CAMEL-9309: Make it easier to turn on|off java transport over http Conflicts: components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/4f065fe0 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/4f065fe0 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/4f065fe0 Branch: refs/heads/camel-2.15.x Commit: 4f065fe07c1dcd7b451e6005a6dc8e96d77da43e Parents: 13e43c1 Author: Claus Ibsen <davscl...@apache.org> Authored: Thu Nov 12 15:06:32 2015 +0100 Committer: Claus Ibsen <davscl...@apache.org> Committed: Thu Nov 12 18:54:52 2015 +0100 ---------------------------------------------------------------------- .../apache/camel/component/http4/HttpComponent.java | 16 ++++++++++++++++ .../apache/camel/component/http4/HttpEndpoint.java | 6 ++++++ .../apache/camel/component/http4/HttpProducer.java | 13 +++++++++++-- 3 files changed, 33 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/4f065fe0/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java ----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
index b5fc46e..176ada5 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
@@ -66,6 +66,7 @@ public class HttpComponent extends HeaderFilterStrategyComponent {
 protected SSLContextParameters sslContextParameters;
 protected X509HostnameVerifier x509HostnameVerifier = new BrowserCompatHostnameVerifier();
 protected CookieStore cookieStore;
+ protected boolean allowJavaSerializedObject;
 // options to the default created http connection manager
 protected int maxTotalConnections = 200;
@@ -377,6 +378,21 @@ public class HttpComponent extends HeaderFilterStrategyComponent {
 this.httpBinding = httpBinding;
 }
+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ // need to override and call super for component docs
+ this.allowJavaSerializedObject = allowJavaSerializedObject;
+ }
+
+ public boolean isAllowJavaSerializedObject() {
+ return allowJavaSerializedObject;
+ }
+
 public HttpContext getHttpContext() {
 return httpContext;
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/4f065fe0/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java ----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java
index bcd22b5..f975698 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java
@@ -19,6 +19,7 @@ package org.apache.camel.component.http4;
 import java.net.URI;
 import java.net.URISyntaxException;
+import org.apache.camel.Component;
 import org.apache.camel.Consumer;
 import org.apache.camel.PollingConsumer;
 import org.apache.camel.Processor;
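Review bot: The comment `// need to override and call super for component docs` inside setAllowJavaSerializedObject does not describe the code: the method neither overrides anything nor calls super, so it reads as a leftover from another setter and should be removed or replaced with the actual reason the setter exists. The Javadoc has a typo, `context-type` should read `content-type`, and its `@deprecated`-style warning is slightly misdirected: for this client-side component the option guards what the HttpProducer receives from the remote server (extractResponseBody in the later hunk) as well as what it sends, so `Java will deserialize the incoming data from the request or response to Java` would describe the guarded path more accurately. Stating explicitly that the default is `false` (matching the new field) would also help readers of the generated option docs.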
@@ -113,6 +114,11 @@ public class HttpEndpoint extends DefaultEndpoint implements HeaderFilterStrateg
 this.clientConnectionManager = clientConnectionManager;
 }
+ @Override
+ public HttpComponent getComponent() {
+ return (HttpComponent) super.getComponent();
+ }
+
 public Producer createProducer() throws Exception {
 return new HttpProducer(this);
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/4f065fe0/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java ----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
index 612c6ce..77cbd5a 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
@@ -287,7 +287,7 @@ public class HttpProducer extends DefaultProducer {
 * @return the response either as a stream, or as a deserialized java object
 * @throws IOException can be thrown
 */
- protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange) throws IOException, ClassNotFoundException {
+ protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange) throws IOException, ClassNotFoundException {
 HttpEntity entity = httpResponse.getEntity();
 if (entity == null) {
 return null;
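Review bot: `return (HttpComponent) super.getComponent();` throws ClassCastException if the endpoint is attached to a component that is not an HttpComponent and returns null when no component is set, and both outcomes surface later in HttpProducer, where `getEndpoint().getComponent().isAllowJavaSerializedObject()` dereferences the result without a null check. If an HttpEndpoint can exist without a component (DefaultEndpoint appears to permit it, confirm against the constructors outside this hunk), the producer-side calls need a null guard, or this override should document the contract with `@return the owning HttpComponent, or null if the endpoint has no component`. The import of `org.apache.camel.Component` added in the previous hunk is not referenced by this override; confirm it is used elsewhere in the file or drop it.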
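Review bot: Dropping `static` from `extractResponseBody` is a source- and binary-incompatible change for any subclass or external code that called it as `HttpProducer.extractResponseBody(...)`, and the commit description does not mention it. If that is acceptable on the 2.15.x branch it deserves a line in the description; otherwise a static overload taking the allow flag as an explicit boolean parameter would keep the old call sites compiling. The Javadoc above the signature should also gain a sentence saying the object is only deserialized when the component allows it or transferException is enabled, which is the behaviour the next hunk introduces. The body of extractResponseBody continues outside this hunk.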
@@ -315,7 +315,13 @@ public class HttpProducer extends DefaultProducer {
 InputStream response = doExtractResponseBodyAsStream(is, exchange);
 // if content type is a serialized java object then de-serialize it back to a Java object
 if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- return HttpHelper.deserializeJavaObjectFromStream(response);
+ // only deserialize java if allowed
+ if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+ return HttpHelper.deserializeJavaObjectFromStream(response);
+ } else {
+ // empty response
+ return null;
+ }
 } else {
 return response;
 }
@@ -424,6 +430,9 @@ public class HttpProducer extends DefaultProducer {
 }
 if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString)) {
+ if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
 // serialized java object
 Serializable obj = in.getMandatoryBody(Serializable.class);
 // write object to output stream
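Review bot: The new guard still deserializes any response body tagged application/x-java-serialized-object whenever `getEndpoint().isTransferException()` is true, so with transferException enabled the allowJavaSerializedObject option has no effect on the response path even though its Javadoc presents it as the switch that turns deserialization off. The transferException case presumably exists for serialized exceptions in failure responses; restricting the bypass to that path, or stating in the option's Javadoc that transferException implies deserialization of the response, would close the gap. In the new else branch the stream held in `response` is dropped without being closed and the rejection is silent; closing it (`IOHelper.close(response);`) and logging at debug level that a serialized-object response was discarded would avoid a possible leak and make a peer that sends serialized objects visible to operators. The enclosing method continues outside this hunk.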
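Review bot: The request-side check is placed before `in.getMandatoryBody(Serializable.class)`, which is the right order, but its message tells the user nothing about how to enable the feature; `" is not allowed; set allowJavaSerializedObject=true on the component to enable it"` would make the CamelExchangeException actionable. This check consults only the component option, while the response-side guard in the previous hunk also honours transferException; if the asymmetry is intended, a one-line comment such as `// transferException only affects deserializing the response` would stop a later change from "fixing" it. The enclosing method starts outside this hunk, and if the hunk continues past the last visible line the comment placement should be confirmed there.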