CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/92081b20 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/92081b20 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/92081b20 Branch: refs/heads/camel-2.16.x Commit: 92081b203523c5ed502ed41df43cbd8655caf9b9 Parents: c558f30 Author: Claus Ibsen <[email protected]> Authored: Thu Nov 12 15:06:32 2015 +0100 Committer: Claus Ibsen <[email protected]> Committed: Thu Nov 12 15:06:43 2015 +0100
----------------------------------------------------------------------
 .../apache/camel/component/http4/HttpComponent.java | 12 ++++++++++++
 .../org/apache/camel/component/http4/HttpProducer.java | 13 +++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/92081b20/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
index a2be672..df47d50 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
@@ -381,6 +381,18 @@ public class HttpComponent extends HttpCommonComponent {
 super.setHttpConfiguration(httpConfiguration);
 }

+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ @Override
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ // need to override and call super for component docs
+ super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+ }
+
 public HttpContext getHttpContext() {
 return httpContext;
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/92081b20/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
index 9a22fbf..09f347d 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
@@ -304,7 +304,7 @@ public class HttpProducer extends DefaultProducer {
 * @return the response either as a stream, or as a deserialized java object
 * @throws IOException can be thrown
 */
- protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
+ protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
 HttpEntity entity = httpResponse.getEntity();
 if (entity == null) {
 return null;
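Review bot: The new Javadoc on setAllowJavaSerializedObject reads `context-type=application/x-java-serialized-object`; the HTTP header is Content-Type, and this comment feeds the generated component documentation, so it should say `content-type=application/x-java-serialized-object`. The text also describes only incoming requests, while the HttpProducer hunks in this same commit use the flag to gate deserialization of HTTP responses and the sending of a serialized request body, so adding `On the producer side this also controls whether a response with that content-type is deserialized and whether a serialized object may be sent as the request body.` would tell users what they are actually enabling. `<p/>` is not valid HTML in Javadoc; the conventional form is `<p>`.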
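Review bot: Dropping `static` from the protected extractResponseBody changes the signature of an extension point on the camel-2.16.x maintenance branch; any subclass or helper that invoked it as `HttpProducer.extractResponseBody(...)` no longer compiles, and the commit message does not mention the incompatibility. If the instance form is needed only to reach `getEndpoint()` (as the later hunks in this file suggest), stating that in the commit message, or keeping a static overload that receives the endpoint explicitly, would make the break deliberate rather than incidental. The body of extractResponseBody continues beyond this hunk.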
@@ -331,7 +331,13 @@ public class HttpProducer extends DefaultProducer {
 }
 // if content type is a serialized java object then de-serialize it back to a Java object
 if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ // only deserialize java if allowed
+ if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+ return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ } else {
+ // empty response
+ return null;
+ }
 } else {
 InputStream response = null;
 if (!ignoreResponseBody) {
@@ -444,6 +450,9 @@ public class HttpProducer extends DefaultProducer {
 }

 if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString)) {
+ if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
 // serialized java object
 Serializable obj = in.getMandatoryBody(Serializable.class);
 // write object to output stream
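Review bot: The `|| getEndpoint().isTransferException()` term in the new condition means a producer with transferException enabled still Java-deserializes any response the remote server labels `application/x-java-serialized-object`, regardless of allowJavaSerializedObject, so the default-off guard described in HttpComponent's Javadoc does not hold for that configuration. If the bypass is intended because transferException depends on a serialized exception coming back, that deserves a comment on the condition, e.g. `// transferException carries the remote exception as a serialized object, so it implies allowJavaSerializedObject`; if it is not intended, the condition should be the flag alone. Separately, the disallowed branch returns null as an "empty response", whereas the request-side check in the `@@ -444` hunk throws CamelExchangeException; silently dropping a disallowed response hides the rejection from the route, so throwing the same exception (or at least logging at warn) here would be consistent and easier to detect. The `is` stream is neither consumed nor closed on that branch, and whether the caller closes it is outside this hunk. extractResponseBody starts and ends outside this hunk.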
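Review bot: The error message builds the content type from the fully qualified `org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT`, while the condition two lines above uses `HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT` unqualified; if both resolve to the same class the qualification is noise, and if they are different classes the message could drift from the value actually matched. `contentTypeString` has just been checked equal to that constant, so `throw new CamelExchangeException("Content-type " + contentTypeString + " is not allowed", exchange);` is shorter and always accurate. This request-side check also lacks the transferException bypass that the response-side check in the `@@ -331` hunk applies; if the asymmetry is intended, a one-line comment saying so would stop a later reader from "fixing" it. The enclosing method starts and ends outside this hunk.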
