Closed
Description
StreamMessage should use the same "white list" mechanism as ObjectMessage to avoid some arbitrary code execution on deserialization.
Even though StreamMessage is supposed to handle only primitive types, it is still possible to send a message that contains an arbitrary serializable instance. The consuming application may then execute code from this class on deserialization.
The fix consists of using the list of trusted packages that can be set at the connection factory level.
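The following is an added illustration of the "white list" mechanism the issue refers to; it is not the project's code and it does not use the project's connection-factory API. It shows the underlying JDK hook on which such a list is enforced: overriding `ObjectInputStream.resolveClass`, which is consulted for every class descriptor in the stream (including superclass descriptors such as `java.lang.Number` for the primitive wrappers) before the class is loaded. The package `com.example.demo`, the classes `TrustedPackagesObjectInputStream` and `Order`, and the use of `java.util.Date` as a stand-in for an arbitrary smuggled instance are all constructed for the example.

```java
package com.example.demo;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

public class TrustedPackagesDemo {

    // Hypothetical allow-listing stream (constructed example, not the project's code).
    // resolveClass() is called for every class descriptor read from the stream, so
    // rejecting here stops an untrusted class before it is loaded, i.e. before any
    // readObject/readResolve logic of that class could run.
    static final class TrustedPackagesObjectInputStream extends ObjectInputStream {
        // Types a primitive-only message body legitimately carries when values are
        // written through writeObject: the wrappers, their superclass Number, String,
        // and byte arrays ("[B" is the JVM name of byte[]).
        private static final List<String> ALWAYS_ALLOWED = Arrays.asList(
            "java.lang.Boolean", "java.lang.Byte", "java.lang.Short", "java.lang.Character",
            "java.lang.Integer", "java.lang.Long", "java.lang.Float", "java.lang.Double",
            "java.lang.Number", "java.lang.String", "[B");
        private final List<String> trustedPackages;

        TrustedPackagesObjectInputStream(InputStream in, List<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (ALWAYS_ALLOWED.contains(name) || inTrustedPackage(name)) {
                return super.resolveClass(desc);
            }
            throw new InvalidClassException(name, "class is not in the trusted packages list");
        }

        private boolean inTrustedPackage(String className) {
            for (String pkg : trustedPackages) {
                if (className.startsWith(pkg + ".")) {
                    return true;
                }
            }
            return false;
        }
    }

    // Constructed application type living in a trusted package.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new TrustedPackagesObjectInputStream(new ByteArrayInputStream(bytes), trusted)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> trusted = Arrays.asList("com.example.demo");

        // Accepted: a wrapper type (what a primitive-only message carries) and a class in a trusted package.
        System.out.println(deserialize(serialize(42), trusted));
        Order order = (Order) deserialize(serialize(new Order("A-1", 3)), trusted);
        System.out.println(order.id + " x" + order.quantity);

        // Rejected: any other serializable class. java.util.Date stands in for an arbitrary
        // instance placed in a message body; the stream throws before loading it.
        try {
            deserialize(serialize(new Date()), trusted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is a prefix match on the package name, so the trusted list should name specific application packages rather than broad roots such as `java` or `org`, which would re-admit the gadget-bearing classes the list is meant to exclude.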