Allowlisting in IBM MQ classes for JMS

The Java object serialization and deserialization mechanism has been identified as a potential security risk. Allowlisting in IBM MQ classes for JMS provides a degree of protection against some of the risks that serialization poses.

Note: Wherever possible, the term allowlist has replaced the term whitelist.

The Java object serialization and deserialization mechanism has been identified as a potential security risk because deserialization instantiates arbitrary Java objects, so maliciously crafted data sent to a consumer has the potential to cause various problems. One notable application of serialization is in Java Message Service (JMS) ObjectMessages, which use serialization to encapsulate and transfer arbitrary objects.

Serialization allowlisting is a potential mitigation against some of the risks that serialization poses. By explicitly specifying which classes can be encapsulated in, and extracted from, ObjectMessages, allowlisting ensures that a consumer rejects any payload class that has not been permitted, which provides a degree of protection against some serialization risks.
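The following added example illustrates the allowlisting principle described above using the JDK's own java.io.ObjectInputFilter; it is not IBM MQ code and does not show how the IBM MQ classes for JMS configure their allowlist. The OrderEvent class, the allowlist patterns and both payloads are constructed for the illustration.

```java
import java.io.*;

public class AllowlistDemo {
    // Constructed payload type that the consuming application is expected to handle.
    static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Constructed allowlist in JDK filter-pattern syntax: the listed class names are
    // allowed, and the trailing "!*" rejects every class that matched nothing before it.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "AllowlistDemo$OrderEvent;java.lang.*;!*");

    // Stands in for the producer side: the object is serialized into a byte payload.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Stands in for the consumer side: the filter is installed on the stream before
    // readObject(), so a disallowed class is refused before any instance is created.
    static Object deserializeWithAllowlist(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Permitted class: deserialization proceeds normally.
        OrderEvent ok = (OrderEvent) deserializeWithAllowlist(serialize(new OrderEvent("A-1001")));
        System.out.println("accepted: " + ok.orderId);

        // Class not on the allowlist (HashMap stands in for any unexpected type): the JDK
        // throws InvalidClassException with filter status REJECTED instead of instantiating it.
        try {
            deserializeWithAllowlist(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later, where ObjectInputStream.setObjectInputFilter is available.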


Allowlisting in IBM MQ classes for JMS

See:

  • Allowlisting concepts
    In IBM MQ classes for JMS, support for allowlisting of classes in the implementation of the JMS ObjectMessage interface provides a potential mitigation against some of the security risks that potentially relate to the Java object serialization and deserialization mechanism.
  • Setting up and using a JMS allowlist
    This information tells you how an allowlist works, and how to set one up using the functionality in the IBM MQ classes for JMS to generate an allowlist file, which lists the types of ObjectMessages that an application can process.
  • Allowlisting in WebSphere Application Server
    How to use IBM MQ classes for JMS allowlisting in WebSphere Application Server.

Parent topic: Use IBM MQ classes for JMS


Last updated: 2020-10-04