CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/c558f30a Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/c558f30a Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/c558f30a Branch: refs/heads/camel-2.16.x Commit: c558f30a6d3820faa3d8c4ad5e54448914ec60d0 Parents: 735ee02 Author: Claus Ibsen <davscl...@apache.org> Authored: Thu Nov 12 14:52:36 2015 +0100 Committer: Claus Ibsen <davscl...@apache.org> Committed: Thu Nov 12 14:53:31 2015 +0100 ---------------------------------------------------------------------- .../apache/camel/component/ahc/AhcEndpoint.java | 3 + .../camel/http/common/DefaultHttpBinding.java | 8 ++ .../apache/camel/http/common/HttpBinding.java | 24 +++++ .../camel/http/common/HttpCommonEndpoint.java | 4 +- .../jetty/CamelContinuationServlet.java | 9 ++ .../jetty/DefaultJettyHttpBinding.java | 25 ++++- .../camel/component/jetty/JettyHttpBinding.java | 24 +++++ .../component/jetty/JettyHttpEndpoint.java | 3 + .../component/jetty/JettyHttpProducer.java | 25 +++-- .../component/jetty9/JettyHttpEndpoint9.java | 3 + .../jetty/javabody/HttpJavaBodyTest.java | 103 +++++++++++++++++++ .../JettyHttpProducerJavaBodyTest.java | 12 ++- .../component/sparkrest/SparkConfiguration.java | 3 + 13 files changed, 228 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java ---------------------------------------------------------------------- diff --git a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java index 9790a73..eb42d0a 100644 --- a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java +++ b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java @@ -179,6 +179,9 @@ public class AhcEndpoint extends DefaultEndpoint implements HeaderFilterStrategy * in the response as a application/x-java-serialized-object content type (for example using Jetty or Servlet Camel components). * On the producer side the exception will be deserialized and thrown as is, instead of the AhcOperationFailedException. * The caused exception is required to be serialized. + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. */ public void setTransferException(boolean transferException) { this.transferException = transferException; http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java ---------------------------------------------------------------------- diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java index 9e22665..04f5851 100644 --- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java +++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java @@ -531,6 +531,14 @@ public class DefaultHttpBinding implements HttpBinding { this.transferException = transferException; } + public boolean isAllowJavaSerializedObject() { + return allowJavaSerializedObject; + } + + public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) { + this.allowJavaSerializedObject = allowJavaSerializedObject; + } + public HeaderFilterStrategy getHeaderFilterStrategy() { return headerFilterStrategy; } http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java ---------------------------------------------------------------------- diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java index d76ba10..9402301 100644 --- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java +++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java @@ -118,10 +118,21 @@ public interface HttpBinding { * serialized in the response as a application/x-java-serialized-object content type (for example using Jetty or * Servlet Camel components). On the producer side the exception will be deserialized and thrown as is, * instead of the HttpOperationFailedException. The caused exception is required to be serialized. + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. */ boolean isTransferException(); /** + * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. + */ + boolean isAllowJavaSerializedObject(); + + /** * Whether to eager check whether the HTTP requests has content if the content-length header is 0 or not present. * This can be turned on in case HTTP clients do not send streamed data. */ @@ -138,10 +149,23 @@ public interface HttpBinding { * serialized in the response as a application/x-java-serialized-object content type (for example using Jetty or * Servlet Camel components). On the producer side the exception will be deserialized and thrown as is, * instead of the HttpOperationFailedException. The caused exception is required to be serialized. + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. */ void setTransferException(boolean transferException); /** + * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. + * + * @param allowJavaSerializedObject <tt>true</tt> to allow serializing java objects + */ + void setAllowJavaSerializedObject(boolean allowJavaSerializedObject); + + /** * Gets the header filter strategy * * @return the strategy http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java ---------------------------------------------------------------------- diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java index e3ad200..19cfcc1 100644 --- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java +++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java @@ -19,7 +19,6 @@ package org.apache.camel.http.common; import java.net.URI; import