Posted to users@flex.apache.org by Christofer Dutz <ch...@c-ware.de> on 2017/03/31 14:03:51 UTC
[ANNOUNCE] Apache Flex BlazeDS 4.7.3
Hi all,
I am pleased to announce the release of Apache Flex BlazeDS 4.7.3.
Apache Flex BlazeDS 4.7.3 is an update to 4.7.2 which adds a new
blazeds-spring-boot-starter module for easily setting up a BlazeDS server with
Spring Boot.
It also provides Maven archetypes for easily creating new Spring Boot projects that
make use of BlazeDS.
We also did quite a lot of fine-tuning of the security default settings to make BlazeDS
more secure.
Starting with 4.7.3, BlazeDS deserialization of XML is disabled completely by default
but can easily be enabled in your services-config.xml:
<channels>
  <channel-definition id="amf" class="mx.messaging.channels.AMFChannel">
    <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
              class="flex.messaging.endpoints.AMFEndpoint"/>
    <properties>
      <serialization>
        <allow-xml>true</allow-xml>
      </serialization>
    </properties>
  </channel-definition>
</channels>
Also, we now enable the ClassDeserializationValidator by default to only allow
deserialization of whitelisted classes. BlazeDS internally comes with the following
whitelist:
flex.messaging.io.amf.ASObject
flex.messaging.io.amf.SerializedObject
flex.messaging.io.ArrayCollection
flex.messaging.io.ArrayList
flex.messaging.messages.AcknowledgeMessage
flex.messaging.messages.AcknowledgeMessageExt
flex.messaging.messages.AsyncMessage
flex.messaging.messages.AsyncMessageExt
flex.messaging.messages.CommandMessage
flex.messaging.messages.CommandMessageExt
flex.messaging.messages.ErrorMessage
flex.messaging.messages.HTTPMessage
flex.messaging.messages.RemotingMessage
flex.messaging.messages.SOAPMessage
java.lang.Boolean
java.lang.Byte
java.lang.Character
java.lang.Double
java.lang.Float
java.lang.Integer
java.lang.Long
java.lang.Object
java.lang.Short
java.lang.String
java.util.ArrayList
java.util.Date
java.util.HashMap
org.w3c.dom.Document
If you need to deserialize any other classes, be sure to register them in your
services-config.xml:
<validators>
  <validator class="flex.messaging.validators.ClassDeserializationValidator">
    <properties>
      <allow-classes>
        <class name="org.mycoolproject.*"/>
        <class name="flex.messaging.messages.*"/>
        <class name="flex.messaging.io.amf.ASObject"/>
      </allow-classes>
    </properties>
  </validator>
</validators>
(Beware, by manually providing a whitelist the default whitelist is disabled)
Known Issues
_____________
FLEX-34648 Memory Leak occurred in AsyncMessage when sending a lot of messages
Chris