Matt Pavlovich
There is a value in defense in depth. Attackers are scanning source code trees looking for unprotected deserialization and then crafting entry points. While the config is stored on a...
I agree w/ @cshannon here. There should be a setting to support honoring a valid list of package names -- there could even be an out-of-the-box default end-users could use...
What is the status of Unicode support in JAXB?
Possible approach -- ship a default XmlAdapter
```
javax.xml.bind.annotation.adapters.UnicodeStringAdapter implements XmlAdapter
```
dtd-parser rather
```
[INFO] +- org.glassfish.jaxb:jaxb-xjc:jar:3.0.2:compile
[INFO] | +- org.glassfish.jaxb:xsom:jar:3.0.2:compile
[INFO] | | \- com.sun.xml.bind.external:relaxng-datatype:jar:3.0.2:compile
[INFO] | +- org.glassfish.jaxb:codemodel:jar:3.0.2:compile
[INFO] | +- com.sun.xml.bind.external:rngom:jar:3.0.2:compile
[INFO] | +- com.sun.xml.dtd-parser:dtd-parser:jar:1.4.5:compile
[INFO] | \-...
```
Hmm.. looks like jaxb-ri/xjc has a direct dependency on both dtd-parser and istack-commons-tools
```
...
com.sun.xml.dtd-parser dtd-parser
com.sun.istack istack-commons-tools
...
```
ref: https://github.com/eclipse-ee4j/jaxb-ri/blob/57ebae184cfd23497f8ec502cb3283e5bac0768c/jaxb-ri/xjc/pom.xml#L86
My view on BOM use cases:
1. jaxb-api, jaxb-impl users (need the JAXB API, JAXB impl and transitive deps for doing marshal/unmarshal of XML Java).
2. xjc schema-to-code generating users....
@wilkinsona Thanks for the ping. Yes, I plan to get this wrapped up. What is the timeframe to make it in the next Spring Boot release?
@snicoll I have the WIP PR at about 80% and I'll have time to wrap this up soon. A couple ActiveMQ upstream releases are wrapping up, so I can turn...
What is a real-world use case for the proposed methods being added at the broker level?