java.net.URISyntaxException; -import org.apache.camel.Component; import org.apache.camel.impl.DefaultEndpoint; import org.apache.camel.spi.HeaderFilterStrategy; import org.apache.camel.spi.HeaderFilterStrategyAware; @@ -142,6 +141,9 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head binding = new DefaultHttpBinding(); binding.setHeaderFilterStrategy(getHeaderFilterStrategy()); binding.setTransferException(isTransferException()); + if (getComponent() != null) { + binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject()); + } binding.setEagerCheckContentAvailable(isEagerCheckContentAvailable()); } return binding; http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java index e8a35c1..59660ab 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java @@ -28,6 +28,7 @@ import org.apache.camel.AsyncCallback; import org.apache.camel.Exchange; import org.apache.camel.ExchangePattern; import org.apache.camel.http.common.CamelServlet; +import org.apache.camel.http.common.HttpConstants; import org.apache.camel.http.common.HttpConsumer; import org.apache.camel.http.common.HttpHelper; import org.apache.camel.http.common.HttpMessage; @@ -85,6 +86,14 @@ public class CamelContinuationServlet extends CamelServlet { response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); return; } + + // we do not support java serialized objects unless explicit enabled + String contentType = request.getContentType(); + if (HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType) && !consumer.getEndpoint().getComponent().isAllowJavaSerializedObject()) { + System.out.println("415 miser !!!"); + response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); + return; + } final Exchange result = (Exchange) request.getAttribute(EXCHANGE_ATTRIBUTE_NAME); if (result == null) { http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java index 8e8cb2c..9bbb9aa 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java @@ -46,6 +46,7 @@ public class DefaultJettyHttpBinding implements JettyHttpBinding { private HeaderFilterStrategy httpProtocolHeaderFilterStrategy = new HttpProtocolHeaderFilterStrategy(); private boolean throwExceptionOnFailure; private boolean transferException; + private boolean allowJavaSerializedObject; private String okStatusCodeRange; public DefaultJettyHttpBinding() { @@ -101,6 +102,14 @@ public class DefaultJettyHttpBinding implements JettyHttpBinding { this.transferException = transferException; } + public boolean isAllowJavaSerializedObject() { + return allowJavaSerializedObject; + } + + public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) { + this.allowJavaSerializedObject = allowJavaSerializedObject; + } + public String getOkStatusCodeRange() { return okStatusCodeRange; } @@ -183,11 +192,17 @@ public class DefaultJettyHttpBinding implements JettyHttpBinding { // if content type is serialized java object, then de-serialize it to a Java object if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) { - try { - InputStream is = exchange.getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, httpExchange.getResponseContentBytes()); - return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext()); - } catch (Exception e) { - throw new RuntimeCamelException("Cannot deserialize body to Java object", e); + // only deserialize java if allowed + if (isAllowJavaSerializedObject() || isTransferException()) { + try { + InputStream is = exchange.getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, httpExchange.getResponseContentBytes()); + return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext()); + } catch (Exception e) { + throw new RuntimeCamelException("Cannot deserialize body to Java object", e); + } + } else { + // empty body + return null; } } else { // just grab the raw content body http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java index ec3d006..a5deb80 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java @@ -70,6 +70,9 @@ public interface JettyHttpBinding { /** * Whether to transfer exception back as a serialized java object * if processing failed due to an exception + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. * * @param transferException <tt>true</tt> to transfer exception */ @@ -78,12 +81,33 @@ public interface JettyHttpBinding { /** * Whether to transfer exception back as a serialized java object * if processing failed due to an exception + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. * * @return <tt>true</tt> to transfer exception */ boolean isTransferException(); /** + * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. + * + * @param allowJavaSerializedObject <tt>true</tt> to allow serializing java objects + */ + void setAllowJavaSerializedObject(boolean allowJavaSerializedObject); + + /** + * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. + */ + boolean isAllowJavaSerializedObject(); + + /** * The status codes which is considered a success response. The values are inclusive. The range must be defined as from-to with the dash included. * <p/> * The default range is <tt>200-299</tt> http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java index 9ba1c6b..bacaa7d 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java @@ -192,6 +192,9 @@ public abstract class