CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/c47cffca Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/c47cffca Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/c47cffca Branch: refs/heads/master Commit: c47cffcadabca0c588753555a386942184a33627 Parents: 94330f9 Author: Claus Ibsen <davscl...@apache.org> Authored: Thu Nov 12 11:28:17 2015 +0100 Committer: Claus Ibsen <davscl...@apache.org> Committed: Thu Nov 12 14:52:46 2015 +0100 ---------------------------------------------------------------------- .../apache/camel/http/common/DefaultHttpBinding.java | 8 ++++++-- .../apache/camel/component/http/HttpComponent.java | 12 ++++++++++++ .../org/apache/camel/component/http/HttpProducer.java | 14 ++++++++++++-- 3 files changed, 30 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java ----------------------------------------------------------------------
diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index 6752f3b..9e22665 100644
--- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -89,7 +89,9 @@ public class DefaultHttpBinding implements HttpBinding {
 public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
 this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
 this.transferException = endpoint.isTransferException();
- this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+ if (endpoint.getComponent() != null) {
+ this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+ }
 }
 
 public void readRequest(HttpServletRequest request, HttpMessage message) {
@@ -153,6 +155,7 @@ public class DefaultHttpBinding implements HttpBinding {
 
 // if content type is serialized java object, then de-serialize it to a Java object
 if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
+ // only deserialize java if allowed
 if (allowJavaSerializedObject || isTransferException()) {
 try {
 InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
@@ -164,7 +167,8 @@ public class DefaultHttpBinding implements HttpBinding {
 throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
 }
 } else {
- throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
+ // set empty body
+ message.setBody(null);
 }
 }
 
http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java ----------------------------------------------------------------------
diff --git a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
index 3599c64..104ff84 100644
--- a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
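Review bot: When `endpoint.getComponent()` is null the constructor now leaves `allowJavaSerializedObject` at whatever its field declaration gives it, and that declaration is outside the hunk; the fail-closed behaviour the commit is after only holds if the field has no initializer or is initialized to `false`. A comment on the new guard would pin that intent so a later initializer change is caught in review: `// no component (binding created standalone): keep the field default, which must stay false so java deserialization is off`. The constructor is complete within the hunk.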
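Review bot: The added comment `// only deserialize java if allowed` understates the condition on the next line: `isTransferException()` on its own also enables deserialization, so an endpoint with `transferException=true` deserializes an incoming `application/x-java-serialized-object` body even when the component leaves `allowJavaSerializedObject` off. Since the HttpComponent Javadoc in this same commit describes the feature as off by default, that second path should be named where it is decided, e.g. `// deserialize only when the component allows it, or when transferException is on (that option also accepts serialized java objects)`. readRequest starts and ends outside this hunk.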
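Review bot: Replacing the `RuntimeCamelException` with `message.setBody(null)` discards a rejected serialized request body silently: the caller sees no error and nothing is logged, so a deployment receiving such payloads has no way to notice them. The last HttpProducer hunk in this commit still throws for the same condition, so the consumer and producer sides now disagree on how a disallowed body is treated. At minimum a debug log next to the new line would keep the rejection observable, e.g. `LOG.debug("Discarding body with content-type {} as java serialization is not allowed", HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);` — assuming the class has a logger field, which is not visible in the hunk. readRequest's body continues outside the hunk.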
+++ b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
@@ -337,4 +337,16 @@ public class HttpComponent extends HttpCommonComponent {
 // need to override and call super for component docs
 super.setHttpConfiguration(httpConfiguration);
 }
+
+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ @Override
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ // need to override and call super for component docs
+ super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+ }
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java ----------------------------------------------------------------------
diff --git a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
index cbbd97c..c0c8809 100644
--- a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
+++ b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
@@ -32,6 +32,7 @@ import java.util.Map;
 import org.apache.camel.CamelExchangeException;
 import org.apache.camel.Exchange;
 import org.apache.camel.Message;
+import org.apache.camel.RuntimeCamelException;
 import org.apache.camel.component.file.GenericFile;
 import org.apache.camel.converter.stream.CachedOutputStream;
 import org.apache.camel.http.common.HttpConstants;
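Review bot: The new Javadoc has a typo on its first line, `context-type` for the HTTP header `content-type`; change it to `* Whether to allow java serialization when a request uses content-type=application/x-java-serialized-object`. It should also mention the second condition this commit leaves in place: the DefaultHttpBinding and HttpProducer hunks in the same commit still deserialize when the endpoint has `transferException=true`, so an operator reading only this option's description would assume the feature is entirely off. Whether the default really is off depends on the field initializer, presumably in HttpCommonComponent, which is not part of this diff.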
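Review bot: `org.apache.camel.RuntimeCamelException` is imported here, but none of this commit's HttpProducer hunks use it — the new guard in the last hunk throws `CamelExchangeException`, which was already imported. Unless a use exists elsewhere in the file, the import is unused and should be dropped.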
@@ -280,7 +281,7 @@ public class HttpProducer extends DefaultProducer {
 * @return the response either as a stream, or as a deserialized java object
 * @throws IOException can be thrown
 */
- protected static Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
+ protected Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
 InputStream is = method.getResponseBodyAsStream();
 if (is == null) {
 return null;
@@ -304,7 +305,13 @@ public class HttpProducer extends DefaultProducer {
 
 // if content type is a serialized java object then de-serialize it back to a Java object
 if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ // only deserialize java if allowed
+ if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+ return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ } else {
+ // empty response
+ return null;
+ }
 } else {
 InputStream response = null;
 if (!ignoreResponseBody) {
@@ -418,6 +425,9 @@ public class HttpProducer extends DefaultProducer {
 
 String contentType = ExchangeHelper.getContentType(exchange);
 if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+ if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
 // serialized java object
 Serializable obj = in.getMandatoryBody(Serializable.class);
 // write object to output stream
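Review bot: Dropping `static` from the `protected` `extractResponseBody(...)` is a source- and binary-incompatible change for any subclass or helper that called it as `HttpProducer.extractResponseBody(...)`, and neither the commit message nor the method's Javadoc mentions it. If that is acceptable, the Javadoc immediately above the signature (it starts outside the hunk) should say why it became an instance method, e.g. `* Note: this is an instance method as it consults the endpoint and component settings for java serialization.` The method body continues past the hunk.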
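Review bot: `getEndpoint().getComponent()` is dereferenced without a null check here and again in the last hunk, while the DefaultHttpBinding constructor in this same commit guards the identical call; if a null component is a real possibility there, the producer should handle it the same way and fail closed, e.g. `boolean allowed = getEndpoint().getComponent() != null && getEndpoint().getComponent().isAllowJavaSerializedObject();` used in place of the direct call. The `|| getEndpoint().isTransferException()` arm also means that with transferException on, any `application/x-java-serialized-object` response from the remote server is deserialized regardless of the component setting, which the added comment `// only deserialize java if allowed` does not convey. Returning `null` for a disallowed response likewise discards it without any log line, the same observability gap as the binding's readRequest.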
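Review bot: The new exception message could name the option that governs the behaviour so the failure is actionable for whoever reads the log: `throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed (set allowJavaSerializedObject=true on the component to enable it)", exchange);`. This hunk fails loudly while the matching check in extractResponseBody above returns null, so the two guards in one class treat the same condition differently; a single documented behaviour would be easier to reason about. The enclosing method starts and ends outside the hunk.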