Repository: camel Updated Branches: refs/heads/camel-2.15.x ae2fde0f3 -> 23655fe0c refs/heads/camel-2.16.x 231a462a1 -> c703479f5 refs/heads/master d1b4e0802 -> 5ea0a6f6c
CAMEL-9309: Make it easier to turn on|off java transport over http Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/349109b0 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/349109b0 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/349109b0 Branch: refs/heads/camel-2.15.x Commit: 349109b0834764560f0be69eb74f43a16bd220b0 Parents: ae2fde0 Author: Claus Ibsen <davscl...@apache.org> Authored: Thu Nov 12 11:05:30 2015 +0100 Committer: Claus Ibsen <davscl...@apache.org> Committed: Thu Nov 12 18:34:36 2015 +0100 ---------------------------------------------------------------------- .../camel/component/ahc/AhcComponent.java | 15 +++++ .../camel/component/ahc/DefaultAhcBinding.java | 12 +++- .../ahc/javabody/AhcProduceJavaBodyTest.java | 70 ++++++++++++++++++++ 3 files changed, 95 insertions(+), 2 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/349109b0/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
index 9077b23..75b0015 100644
--- a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
+++ b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
@@ -47,6 +47,7 @@ public class AhcComponent extends HeaderFilterStrategyComponent {
 private AsyncHttpClientConfig clientConfig;
 private AhcBinding binding;
 private SSLContextParameters sslContextParameters;
+ private boolean allowJavaSerializedObject;
 public AhcComponent() {
 super(AhcEndpoint.class);
@@ -164,6 +165,20 @@ public class AhcComponent extends HeaderFilterStrategyComponent {
 this.sslContextParameters = sslContextParameters;
 }
+ public boolean isAllowJavaSerializedObject() {
+ return allowJavaSerializedObject;
+ }
+
+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ this.allowJavaSerializedObject = allowJavaSerializedObject;
+ }
+
 protected String createAddressUri(String uri, String remaining) {
 return remaining;
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/349109b0/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
index 8c57cd9..7f46983 100644
--- a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
+++ b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
@@ -126,6 +126,11 @@ public class DefaultAhcBinding implements AhcBinding {
 Object data = in.getBody();
 if (data != null) {
 if (contentType != null && AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+
+ if (!endpoint.getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
+ + // serialized java object
 Serializable obj = in.getMandatoryBody(Serializable.class);
 // write object to output stream
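Review bot: The Javadoc on `setAllowJavaSerializedObject` says `context-type=application/x-java-serialized-object`; the header it refers to is `Content-Type`, so this should read `content-type`. The description also covers only the request side, while the same flag gates deserialization of responses in `DefaultAhcBinding` (the hunk at -227 on this page), and that gate is additionally bypassed when `transferException` is enabled; since response deserialization is where remote data is actually parsed, the option's documentation should say both. Suggested description: `Whether to allow java serialization when a request uses content-type=application/x-java-serialized-object, and whether responses with that content type are deserialized back into Java objects (responses are also deserialized when transferException is enabled).`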
@@ -227,9 +232,12 @@ public class DefaultAhcBinding implements AhcBinding {
 }
 Object body = is;
- // if content type is a serialized java object then de-serialize it back to a Java object
+ // if content type is a serialized java object then de-serialize it back to a Java object but only if its allowed
+ // an exception can also be transffered as java object
 if (contentType != null && contentType.equals(AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- body = AhcHelper.deserializeJavaObjectFromStream(is);
+ if (endpoint.getComponent().isAllowJavaSerializedObject() || endpoint.isTransferException()) {
+ body = AhcHelper.deserializeJavaObjectFromStream(is);
+ }
 }
 if (!endpoint.isThrowExceptionOnFailure()) {
http://git-wip-us.apache.org/repos/asf/camel/blob/349109b0/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
index 87a2d22..8b3f395 100644
--- a/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
+++ b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
@@ -19,6 +19,7 @@ package org.apache.camel.component.ahc.javabody;
 import org.apache.camel.Exchange;
 import org.apache.camel.Processor;
 import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.component.ahc.AhcComponent;
 import org.apache.camel.component.ahc.AhcConstants;
 import org.apache.camel.component.ahc.BaseAhcTest;
 import org.junit.Test;
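Review bot: The new condition `endpoint.getComponent().isAllowJavaSerializedObject() || endpoint.isTransferException()` turns `transferException` into a second switch that enables Java deserialization of every response carrying this content type, not only serialized exceptions, because the stream cannot be checked for an exception without deserializing it first; with `allowJavaSerializedObject=false` an endpoint configured with `transferException=true` still deserializes whatever the remote side sends. At minimum this should be stated in the comment and on the component option, e.g. `// transferException also enables deserialization here, since a transferred exception arrives as a serialized java object`, and it is worth deciding whether transferException should itself require allowJavaSerializedObject. When deserialization is disallowed the body silently stays the raw InputStream, whereas the request side in this same commit throws CamelExchangeException; a log line or a consistent exception would make the refusal visible instead of surfacing as a null conversion downstream. The comment typos `its` and `transffered` should read `it is` and `transferred`. The enclosing method starts and ends outside the hunk.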
@@ -35,6 +36,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
 @Test
 public void testHttpSendJavaBodyAndReceiveString() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
 context.addRoutes(new RouteBuilder() {
 @Override
 public void configure() throws Exception {
@@ -66,6 +70,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
 @Test
 public void testHttpSendJavaBodyAndReceiveJavaBody() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
 context.addRoutes(new RouteBuilder() {
 @Override
 public void configure() throws Exception {
@@ -98,6 +105,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
 @Test
 public void testHttpSendStringAndReceiveJavaBody() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
 context.addRoutes(new RouteBuilder() {
 @Override
 public void configure() throws Exception {
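Review bot: The two set-up lines `AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);` and `ahc.setAllowJavaSerializedObject(true);` are now repeated verbatim in three tests (hunks -35, -66 and -98); a private helper such as `allowJavaSerialization(boolean allow)` would keep the opt-in in one place and make it obvious at a glance which tests run with the permissive setting. It should stay a per-test call rather than a setUp override, because the tests added later in this class (hunk -123) depend on the option keeping its default.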
@@ -123,4 +133,64 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
 assertEquals("Camel rocks", reply.getName());
 }
+ @Test
+ public void testNotAllowedReceive() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(false);
+
+ context.addRoutes(new RouteBuilder() {
+ @Override
+ public void configure() throws Exception {
+ from(getTestServerEndpointUri())
+ .process(new Processor() {
+ public void process(Exchange exchange) throws Exception {
+ String body = exchange.getIn().getBody(String.class);
+ assertNotNull(body);
+ assertEquals("Hello World", body);
+
+ MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
+ exchange.getOut().setBody(reply);
+ exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
+ }
+ });
+ }
+ });
+ context.start();
+
+ MyCoolBean reply = template.requestBody(getAhcEndpointUri(), "Hello World", MyCoolBean.class);
+ assertNull(reply);
+ }
+
+ @Test
+ public void testNotAllowed() throws Exception {
+ context.addRoutes(new RouteBuilder() {
+ @Override
+ public void configure() throws Exception {
+ from(getTestServerEndpointUri())
+ .process(new Processor() {
+ public void process(Exchange exchange) throws Exception {
+ String body = exchange.getIn().getBody(String.class);
+ assertNotNull(body);
+ assertEquals("Hello World", body);
+
+ MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
+ exchange.getOut().setBody(reply);
+ exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
+ }
+ });
+ }
+ });
+ context.start();
+
+ MyCoolBean cool = new MyCoolBean(123, "Camel");
+
+ try {
+ template.requestBodyAndHeader(getAhcEndpointUri(), cool,
+ Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT, MyCoolBean.class);
+ fail("Should fail");
+ } catch (Exception e) {
+ assertTrue(e.getCause().getMessage().startsWith("Content-type
 application/x-java-serialized-object is not allowed"));
+ }
+ }
+
 }
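Review bot: `testNotAllowedReceive` ends with `assertNull(reply)`, which only shows that the body could not be converted to `MyCoolBean`, not that the serialized response was left undeserialized; requesting the raw body and checking its type pins the intended behaviour, e.g. `Object raw = template.requestBody(getAhcEndpointUri(), "Hello World");` followed by `assertFalse(raw instanceof MyCoolBean);`. In `testNotAllowed` the catch block dereferences `e.getCause()` directly, so a failure that carries no cause is reported as a NullPointerException instead of the assertion message; add `assertNotNull(e.getCause());` before the `startsWith` check. The same test relies on the option's default without stating it; an `assertFalse(context.getComponent("ahc", AhcComponent.class).isAllowJavaSerializedObject());` at the start would pin the off-by-default contract the component's Javadoc promises.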