JettyHttpEndpoint extends HttpCommonEndpoint { jettyBinding.setHeaderFilterStrategy(getHeaderFilterStrategy()); jettyBinding.setThrowExceptionOnFailure(isThrowExceptionOnFailure()); jettyBinding.setTransferException(isTransferException()); + if (getComponent() != null) { + jettyBinding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject()); + } jettyBinding.setOkStatusCodeRange(getOkStatusCodeRange()); } return jettyBinding; http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java index e3089c3..10f7186 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java @@ -30,9 +30,9 @@ import org.apache.camel.AsyncProcessor; import org.apache.camel.Endpoint; import org.apache.camel.Exchange; import org.apache.camel.Message; +import org.apache.camel.RuntimeCamelException; import org.apache.camel.http.common.HttpConstants; import org.apache.camel.http.common.HttpHelper; -import org.apache.camel.http.common.HttpMethods; import org.apache.camel.impl.DefaultAsyncProducer; import org.apache.camel.spi.HeaderFilterStrategy; import org.apache.camel.util.ExchangeHelper; @@ -138,17 +138,20 @@ public class JettyHttpProducer extends DefaultAsyncProducer implements AsyncProc if (contentType != null) { httpExchange.setRequestContentType(contentType); } - if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) { - // serialized java object - Serializable obj = exchange.getIn().getMandatoryBody(Serializable.class); - // write object to output stream - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - try { - HttpHelper.writeObjectToStream(bos, obj); - httpExchange.setRequestContent(bos.toByteArray()); - } finally { - IOHelper.close(bos, "body", LOG); + if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) { + // serialized java object + Serializable obj = exchange.getIn().getMandatoryBody(Serializable.class); + // write object to output stream + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + try { + HttpHelper.writeObjectToStream(bos, obj); + httpExchange.setRequestContent(bos.toByteArray()); + } finally { + IOHelper.close(bos, "body", LOG); + } + } else { + throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed"); } } else { Object body = exchange.getIn().getBody(); http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java b/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java index 724a736..b6f46dd 100644 --- a/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java +++ b/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java @@ -40,6 +40,9 @@ public class JettyHttpEndpoint9 extends JettyHttpEndpoint { if (this.binding == null) { this.binding = new AttachmentHttpBinding(); this.binding.setTransferException(isTransferException()); + if (getComponent() != null) { + this.binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject()); + } this.binding.setHeaderFilterStrategy(getHeaderFilterStrategy()); } return this.binding; http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/javabody/HttpJavaBodyTest.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/javabody/HttpJavaBodyTest.java b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/javabody/HttpJavaBodyTest.java index 9d9ca1b..5eb566f 100644 --- a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/javabody/HttpJavaBodyTest.java +++ b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/javabody/HttpJavaBodyTest.java @@ -16,11 +16,16 @@ */ package org.apache.camel.component.jetty.javabody; +import org.apache.camel.CamelExecutionException; import org.apache.camel.Exchange; import org.apache.camel.Processor; import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.component.http.HttpComponent; import org.apache.camel.component.jetty.BaseJettyTest; +import org.apache.camel.http.common.HttpCommonComponent; import org.apache.camel.http.common.HttpConstants; +import org.apache.camel.http.common.HttpOperationFailedException; +import org.junit.Ignore; import org.junit.Test; /** @@ -34,7 +39,14 @@ public class HttpJavaBodyTest extends BaseJettyTest { } @Test + @Ignore public void testHttpSendJavaBodyAndReceiveString() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + + HttpComponent http = context.getComponent("http", HttpComponent.class); + http.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -65,7 +77,14 @@ public class HttpJavaBodyTest extends BaseJettyTest { } @Test + @Ignore public void testHttpSendJavaBodyAndReceiveJavaBody() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + + HttpComponent http = context.getComponent("http", HttpComponent.class); + http.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -97,7 +116,14 @@ public class HttpJavaBodyTest extends BaseJettyTest { } @Test + @Ignore public void testHttpSendStringAndReceiveJavaBody() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + + HttpComponent http = context.getComponent("http", HttpComponent.class); + http.