lang.Long
>     java.lang.Object
>     java.lang.Short
>     java.lang.String
>     java.util.ArrayList
>     java.util.Date
>     java.util.HashMap
>     org.w3c.dom.Document
>
> If you need to deserialize any other classes, be sure to register them in your
> services-config.xml:
>
>     <validators>
>         <validator class="flex.messaging.validators.ClassDeserializationValidator">
>             <properties>
>                 <allow-classes>
>                     <class name="org.mycoolproject.*"/>
>                     <class name="flex.messaging.messages.*"/>
>                     <class name="flex.messaging.io.amf.ASObject"/>
>                 </allow-classes>
>             </properties>
>         </validator>
>     </validators>
>
> (Beware, by manually providing a whitelist the default whitelist is disabled)
>
> Known Issues
> _____________
> FLEX-34648 Memory Leak occurred in AsyncMessage when sending a lot of messages
>
> Chris