用于RabbitMQ的Spring Boot可信软件包

Question

We're building a Spring Boot application (2.0.4-RELEASE) that receives messages via RabbitMQ. 我们正在构建一个Spring Boot应用程序（2.0.4-RELEASE），该应用程序通过RabbitMQ接收消息。 Hence the application.properties contains the rabbit related config: 因此， application.properties包含与Rabbit相关的配置：

spring.rabbitmq.addresses=****
spring.rabbitmq.username=****
spring.rabbitmq.password=****
spring.rabbitmq.listener.simple.concurrency=2
spring.rabbitmq.listener.simple.prefetch=5
spring.rabbitmq.listener.simple.retry.enabled=true
spring.rabbitmq.listener.simple.retry.max-attempts=5

Configuration: 组态：

@Bean
public TopicExchange fileUpdate() {
    return new TopicExchange("my.fancy.exchange", true, false);
}

@Bean
public Queue fileUpload() {
    return new Queue("myFancyQueue", true);
}

@Bean
public Binding bindingUpload(Queue queue, TopicExchange eventExchange) {
    return BindingBuilder.bind(queue).to(eventExchange).with("");
}

Message Consumer: 消息使用者：

@RabbitListener(queues = "myFancyQueue")
public void receive(Object message) {
    ...
}

When receiving a message of a specific type (eg __TypeId__: my.fancy.package.Clazz ) the following error is thrown: 收到特定类型的消息（例如__TypeId__: my.fancy.package.Clazz ）时，将引发以下错误：

Caused by: java.lang.IllegalArgumentException: The class 'my.fancy.package.Clazz' is not in the trusted packages: [java.util, java.lang]. 原因：java.lang.IllegalArgumentException：类'my.fancy.package.Clazz'不在受信任的程序包中：[java.util，java.lang]。 If you believe this class is safe to deserialize, please provide its name. 如果您认为该类别可以安全地反序列化，请提供其名称。 If the serialization is only done by a trusted source, you can also enable trust all (*). 如果序列化仅由受信任的源完成，则还可以启用全部信任（*）。

From what I've discovered so far activeMQ provides a configuration option for that through the application.properties as 到目前为止，我发现activeMQ通过application.properties为它提供了一个配置选项，如下所示：

spring.activemq.packages.trust-all=

or 要么

spring.activemq.packages.trusted=

but I can't find any similar option that would work for rabbitMQ. 但我找不到适用于RabbitMQ的任何类似选项。 So far I've been using a workaround that solves my problem but of course it would be great to have an option like that in the configuration file. 到目前为止，我一直在使用一种解决方法来解决我的问题，但是在配置文件中当然也可以有这样的选项。

My solution so far: 到目前为止，我的解决方案：

Adding to the configuration class: 添加到配置类：

@Bean
public MessageConverter jsonMessageConverter() {
    Jackson2JsonMessageConverter jsonMessageConverter = new Jackson2JsonMessageConverter(new ObjectMapper());
    jsonMessageConverter.setClassMapper(new ImporterClassMapper(FileUploadMessage.class));        
    return jsonMessageConverter;
}

@Bean
public RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory) {
    RabbitTemplate template = new RabbitTemplate(connectionFactory);
    template.setMessageConverter(jsonMessageConverter());
    return template;
}

And changing the message consumer to 并将消息使用者更改为

@Resource(name = "jsonMessageConverter")
private MessageConverter messageConverter;

@RabbitListener(queues = "${uploaded.files.queue}")
public void receive(Message message) {
    FileUploadMessage uploadMessage = (FileUploadMessage) messageConverter.fromMessage(message);
    ...
}

Plus adding a class mapper that allows unkown types to be imported and sets a default type to which messages should be cast to on import: 加上添加一个类映射器，该类映射器允许导入未知类型，并设置导入时将消息强制转换为的默认类型：

public class ImporterClassMapper implements ClassMapper, InitializingBean {

    private volatile Class<?> defaultType;

    public ImporterClassMapper(Class<?> defaultType) {
        this.defaultType = defaultType;
    }    

    @Override
    public void afterPropertiesSet() throws Exception {
        // nothing to do
    }

    @Override
    public void fromClass(Class<?> clazz, MessageProperties properties) {
        // avoid setting __TypeId__ header so consumers from other modules can implement their own DTOs
    }

    @Override
    public Class<?> toClass(MessageProperties properties) {
        return this.defaultType;
    }

    public void setClass(Class<?> type) {
        this.defaultType = type;
    }
}

Any advise on how to improve this solution? 对如何改进此解决方案有何建议？

Answer 1

I fixed the same error by setting trusted packages on the Spring AMQP ClassMapper being used. 我通过在使用的Spring AMQP ClassMapper上设置受信任的软件包来修复了相同的错误。

@Configuration
public class RabbitConfig {

    @Bean
    @Scope("prototype")
    public SimpleRabbitListenerContainerFactory rabbitListenerContainerFactory(SimpleRabbitListenerContainerFactory factory, ObjectMapper objectMapper) {
        factory.setMessageConverter(jsonToMapMessageConverter(objectMapper));
        return factory;
    }

    @Bean
    public MessageConverter jsonToMapMessageConverter(ObjectMapper objectMapper) {
        Jackson2JsonMessageConverter messageConverter = new ImplicitJsonMessageConverter(objectMapper);
        DefaultClassMapper classMapper = new DefaultClassMapper();
        classMapper.setTrustedPackages("*");
        classMapper.setDefaultType(Map.class);
        messageConverter.setClassMapper(classMapper);
        return messageConverter;
    }

    public static class ImplicitJsonMessageConverter extends Jackson2JsonMessageConverter {    
        public ImplicitJsonMessageConverter(ObjectMapper jsonObjectMapper) {
            super(jsonObjectMapper, "*");
        }    
        @Override
        public Object fromMessage(Message message) throws MessageConversionException {
            message.getMessageProperties().setContentType("application/json");
            return super.fromMessage(message);
        }
    }
}

用于RabbitMQ的Spring Boot可信软件包

问题描述

1 个解决方案

解决方案1
2 已采纳 2018-08-31 10:07:03

用于RabbitMQ的Spring Boot可信软件包

问题描述

1 个解决方案

解决方案1 2 已采纳 2018-08-31 10:07:03

解决方案1
2 已采纳 2018-08-31 10:07:03