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -123,4 +149,81 @@ public class HttpJavaBodyTest extends BaseJettyTest { assertEquals("Camel rocks", reply.getName()); } + @Test + public void testNotAllowedReceive() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(false); + + HttpComponent http = context.getComponent("http", HttpComponent.class); + http.setAllowJavaSerializedObject(true); + + context.addRoutes(new RouteBuilder() { + @Override + public void configure() throws Exception { + onException(Exception.class).to("mock:error"); + + from("jetty:http://localhost:{{port}}/myapp/myservice";) + .process(new Processor() { + public void process(Exchange exchange) throws Exception { + String body = exchange.getIn().getBody(String.class); + assertNotNull(body); + assertEquals("Hello World", body); + + MyCoolBean reply = new MyCoolBean(456, "Camel rocks"); + exchange.getOut().setBody(reply); + exchange.getOut().setHeader(Exchange.CONTENT_TYPE, HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT); + } + }); + } + }); + context.start(); + + try { + template.requestBody("http://localhost:{{port}}/myapp/myservice";, "Hello World", MyCoolBean.class); + fail("Should fail"); + } catch (Exception e) { + // expected + } + } + + @Test + @Ignore + public void testNotAllowed() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(false); + + HttpComponent http = context.getComponent("http", HttpComponent.class); + http.setAllowJavaSerializedObject(true); + + context.addRoutes(new RouteBuilder() { + @Override + public void configure() throws Exception { + from("jetty:http://localhost:{{port}}/myapp/myservice";) + .process(new Processor() { + public void process(Exchange exchange) throws Exception { + String body = exchange.getIn().getBody(String.class); + assertNotNull(body); + assertEquals("Hello World", body); + + MyCoolBean reply = new MyCoolBean(456, "Camel rocks"); + exchange.getOut().setBody(reply); + exchange.getOut().setHeader(Exchange.CONTENT_TYPE, HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT); + } + }); + } + }); + context.start(); + + MyCoolBean cool = new MyCoolBean(123, "Camel"); + + try { + template.requestBodyAndHeader("http://localhost:{{port}}/myapp/myservice";, cool, + Exchange.CONTENT_TYPE, HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT, MyCoolBean.class); + fail("Should fail"); + } catch (CamelExecutionException e) { + HttpOperationFailedException cause = assertIsInstanceOf(HttpOperationFailedException.class, e.getCause()); + assertEquals(415, cause.getStatusCode()); + } + } + } http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/jettyproducer/JettyHttpProducerJavaBodyTest.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/jettyproducer/JettyHttpProducerJavaBodyTest.java b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/jettyproducer/JettyHttpProducerJavaBodyTest.java index 6fa1c39..a98f465 100644 --- a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/jettyproducer/JettyHttpProducerJavaBodyTest.java +++ b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/jettyproducer/JettyHttpProducerJavaBodyTest.java @@ -20,6 +20,7 @@ import org.apache.camel.Exchange; import org.apache.camel.Processor; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.jetty.BaseJettyTest; +import org.apache.camel.http.common.HttpCommonComponent; import org.apache.camel.http.common.HttpConstants; import org.junit.Test; @@ -35,6 +36,9 @@ public class JettyHttpProducerJavaBodyTest extends BaseJettyTest { @Test public void testHttpSendJavaBodyAndReceiveString() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -66,6 +70,9 @@ public class JettyHttpProducerJavaBodyTest extends BaseJettyTest { @Test public void testHttpSendJavaBodyAndReceiveJavaBody() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -98,6 +105,9 @@ public class JettyHttpProducerJavaBodyTest extends BaseJettyTest { @Test public void testHttpSendStringAndReceiveJavaBody() throws Exception { + HttpCommonComponent jetty = context.getComponent("jetty", HttpCommonComponent.class); + jetty.setAllowJavaSerializedObject(true); + context.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { @@ -117,7 +127,7 @@ public class JettyHttpProducerJavaBodyTest extends BaseJettyTest { }); context.start(); - MyCoolBean reply = template.requestBody("http://localhost:{{port}}/myapp/myservice";, "Hello World", MyCoolBean.class); + MyCoolBean reply = template.requestBody("jetty:http://localhost:{{port}}/myapp/myservice";, "Hello World", MyCoolBean.class); assertEquals(456, reply.getId()); assertEquals("Camel rocks", reply.getName()); http://git-wip-us.apache.org/repos/asf/camel/blob/c558f30a/components/camel-spark-rest/src/main/java/org/apache/camel/component/sparkrest/SparkConfiguration.java ---------------------------------------------------------------------- diff --git a/components/camel-spark-rest/src/main/java/org/apache/camel/component/sparkrest/SparkConfiguration.java b/components/camel-spark-rest/src/main/java/org/apache/camel/component/sparkrest/SparkConfiguration.java index ac1e040..ef795bc 100644 --- a/components/camel-spark-rest/src/main/java/org/apache/camel/component/sparkrest/SparkConfiguration.java +++ b/components/camel-spark-rest/src/main/java/org/apache/camel/component/sparkrest/SparkConfiguration.java @@ -80,6 +80,9 @@ public class SparkConfiguration { /** * If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized * in the response as a application/x-java-serialized-object content type. + * <p/> + * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. */ public void setTransferException(boolean transferException) { this.transferException = transferException;
