CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/515c8221 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/515c8221 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/515c8221 Branch: refs/heads/camel-2.16.x Commit: 515c822148d52de9e7cdf4f6b01f7b793f2f273f Parents: c349d13 Author: Claus Ibsen <davscl...@apache.org> Authored: Thu Nov 12 11:18:36 2015 +0100 Committer: Claus Ibsen <davscl...@apache.org> Committed: Thu Nov 12 14:53:21 2015 +0100
----------------------------------------------------------------------
.../camel/http/common/DefaultHttpBinding.java | 38 ++++++++++++-------- .../camel/http/common/HttpCommonComponent.java | 15 ++++++++ .../camel/http/common/HttpCommonEndpoint.java | 23 +++++++++--- 3 files changed, 58 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/515c8221/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
----------------------------------------------------------------------
diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index aa6c1e7..6752f3b 100644
--- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -74,6 +74,7 @@ public class DefaultHttpBinding implements HttpBinding {
     private boolean useReaderForPayload;
     private boolean eagerCheckContentAvailable;
     private boolean transferException;
+    private boolean allowJavaSerializedObject;
     private HeaderFilterStrategy headerFilterStrategy = new HttpHeaderFilterStrategy();
 
     public DefaultHttpBinding() {
@@ -88,6 +89,7 @@ public class DefaultHttpBinding implements HttpBinding {
     public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
         this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
         this.transferException = endpoint.isTransferException();
+        this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
     }
 
     public void readRequest(HttpServletRequest request, HttpMessage message) {
@@ -151,14 +153,18 @@ public class DefaultHttpBinding implements HttpBinding {
 
         // if content type is serialized java object, then de-serialize it to a Java object
         if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
-            try {
-                InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
-                Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
-                if (object != null) {
-                    message.setBody(object);
+            if (allowJavaSerializedObject || isTransferException()) {
+                try {
+                    InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
+                    Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
+                    if (object != null) {
+                        message.setBody(object);
+                    }
+                } catch (Exception e) {
+                    throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
                 }
-            } catch (Exception e) {
-                throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
+            } else {
+                throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
             }
         }
 
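Review bot: The new assignment in the `DefaultHttpBinding(HttpCommonEndpoint)` constructor snapshots the component flag once at construction time, while the no-arg `DefaultHttpBinding()` constructor in the preceding hunk leaves `allowJavaSerializedObject` at its default `false`; unless a setter exists outside these hunks, a binding the user supplies (rather than one built from the endpoint) can only pass the new gate through `transferException`. A `setAllowJavaSerializedObject(boolean)`/`isAllowJavaSerializedObject()` pair on the binding, mirroring how `transferException` is exposed via `isTransferException()`, would make the option reachable from a custom binding. The added line also dereferences `endpoint.getComponent()` unguarded, so if an endpoint can be constructed without a component this constructor would fail with a NullPointerException rather than a descriptive error. Both constructors are complete within their hunks; `readRequest` continues outside.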
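Review bot: The gate `allowJavaSerializedObject || isTransferException()` and the rejection message `"Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed"` are written out twice, here in `readRequest` and again in the `@@ -358` hunk on the response path; since this expression is the whole policy deciding whether Java deserialization runs, it belongs in one private method so the two call sites cannot drift, e.g. `private boolean isJavaSerializedObjectAllowed() { return allowJavaSerializedObject || isTransferException(); }`. A one-line comment above the check, `// transferException deliberately widens the gate: a serialized exception must be readable on the producer side`, would also help, because the rationale is only documented on the endpoint's `transferException` option and not visible from this class. `readRequest` begins and ends outside this hunk.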
@@ -358,13 +364,17 @@ public class DefaultHttpBinding implements HttpBinding {
         // if content type is serialized Java object, then serialize and write it to the response
         String contentType = message.getHeader(Exchange.CONTENT_TYPE, String.class);
         if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
-            try {
-                Object object = message.getMandatoryBody(Serializable.class);
-                HttpHelper.writeObjectToServletResponse(response, object);
-                // object is written so return
-                return;
-            } catch (InvalidPayloadException e) {
-                throw new IOException(e);
+            if (allowJavaSerializedObject || isTransferException()) {
+                try {
+                    Object object = message.getMandatoryBody(Serializable.class);
+                    HttpHelper.writeObjectToServletResponse(response, object);
+                    // object is written so return
+                    return;
+                } catch (InvalidPayloadException e) {
+                    throw new IOException(e);
+                }
+            } else {
+                throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
             }
         }
 
http://git-wip-us.apache.org/repos/asf/camel/blob/515c8221/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
index 711a878..189c269 100644
--- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
+++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
@@ -22,6 +22,7 @@ public abstract class HttpCommonComponent extends HeaderFilterStrategyComponent
 
     protected HttpBinding httpBinding;
     protected HttpConfiguration httpConfiguration;
+    protected boolean allowJavaSerializedObject;
 
     public HttpCommonComponent(Class<? extends HttpCommonEndpoint> endpointClass) {
         super(endpointClass);
@@ -72,4 +73,18 @@ public abstract class HttpCommonComponent extends HeaderFilterStrategyComponent
         this.httpConfiguration = httpConfiguration;
     }
 
+    public boolean isAllowJavaSerializedObject() {
+        return allowJavaSerializedObject;
+    }
+
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        this.allowJavaSerializedObject = allowJavaSerializedObject;
+    }
+
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/515c8221/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
----------------------------------------------------------------------
diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
index c233e1f..e3ad200 100644
--- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
+++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
@@ -19,6 +19,7 @@ package org.apache.camel.http.common;
 import java.net.URI;
 import java.net.URISyntaxException;
 
+import org.apache.camel.Component;
 import org.apache.camel.impl.DefaultEndpoint;
 import org.apache.camel.spi.HeaderFilterStrategy;
 import org.apache.camel.spi.HeaderFilterStrategyAware;
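Review bot: The Javadoc on `setAllowJavaSerializedObject` in the `@@ -72` hunk says `context-type=application/x-java-serialized-object` where the header is `content-type`, and it describes only incoming requests, although the same flag also gates the outgoing side in `DefaultHttpBinding` (the `@@ -358` hunk, where the body is serialized via `HttpHelper.writeObjectToServletResponse`); suggested first line: `Whether to allow java serialization when a request or response uses content-type=application/x-java-serialized-object`. The new getter `isAllowJavaSerializedObject()` carries no Javadoc; a one-liner such as `/** @see #setAllowJavaSerializedObject(boolean) */` keeps the generated docs consistent with the setter. The class declaration and the remaining members lie outside both hunks.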
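Review bot: `import org.apache.camel.Component;` is added in the `@@ -19` hunk of `HttpCommonEndpoint`, but nothing in the visible hunks of that file refers to `Component` — the new `getComponent()` override in the `@@ -113` hunk returns `HttpCommonComponent`, which is in the same package — so unless the type is used elsewhere in the file this is an unused import that checkstyle would reject. If it is only there for a `{@link Component}` reference, that Javadoc is not visible in the diff; otherwise the line should be dropped.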
@@ -69,8 +70,12 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head
     int proxyPort;
     @UriParam(label = "producer", enums = "Basic,Digest,NTLM", description = "Authentication method for proxy, either as Basic, Digest or NTLM.")
     String authMethodPriority;
-    @UriParam(description = "Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server." + " This allows you to get all responses regardless of the HTTP status code.")
+    @UriParam(description = "If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized" + " in the response as a application/x-java-serialized-object content type." + " On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException." + " The caused exception is required to be serialized." + " This is by default turned off. If you enable this then be aware that Java will deserialize the incoming" + " data from the request to Java and that can be a potential security risk.")
     boolean transferException;
     @UriParam(label = "consumer", description = "Specifies whether to enable HTTP TRACE for this Jetty consumer. By default TRACE is turned off.")
@@ -113,6 +118,11 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head
         component.disconnect(consumer);
     }
 
+    @Override
+    public HttpCommonComponent getComponent() {
+        return (HttpCommonComponent) super.getComponent();
+    }
+
     public boolean isLenientProperties() {
         // true to allow dynamic URI options to be configured and passed to external system for eg. the HttpProducer
         return true;
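Review bot: The new `transferException` description in the `@@ -69` hunk has two grammar slips that will appear verbatim in the generated component documentation: `was send back serialized` should read `was sent back serialized`, and `as a application/x-java-serialized-object` should read `as an application/x-java-serialized-object`. The same text is repeated in the setter Javadoc in the `@@ -291` hunk and needs the identical fix there. The class declaration and the remaining fields lie outside this hunk.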
@@ -291,8 +301,13 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head
     }
 
     /**
-     * Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server.
-     * This allows you to get all responses regardless of the HTTP status code.
+     * If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized
+     * in the response as a application/x-java-serialized-object content type.
+     * On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException.
+     * The caused exception is required to be serialized.
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      */
     public void setTransferException(boolean transferException) {
         this.transferException = transferException;