CAMEL-9309: Make it easier to turn on|off java transport over http
Conflicts:
components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/190d7c81
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/190d7c81
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/190d7c81
Branch: refs/heads/camel-2.15.x
Commit: 190d7c81b7e3ce767514e319630b1bbaf27e6817
Parents: e7fd5f0
Author: Claus Ibsen <[email protected]>
Authored: Thu Nov 12 11:28:17 2015 +0100
Committer: Claus Ibsen <[email protected]>
Committed: Thu Nov 12 18:44:37 2015 +0100
----------------------------------------------------------------------
.../camel/component/http/DefaultHttpBinding.java | 8 ++++++--
.../apache/camel/component/http/HttpComponent.java | 12 ++++++++++++
.../org/apache/camel/component/http/HttpProducer.java | 14 ++++++++++++--
3 files changed, 30 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/190d7c81/components/camel-http/src/main/java/org/apache/camel/component/http/DefaultHttpBinding.java
----------------------------------------------------------------------
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/DefaultHttpBinding.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/DefaultHttpBinding.java
index d0ea5f1..84c79ef 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/DefaultHttpBinding.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/DefaultHttpBinding.java
@@ -75,7 +75,9 @@ public class DefaultHttpBinding implements HttpBinding {
public DefaultHttpBinding(HttpEndpoint endpoint) {
this.endpoint = endpoint;
this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
- this.allowJavaSerializedObject =
endpoint.getComponent().isAllowJavaSerializedObject();
+ if (endpoint.getComponent() != null) {
+ this.allowJavaSerializedObject =
endpoint.getComponent().isAllowJavaSerializedObject();
+ }
}
public void readRequest(HttpServletRequest request, HttpMessage message) {
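Review bot: When `endpoint.getComponent()` returns null, the new guard in the constructor leaves `allowJavaSerializedObject` at whatever the field initializer is, and that initializer is outside this hunk, so a reader cannot tell from here whether the binding fails closed. Making the default explicit also removes the second `getComponent()` call: `this.allowJavaSerializedObject = endpoint.getComponent() != null && endpoint.getComponent().isAllowJavaSerializedObject();` with a comment `// no component (endpoint built standalone): never deserialize java objects`. Note that HttpProducer in this same commit dereferences `getEndpoint().getComponent()` with no null check, so the two sides currently disagree on whether a null component is possible.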
@@ -139,6 +141,7 @@ public class DefaultHttpBinding implements HttpBinding {
// if content type is serialized java object, then de-serialize it to
a Java object
if (request.getContentType() != null &&
HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType()))
{
+ // only deserialize java if allowed
if (allowJavaSerializedObject || endpoint.isTransferException()) {
try {
InputStream is =
endpoint.getCamelContext().getTypeConverter().mandatoryConvertTo(InputStream.class,
body);
@@ -150,7 +153,8 @@ public class DefaultHttpBinding implements HttpBinding {
throw new RuntimeCamelException("Cannot deserialize body
to Java object", e);
}
} else {
- throw new RuntimeCamelException("Content-type " +
HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
+ // set empty body
+ message.setBody(null);
}
}
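Review bot: The new else branch turns a rejected `application/x-java-serialized-object` request into a silent `message.setBody(null)`, where the removed line used to throw, so the route now proceeds with an empty body and nothing records that a serialized payload was refused. That is the event an operator most wants to see when this option is off, so I would at least log it before clearing the body: `LOG.warn("Rejected request body with content-type {}: java serialization is not allowed on this endpoint", HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);` (assuming the class logger is declared as in the rest of camel-http). Answering with an HTTP 415 instead of an empty body would be the stricter alternative if callers are expected to notice the rejection. The enclosing method starts outside this hunk.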
http://git-wip-us.apache.org/repos/asf/camel/blob/190d7c81/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
----------------------------------------------------------------------
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
index 1ef9c9d..a2ccd51 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
@@ -356,4 +356,16 @@ public class HttpComponent extends
HeaderFilterStrategyComponent {
public void setAllowJavaSerializedObject(boolean
allowJavaSerializedObject) {
this.allowJavaSerializedObject = allowJavaSerializedObject;
}
+
+ /**
+ * Whether to allow java serialization when a request uses
context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that
Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ @Override
+ public void setAllowJavaSerializedObject(boolean
allowJavaSerializedObject) {
+ // need to override and call super for component docs
+ super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+ }
}
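Review bot: The added `@Override public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject)` has exactly the same signature as the setter shown in the context lines at the top of this hunk, which assigns `this.allowJavaSerializedObject` and is not removed here (the diffstat lists only insertions for this file), so the class would declare the method twice and not compile. Either the existing setter should be deleted in favour of the new delegating override, or the new one dropped and its Javadoc moved onto the existing method; the `@Override` additionally only holds if HeaderFilterStrategyComponent declares the method, which is not visible here. The Javadoc also has a typo, `context-type=` should read `content-type=`, and the risk sentence could be sharper: `Java will deserialize the incoming data, which lets a remote party run arbitrary deserialization gadgets; leave this off unless the peer is trusted`.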
http://git-wip-us.apache.org/repos/asf/camel/blob/190d7c81/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
----------------------------------------------------------------------
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
index f2bdc2d..4ef437d 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
@@ -32,6 +32,7 @@ import java.util.Map;
import org.apache.camel.CamelExchangeException;
import org.apache.camel.Exchange;
import org.apache.camel.Message;
+import org.apache.camel.RuntimeCamelException;
import org.apache.camel.component.file.GenericFile;
import org.apache.camel.component.http.helper.HttpHelper;
import org.apache.camel.converter.stream.CachedOutputStream;
@@ -272,7 +273,7 @@ public class HttpProducer extends DefaultProducer {
* @return the response either as a stream, or as a deserialized java
object
* @throws IOException can be thrown
*/
- protected static Object extractResponseBody(HttpMethod method, Exchange
exchange) throws IOException, ClassNotFoundException {
+ protected Object extractResponseBody(HttpMethod method, Exchange exchange)
throws IOException, ClassNotFoundException {
InputStream is = method.getResponseBodyAsStream();
if (is == null) {
return null;
@@ -296,7 +297,13 @@ public class HttpProducer extends DefaultProducer {
InputStream response = doExtractResponseBodyAsStream(is, exchange);
// if content type is a serialized java object then de-serialize it
back to a Java object
if (contentType != null &&
contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- return HttpHelper.deserializeJavaObjectFromStream(response);
+ // only deserialize java if allowed
+ if (getEndpoint().getComponent().isAllowJavaSerializedObject() ||
getEndpoint().isTransferException()) {
+ return HttpHelper.deserializeJavaObjectFromStream(response);
+ } else {
+ // empty response
+ return null;
+ }
} else {
return response;
}
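Review bot: The new check `getEndpoint().getComponent().isAllowJavaSerializedObject()` dereferences the component with no null guard, while the DefaultHttpBinding hunk in this same commit explicitly handles a null component, so an endpoint without a component would NPE here instead of being treated as disallowed. The disallowed branch also returns null silently, leaving no trace that a serialized response was dropped, and the `isTransferException()` alternative still means a server can push arbitrary serialized objects at a client that has transferException on, which deserves a comment. I would rewrite the branch as below, using the class logger if it is declared in this class as in the rest of camel-http.
```java
if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
    // null component (endpoint built standalone) counts as not allowed
    boolean allowed = getEndpoint().getComponent() != null && getEndpoint().getComponent().isAllowJavaSerializedObject();
    // transferException also permits this, so a server can still return arbitrary serialized objects when it is on
    if (allowed || getEndpoint().isTransferException()) {
        return HttpHelper.deserializeJavaObjectFromStream(response);
    } else {
        LOG.warn("Discarding response body with content-type {}: java serialization is not allowed", contentType);
        return null;
    }
// … unchanged: else branch returning the raw stream …
```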
@@ -405,6 +412,9 @@ public class HttpProducer extends DefaultProducer {
String contentType =
ExchangeHelper.getContentType(exchange);
if (contentType != null &&
HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+ if
(!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " +
HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed",
exchange);
+ }
// serialized java object
Serializable obj =
in.getMandatoryBody(Serializable.class);
// write object to output stream