This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch fix/CAMEL-23769
in repository https://gitbox.apache.org/repos/asf/camel.git

commit e199f07d4bd98ce0d7a44a7992512f795ebcd6b6
Author: Andrea Cosentino <[email protected]>
AuthorDate: Tue Jun 23 11:47:21 2026 +0200

    CAMEL-23769: camel-http-common - apply a configurable ObjectInputFilter 
when deserializing Java objects
    
    HttpHelper.deserializeJavaObjectFromStream read a Java-serialized object via
    CamelObjectInputStream without an ObjectInputFilter. This is only reachable 
behind
    the opt-in allowJavaSerializedObject / transferException options, but the 
sibling
    camel-netty-http, camel-jms and camel-vertx-http bindings already apply a 
filter on
    that path.
    
    This aligns camel-http-common with them: a new overload applies an ObjectInputFilter
    (setObjectInputFilter) before readObject, and the existing methods delegate to it so
    all call sites (DefaultHttpBinding request side and the camel-http HttpProducer
    response side) are covered. A new deserializationFilter component option (jdk.serialFilter
    syntax) on HttpCommonComponent lets it be customised; when unset, the JVM-wide
    jdk.serialFilter is used if present, otherwise a conservative default filter (denying
    java.net.**, allowing java.**/javax.**/org.apache.camel.**, with JEP-290 graph-shape
    limits) is applied. The option is plumbed through the HttpBinding SPI (as default methods
    for backward compatibility) and wired in HttpCommonEndpoint, JettyHttpEndpoint12 and
    ServletEndpoint.
    
    Adds HttpHelperDeserializationTest and a 4.21 upgrade-guide note. 
Regenerates the
    component metadata for http, jetty, servlet and atmosphere-websocket.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../catalog/components/atmosphere-websocket.json   |  3 +-
 .../org/apache/camel/catalog/components/http.json  | 17 +++---
 .../org/apache/camel/catalog/components/https.json | 17 +++---
 .../org/apache/camel/catalog/components/jetty.json | 19 +++---
 .../apache/camel/catalog/components/servlet.json   |  3 +-
 .../atmosphere/websocket/atmosphere-websocket.json |  3 +-
 .../camel/http/common/DefaultHttpBinding.java      | 15 ++++-
 .../org/apache/camel/http/common/HttpBinding.java  | 20 +++++++
 .../camel/http/common/HttpCommonComponent.java     | 23 ++++++++
 .../camel/http/common/HttpCommonEndpoint.java      |  1 +
 .../org/apache/camel/http/common/HttpHelper.java   | 47 +++++++++++++++
 .../http/common/HttpHelperDeserializationTest.java | 67 ++++++++++++++++++++++
 .../component/http/HttpComponentConfigurer.java    |  6 ++
 .../org/apache/camel/component/http/http.json      | 17 +++---
 .../org/apache/camel/component/http/https.json     | 17 +++---
 .../apache/camel/component/http/HttpProducer.java  |  3 +-
 .../jetty12/JettyHttpComponent12Configurer.java    |  6 ++
 .../org/apache/camel/component/jetty12/jetty.json  | 19 +++---
 .../component/jetty12/JettyHttpEndpoint12.java     |  1 +
 .../servlet/ServletComponentConfigurer.java        |  6 ++
 .../apache/camel/component/servlet/servlet.json    |  3 +-
 .../camel/component/servlet/ServletEndpoint.java   |  1 +
 .../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc    | 12 ++++
 ...AtmosphereWebsocketComponentBuilderFactory.java | 22 +++++++
 .../component/dsl/HttpComponentBuilderFactory.java | 22 +++++++
 .../dsl/HttpsComponentBuilderFactory.java          | 22 +++++++
 .../dsl/JettyComponentBuilderFactory.java          | 22 +++++++
 .../dsl/ServletComponentBuilderFactory.java        | 22 +++++++
 28 files changed, 380 insertions(+), 56 deletions(-)

diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/atmosphere-websocket.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/atmosphere-websocket.json
index 519bb0231ba2..3f517b9e937a 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/atmosphere-websocket.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/atmosphere-websocket.json
@@ -36,7 +36,8 @@
     "autowiredEnabled": { "index": 8, "kind": "property", "displayName": 
"Autowired Enabled", "group": "advanced", "label": "advanced", "required": 
false, "type": "boolean", "javaType": "boolean", "deprecated": false, 
"autowired": false, "secret": false, "defaultValue": true, "description": 
"Whether autowiring is enabled. This is used for automatic autowiring options 
(the option must be marked as autowired) by looking up in the registry to find 
if there is a single instance of matching t [...]
     "httpBinding": { "index": 9, "kind": "property", "displayName": "Http 
Binding", "group": "advanced", "label": "advanced", "required": false, "type": 
"object", "javaType": "org.apache.camel.http.common.HttpBinding", "deprecated": 
false, "autowired": false, "secret": false, "description": "To use a custom 
HttpBinding to control the mapping between Camel message and HttpClient." },
     "httpConfiguration": { "index": 10, "kind": "property", "displayName": 
"Http Configuration", "group": "advanced", "label": "advanced", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.http.common.HttpConfiguration", "deprecated": false, 
"autowired": false, "secret": false, "description": "To use the shared 
HttpConfiguration as base configuration." },
-    "headerFilterStrategy": { "index": 11, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." }
+    "headerFilterStrategy": { "index": 11, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
+    "deserializationFilter": { "index": 12, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
   },
   "headers": {
     "websocket.connectionKey": { "index": 0, "kind": "header", "displayName": 
"", "group": "common", "label": "", "required": false, "javaType": 
"java.lang.String", "deprecated": false, "deprecationNote": "", "autowired": 
false, "secret": false, "description": "The connection key.", "constantName": 
"org.apache.camel.component.atmosphere.websocket.WebsocketConstants#CONNECTION_KEY"
 },
diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/http.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/http.json
index 017fdf1f81ff..bdc7b56cb5c9 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/http.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/http.json
@@ -69,14 +69,15 @@
     "proxyAuthUsername": { "index": 39, "kind": "property", "displayName": 
"Proxy Auth Username", "group": "proxy", "label": "producer,proxy", "required": 
false, "type": "string", "javaType": "java.lang.String", "deprecated": false, 
"autowired": false, "secret": true, "security": "secret", "description": "Proxy 
server username" },
     "proxyHost": { "index": 40, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server host" },
     "proxyPort": { "index": 41, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server port" },
-    "hostnameVerificationPolicy": { "index": 42, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
-    "sslContextParameters": { "index": 43, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
-    "useGlobalSslContextParameters": { "index": 44, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
-    "x509HostnameVerifier": { "index": 45, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
-    "connectionRequestTimeout": { "index": 46, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
-    "connectTimeout": { "index": 47, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
-    "responseTimeout": { "index": 48, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
-    "soTimeout": { "index": 49, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
+    "deserializationFilter": { "index": 42, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "hostnameVerificationPolicy": { "index": 43, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
+    "sslContextParameters": { "index": 44, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
+    "useGlobalSslContextParameters": { "index": 45, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
+    "x509HostnameVerifier": { "index": 46, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
+    "connectionRequestTimeout": { "index": 47, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
+    "connectTimeout": { "index": 48, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
+    "responseTimeout": { "index": 49, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
+    "soTimeout": { "index": 50, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
   },
   "headers": {
     "Content-Encoding": { "index": 0, "kind": "header", "displayName": "", 
"group": "producer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The HTTP content encoding. Is set on both the IN and OUT 
message to provide a content encoding, such as gzip.", "constantName": 
"org.apache.camel.component.http.HttpConstants#CONTENT_ENCODING" },
diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/https.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/https.json
index 26d0e1ee3ece..8d45f21dd412 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/https.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/https.json
@@ -69,14 +69,15 @@
     "proxyAuthUsername": { "index": 39, "kind": "property", "displayName": 
"Proxy Auth Username", "group": "proxy", "label": "producer,proxy", "required": 
false, "type": "string", "javaType": "java.lang.String", "deprecated": false, 
"autowired": false, "secret": true, "security": "secret", "description": "Proxy 
server username" },
     "proxyHost": { "index": 40, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server host" },
     "proxyPort": { "index": 41, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server port" },
-    "hostnameVerificationPolicy": { "index": 42, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
-    "sslContextParameters": { "index": 43, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
-    "useGlobalSslContextParameters": { "index": 44, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
-    "x509HostnameVerifier": { "index": 45, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
-    "connectionRequestTimeout": { "index": 46, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
-    "connectTimeout": { "index": 47, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
-    "responseTimeout": { "index": 48, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
-    "soTimeout": { "index": 49, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
+    "deserializationFilter": { "index": 42, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "hostnameVerificationPolicy": { "index": 43, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
+    "sslContextParameters": { "index": 44, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
+    "useGlobalSslContextParameters": { "index": 45, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
+    "x509HostnameVerifier": { "index": 46, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
+    "connectionRequestTimeout": { "index": 47, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
+    "connectTimeout": { "index": 48, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
+    "responseTimeout": { "index": 49, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
+    "soTimeout": { "index": 50, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
   },
   "headers": {
     "Content-Encoding": { "index": 0, "kind": "header", "displayName": "", 
"group": "producer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The HTTP content encoding. Is set on both the IN and OUT 
message to provide a content encoding, such as gzip.", "constantName": 
"org.apache.camel.component.http.HttpConstants#CONTENT_ENCODING" },
diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/jetty.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/jetty.json
index 80b549c359cb..eae916bd357a 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/jetty.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/jetty.json
@@ -54,15 +54,16 @@
     "headerFilterStrategy": { "index": 26, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
     "proxyHost": { "index": 27, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "proxy", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "To use a http proxy to 
configure the hostname." },
     "proxyPort": { "index": 28, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
use a http proxy to configure the port number." },
-    "keystore": { "index": 29, "kind": "property", "displayName": "Keystore", 
"group": "security", "label": "security", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "Specifies the location of 
the Java keystore file, which contains the Jetty server's own X.509 certificate 
in a key entry." },
-    "socketConnectorProperties": { "index": 30, "kind": "property", 
"displayName": "Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general HTTP connector properties. Uses the same principle 
as sslSocketConnectorProperties." },
-    "socketConnectors": { "index": 31, "kind": "property", "displayName": 
"Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific HTTP connectors. Uses the same 
principle as sslSocketConnectors." },
-    "sslContextParameters": { "index": 32, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
configure security using SSLContextParameters" },
-    "sslKeyPassword": { "index": 33, "kind": "property", "displayName": "Ssl 
Key Password", "group": "security", "label": "security", "required": false, 
"type": "string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The key password, which is used to access the 
certificate's key entry in the keystore (this is the same password that is 
supplied to the keystore command's -keypass option)." },
-    "sslPassword": { "index": 34, "kind": "property", "displayName": "Ssl 
Password", "group": "security", "label": "security", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The ssl password, which is required to access the 
keystore file (this is the same password that is supplied to the keystore 
command's -storepass option)." },
-    "sslSocketConnectorProperties": { "index": 35, "kind": "property", 
"displayName": "Ssl Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general SSL connector properties." },
-    "sslSocketConnectors": { "index": 36, "kind": "property", "displayName": 
"Ssl Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific SSL connectors." },
-    "useGlobalSslContextParameters": { "index": 37, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "deprecationNote": "", "autowired": false, 
"secret": false, "defaultValue": false, "description": "Enable usage of global 
SSL context parameters" }
+    "deserializationFilter": { "index": 29, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "keystore": { "index": 30, "kind": "property", "displayName": "Keystore", 
"group": "security", "label": "security", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "Specifies the location of 
the Java keystore file, which contains the Jetty server's own X.509 certificate 
in a key entry." },
+    "socketConnectorProperties": { "index": 31, "kind": "property", 
"displayName": "Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general HTTP connector properties. Uses the same principle 
as sslSocketConnectorProperties." },
+    "socketConnectors": { "index": 32, "kind": "property", "displayName": 
"Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific HTTP connectors. Uses the same 
principle as sslSocketConnectors." },
+    "sslContextParameters": { "index": 33, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
configure security using SSLContextParameters" },
+    "sslKeyPassword": { "index": 34, "kind": "property", "displayName": "Ssl 
Key Password", "group": "security", "label": "security", "required": false, 
"type": "string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The key password, which is used to access the 
certificate's key entry in the keystore (this is the same password that is 
supplied to the keystore command's -keypass option)." },
+    "sslPassword": { "index": 35, "kind": "property", "displayName": "Ssl 
Password", "group": "security", "label": "security", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The ssl password, which is required to access the 
keystore file (this is the same password that is supplied to the keystore 
command's -storepass option)." },
+    "sslSocketConnectorProperties": { "index": 36, "kind": "property", 
"displayName": "Ssl Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general SSL connector properties." },
+    "sslSocketConnectors": { "index": 37, "kind": "property", "displayName": 
"Ssl Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific SSL connectors." },
+    "useGlobalSslContextParameters": { "index": 38, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "deprecationNote": "", "autowired": false, 
"secret": false, "defaultValue": false, "description": "Enable usage of global 
SSL context parameters" }
   },
   "headers": {
     "CamelServletContextPath": { "index": 0, "kind": "header", "displayName": 
"", "group": "consumer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The servlet context path used", "constantName": 
"org.apache.camel.component.jetty.JettyHttpConstants#SERVLET_CONTEXT_PATH" },
diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/servlet.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/servlet.json
index 77a1b781ed15..8dd7b138314c 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/servlet.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/servlet.json
@@ -35,7 +35,8 @@
     "autowiredEnabled": { "index": 7, "kind": "property", "displayName": 
"Autowired Enabled", "group": "advanced", "label": "advanced", "required": 
false, "type": "boolean", "javaType": "boolean", "deprecated": false, 
"autowired": false, "secret": false, "defaultValue": true, "description": 
"Whether autowiring is enabled. This is used for automatic autowiring options 
(the option must be marked as autowired) by looking up in the registry to find 
if there is a single instance of matching t [...]
     "httpBinding": { "index": 8, "kind": "property", "displayName": "Http 
Binding", "group": "advanced", "label": "advanced", "required": false, "type": 
"object", "javaType": "org.apache.camel.http.common.HttpBinding", "deprecated": 
false, "autowired": false, "secret": false, "description": "To use a custom 
HttpBinding to control the mapping between Camel message and HttpClient." },
     "httpConfiguration": { "index": 9, "kind": "property", "displayName": 
"Http Configuration", "group": "advanced", "label": "advanced", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.http.common.HttpConfiguration", "deprecated": false, 
"autowired": false, "secret": false, "description": "To use the shared 
HttpConfiguration as base configuration." },
-    "headerFilterStrategy": { "index": 10, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." }
+    "headerFilterStrategy": { "index": 10, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
+    "deserializationFilter": { "index": 11, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
   },
   "properties": {
     "contextPath": { "index": 0, "kind": "path", "displayName": "Context 
Path", "group": "consumer", "label": "consumer", "required": true, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "The 
context-path to use" },
diff --git 
a/components/camel-atmosphere-websocket/src/generated/resources/META-INF/org/apache/camel/component/atmosphere/websocket/atmosphere-websocket.json
 
b/components/camel-atmosphere-websocket/src/generated/resources/META-INF/org/apache/camel/component/atmosphere/websocket/atmosphere-websocket.json
index 519bb0231ba2..3f517b9e937a 100644
--- 
a/components/camel-atmosphere-websocket/src/generated/resources/META-INF/org/apache/camel/component/atmosphere/websocket/atmosphere-websocket.json
+++ 
b/components/camel-atmosphere-websocket/src/generated/resources/META-INF/org/apache/camel/component/atmosphere/websocket/atmosphere-websocket.json
@@ -36,7 +36,8 @@
     "autowiredEnabled": { "index": 8, "kind": "property", "displayName": 
"Autowired Enabled", "group": "advanced", "label": "advanced", "required": 
false, "type": "boolean", "javaType": "boolean", "deprecated": false, 
"autowired": false, "secret": false, "defaultValue": true, "description": 
"Whether autowiring is enabled. This is used for automatic autowiring options 
(the option must be marked as autowired) by looking up in the registry to find 
if there is a single instance of matching t [...]
     "httpBinding": { "index": 9, "kind": "property", "displayName": "Http 
Binding", "group": "advanced", "label": "advanced", "required": false, "type": 
"object", "javaType": "org.apache.camel.http.common.HttpBinding", "deprecated": 
false, "autowired": false, "secret": false, "description": "To use a custom 
HttpBinding to control the mapping between Camel message and HttpClient." },
     "httpConfiguration": { "index": 10, "kind": "property", "displayName": 
"Http Configuration", "group": "advanced", "label": "advanced", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.http.common.HttpConfiguration", "deprecated": false, 
"autowired": false, "secret": false, "description": "To use the shared 
HttpConfiguration as base configuration." },
-    "headerFilterStrategy": { "index": 11, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." }
+    "headerFilterStrategy": { "index": 11, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
+    "deserializationFilter": { "index": 12, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
   },
   "headers": {
     "websocket.connectionKey": { "index": 0, "kind": "header", "displayName": 
"", "group": "common", "label": "", "required": false, "javaType": 
"java.lang.String", "deprecated": false, "deprecationNote": "", "autowired": 
false, "secret": false, "description": "The connection key.", "constantName": 
"org.apache.camel.component.atmosphere.websocket.WebsocketConstants#CONNECTION_KEY"
 },
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index 8210112d1c7e..f334e6e0c8e9 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -89,6 +89,7 @@ public class DefaultHttpBinding implements HttpBinding {
     private boolean muteException;
     private boolean logException;
     private boolean allowJavaSerializedObject;
+    private String deserializationFilter;
     private boolean mapHttpMessageBody = true;
     private boolean mapHttpMessageHeaders = true;
     private boolean mapHttpMessageFormUrlEncodedBody = true;
@@ -111,6 +112,7 @@ public class DefaultHttpBinding implements HttpBinding {
         this.logException = endpoint.isLogException();
         if (endpoint.getComponent() != null) {
             this.allowJavaSerializedObject = 
endpoint.getComponent().isAllowJavaSerializedObject();
+            this.deserializationFilter = 
endpoint.getComponent().getDeserializationFilter();
         }
     }
 
@@ -220,7 +222,8 @@ public class DefaultHttpBinding implements HttpBinding {
                 try {
                     InputStream is
                             = 
message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class,
 body);
-                    Object object = 
HttpHelper.deserializeJavaObjectFromStream(is, 
message.getExchange().getContext());
+                    Object object = 
HttpHelper.deserializeJavaObjectFromStream(is, 
message.getExchange().getContext(),
+                            deserializationFilter);
                     if (object != null) {
                         message.setBody(object);
                     }
@@ -706,6 +709,16 @@ public class DefaultHttpBinding implements HttpBinding {
         this.allowJavaSerializedObject = allowJavaSerializedObject;
     }
 
+    @Override
+    public String getDeserializationFilter() {
+        return deserializationFilter;
+    }
+
+    @Override
+    public void setDeserializationFilter(String deserializationFilter) {
+        this.deserializationFilter = deserializationFilter;
+    }
+
     @Override
     public HeaderFilterStrategy getHeaderFilterStrategy() {
         return headerFilterStrategy;
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java
index 95f4a1845c26..39b0447d37dd 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java
@@ -208,6 +208,26 @@ public interface HttpBinding {
      */
     void setAllowJavaSerializedObject(boolean allowJavaSerializedObject);
 
+    /**
+     * The {@link java.io.ObjectInputFilter} pattern ({@code jdk.serialFilter} 
syntax) applied when deserializing Java
+     * objects from {@code application/x-java-serialized-object} payloads, or 
{@code null} to fall back to the JVM-wide
+     * filter or the default Camel filter.
+     */
+    default String getDeserializationFilter() {
+        return null;
+    }
+
+    /**
+     * Sets an {@link java.io.ObjectInputFilter} pattern ({@code 
jdk.serialFilter} syntax) applied as a defense-in-depth
+     * measure when deserializing Java objects from {@code 
application/x-java-serialized-object} payloads on the opt-in
+     * {@code allowJavaSerializedObject} / {@code transferException} path.
+     *
+     * @param deserializationFilter the filter pattern, or {@code null} to use 
the JVM-wide or default filter
+     */
+    default void setDeserializationFilter(String deserializationFilter) {
+        // no-op by default for backward compatibility with external 
HttpBinding implementations
+    }
+
     /**
      * Gets the header filter strategy
      *
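Review bot: The Javadoc on the new default `getDeserializationFilter` is a noun phrase with no `@return`, unlike the neighbouring accessor documented as `Gets the header filter strategy`; rewrite it as `Gets the {@link java.io.ObjectInputFilter} pattern ... @return the pattern, or {@code null} to fall back to the JVM-wide filter or the default Camel filter.` The no-op default setter should also tell implementors that a binding which keeps its own copy of the pattern must override both methods, otherwise the value wired in by `HttpCommonEndpoint.setDeserializationFilter` is dropped and the default filter applies.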
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
index f1a4f1eb0945..d3d50c819cb2 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java
@@ -37,6 +37,14 @@ public abstract class HttpCommonComponent extends 
HeaderFilterStrategyComponent
                             + " This is by default turned off. "
                             + " If you enable this then be aware that Java 
will deserialize the incoming data from the request to Java and that can be a 
potential security risk.")
     protected boolean allowJavaSerializedObject;
+    @Metadata(label = "advanced,security",
+              description = "Sets an ObjectInputFilter pattern 
(jdk.serialFilter syntax) applied when deserializing"
+                            + " Java objects from requests or responses with 
Content-Type"
+                            + " application/x-java-serialized-object (only 
used when allowJavaSerializedObject or"
+                            + " transferException is enabled). When not set, 
the JVM-wide jdk.serialFilter is used if"
+                            + " present; otherwise a conservative default 
filter denying java.net.* and otherwise"
+                            + " allowing java.*, javax.* and 
org.apache.camel.* packages is applied.")
+    protected String deserializationFilter;
 
     protected HttpCommonComponent() {
     }
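Review bot: The `@Metadata` description on `deserializationFilter` says the default filter denies `java.net.*` and allows `java.*`, `javax.*` and `org.apache.camel.*`, but the pattern that is actually applied (`DEFAULT_DESERIALIZATION_FILTER` in HttpHelper, this same commit) uses the double-star forms `java.net.**`, `java.**`, `javax.**`, `org.apache.camel.**`. In `jdk.serialFilter` syntax `java.net.*` matches only classes directly in that package whereas `java.net.**` also covers subpackages, so the text understates both what is denied and what is allowed. Since this description is what the generated catalog JSON and docs publish, change the four globs to their `**` form and add that the pattern ends in `!*`, e.g. `" ... allowing java.**, javax.** and org.apache.camel.** and rejecting every other class (!*) is applied."`. It would also help to state here whether a malformed pattern is rejected at configuration time or only when the first payload is deserialized.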
@@ -155,4 +163,19 @@ public abstract class HttpCommonComponent extends 
HeaderFilterStrategyComponent
         this.allowJavaSerializedObject = allowJavaSerializedObject;
     }
 
+    public String getDeserializationFilter() {
+        return deserializationFilter;
+    }
+
+    /**
+     * Sets an {@link java.io.ObjectInputFilter} pattern (same syntax as 
{@code jdk.serialFilter}) applied when
+     * deserializing Java objects from requests or responses with Content-Type
+     * {@code application/x-java-serialized-object}, as a defense-in-depth 
measure on the opt-in
+     * {@code allowJavaSerializedObject} / {@code transferException} path. 
When not set, the JVM-wide
+     * {@code jdk.serialFilter} is used if present, otherwise a conservative 
default filter is applied.
+     */
+    public void setDeserializationFilter(String deserializationFilter) {
+        this.deserializationFilter = deserializationFilter;
+    }
+
 }
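Review bot: `setDeserializationFilter` stores any string, so a malformed pattern is only detected when `ObjectInputFilter.Config.createFilter` runs on the first request or response that is deserialized (in `HttpHelper.resolveDeserializationFilter`), where it surfaces as an unchecked `IllegalArgumentException` in the middle of message processing rather than at startup. Validating the pattern in the setter fails fast at configuration time and needs only `import java.io.ObjectInputFilter;`; the null/blank case must stay accepted because `HttpCommonEndpoint` passes the component value through unconditionally. The getter added just above also lacks Javadoc; a one-liner `/** Gets the ObjectInputFilter pattern, or {@code null} when the JVM-wide or default filter is used. */` matches the other accessors in this class.
```java
public void setDeserializationFilter(String deserializationFilter) {
    if (deserializationFilter != null && !deserializationFilter.isBlank()) {
        // fail fast on a malformed pattern instead of at the first deserialized payload
        ObjectInputFilter.Config.createFilter(deserializationFilter);
    }
    this.deserializationFilter = deserializationFilter;
}
```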
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
index 84856171b86b..84dc6fd9f138 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java
@@ -278,6 +278,7 @@ public abstract class HttpCommonEndpoint extends 
DefaultEndpoint
             httpBinding.setMuteException(isMuteException());
             if (getComponent() != null) {
                 
httpBinding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+                
httpBinding.setDeserializationFilter(getComponent().getDeserializationFilter());
             }
             
httpBinding.setEagerCheckContentAvailable(isEagerCheckContentAvailable());
             httpBinding.setMapHttpMessageBody(isMapHttpMessageBody());
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
index ee5496f6e81a..7f7a3f613e39 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
@@ -18,6 +18,7 @@ package org.apache.camel.http.common;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
@@ -40,9 +41,23 @@ import org.apache.camel.util.CollectionHelper;
 import org.apache.camel.util.IOHelper;
 import org.apache.camel.util.URISupport;
 import org.apache.camel.util.UnsafeUriCharactersEncoder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public final class HttpHelper {
 
+    /**
+     * Default {@link ObjectInputFilter} pattern applied when deserializing 
Java objects with Content-Type
+     * {@code application/x-java-serialized-object}. Allows standard Java and 
Apache Camel types, denies
+     * {@code java.net.**}, and applies JEP-290 graph-shape limits ({@code 
maxdepth}, {@code maxrefs}, {@code maxbytes})
+     * as defense-in-depth. Can be overridden per-component via the {@code 
deserializationFilter} option or globally via
+     * the JVM system property {@code jdk.serialFilter}.
+     */
+    static final String DEFAULT_DESERIALIZATION_FILTER
+            = 
"!java.net.**;java.**;javax.**;org.apache.camel.**;maxdepth=20;maxrefs=10000;maxbytes=10485760;!*";
+
+    private static final Logger LOG = 
LoggerFactory.getLogger(HttpHelper.class);
+
     private HttpHelper() {
         // Helper class
     }
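Review bot: The Javadoc on `DEFAULT_DESERIALIZATION_FILTER` describes the pattern as a conservative default, but `java.**;javax.**` admits the entire JDK class graph apart from `java.net`, which is far wider than the message bodies and transferred exceptions this path carries in practice. The doc should make clear that this is a safety net rather than an allow-list tuned to a deployment's payloads, e.g. add `* This default is a broad safety net; deployments that accept serialized objects should set {@code deserializationFilter} to the specific classes they expect.` It should also spell out that the trailing `{@code !*}` rejects every class not matched by the listed packages, since that is what makes the pattern an allow-list rather than a deny-list.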
@@ -112,12 +127,31 @@ public final class HttpHelper {
      */
     public static Object deserializeJavaObjectFromStream(InputStream is, 
CamelContext context)
             throws ClassNotFoundException, IOException {
+        return deserializeJavaObjectFromStream(is, context, null);
+    }
+
+    /**
+     * Deserializes the input stream to a Java object, applying an {@link 
ObjectInputFilter} as a defense-in-depth
+     * measure against unsafe deserialization.
+     *
+     * @param  is                     input stream for the Java object
+     * @param  context                the camel context which could help us to 
apply the customer classloader
+     * @param  deserializationFilter  an {@link ObjectInputFilter} pattern 
(same syntax as {@code jdk.serialFilter}) to
+     *                                apply; when {@code null} or blank the 
JVM-wide {@code jdk.serialFilter} is used if
+     *                                present, otherwise {@link 
#DEFAULT_DESERIALIZATION_FILTER} is applied
+     * @return                        the java object, or <tt>null</tt> if 
input stream was <tt>null</tt>
+     * @throws ClassNotFoundException is thrown if class not found
+     * @throws IOException            can be thrown
+     */
+    public static Object deserializeJavaObjectFromStream(InputStream is, 
CamelContext context, String deserializationFilter)
+            throws ClassNotFoundException, IOException {
         if (is == null) {
             return null;
         }
 
         Object answer;
         ObjectInputStream ois = new CamelObjectInputStream(is, context);
+        
ois.setObjectInputFilter(resolveDeserializationFilter(deserializationFilter));
         try {
             answer = ois.readObject();
         } finally {
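Review bot: `ois.setObjectInputFilter(resolveDeserializationFilter(deserializationFilter))` runs after the stream is constructed but before the `try`/`finally` that closes it, so if `createFilter` rejects a malformed configured pattern with `IllegalArgumentException`, or `setObjectInputFilter` throws `IllegalStateException` because a filter was already set on the stream, `ois` and the underlying `is` are never closed. Move the call inside the block: `try { ois.setObjectInputFilter(resolveDeserializationFilter(deserializationFilter)); answer = ois.readObject(); }`, or resolve the filter into a local before `new CamelObjectInputStream(is, context)` so nothing that can throw sits between stream creation and the `try`. The `finally` body and the `return answer` of this method lie outside the hunk. The new overload's `@param deserializationFilter` should also say that a malformed pattern results in an unchecked `IllegalArgumentException`, since callers catch only `ClassNotFoundException`/`IOException`.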
@@ -127,6 +161,19 @@ public final class HttpHelper {
         return answer;
     }
 
+    private static ObjectInputFilter resolveDeserializationFilter(String 
configuredPattern) {
+        if (configuredPattern != null && !configuredPattern.isBlank()) {
+            return ObjectInputFilter.Config.createFilter(configuredPattern);
+        }
+        ObjectInputFilter jvmFilter = 
ObjectInputFilter.Config.getSerialFilter();
+        if (jvmFilter != null) {
+            return jvmFilter;
+        }
+        LOG.debug("No JVM-wide deserialization filter (jdk.serialFilter) is 
set; applying the default Camel filter: {}",
+                DEFAULT_DESERIALIZATION_FILTER);
+        return 
ObjectInputFilter.Config.createFilter(DEFAULT_DESERIALIZATION_FILTER);
+    }
+
     /**
      * Reads the request body from the given http servlet request.
      *
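Review bot: `resolveDeserializationFilter` returns the configured pattern alone whenever one is set, and with the JDK's builtin filter factory a filter passed to `setObjectInputFilter` replaces the stream's JVM-wide `jdk.serialFilter` rather than combining with it, so a component-level `deserializationFilter` can silently loosen a stricter policy the operator set on the JVM; the Javadoc on the new overload only describes the null/blank fallback. Consider composing the two when both exist, e.g. `return ObjectInputFilter.merge(ObjectInputFilter.Config.createFilter(configuredPattern), jvmFilter);` (JDK 17+, a REJECTED from either filter wins), or at least document that the option overrides the JVM-wide filter. Separately, `createFilter` re-parses the pattern on every deserialization; the default can be built once into a `private static final ObjectInputFilter` and the configured pattern is cheap enough to parse per call but worth a comment saying so.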
diff --git 
a/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperDeserializationTest.java
 
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperDeserializationTest.java
new file mode 100644
index 000000000000..81514e373217
--- /dev/null
+++ 
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperDeserializationTest.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.http.common;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.net.InetSocketAddress;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class HttpHelperDeserializationTest {
+
+    private static byte[] serialize(Serializable object) throws Exception {
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            oos.writeObject(object);
+        }
+        return bos.toByteArray();
+    }
+
+    @Test
+    public void configuredFilterRejectsDeniedClass() throws Exception {
+        // use a real object (not a String, which is serialized as TC_STRING 
and bypasses the class filter)
+        InputStream is = new ByteArrayInputStream(serialize(new 
ArrayList<>(List.of("a", "b"))));
+        // a configured filter that denies everything must reject the 
ArrayList class
+        assertThrows(InvalidClassException.class,
+                () -> HttpHelper.deserializeJavaObjectFromStream(is, null, 
"!*"));
+    }
+
+    @Test
+    public void configuredFilterAllowsPermittedClass() throws Exception {
+        InputStream is = new ByteArrayInputStream(serialize(new 
ArrayList<>(List.of("a", "b"))));
+        // a configured filter that allows the java.* packages must let the 
ArrayList (and its elements) through
+        assertEquals(List.of("a", "b"), 
HttpHelper.deserializeJavaObjectFromStream(is, null, "java.**;!*"));
+    }
+
+    @Test
+    public void defaultFilterDeniesJavaNetPackage() throws Exception {
+        InputStream is = new ByteArrayInputStream(serialize(new 
InetSocketAddress("localhost", 80)));
+        // with no configured/JVM filter, the default Camel filter denies 
java.net.**
+        assertThrows(InvalidClassException.class,
+                () -> HttpHelper.deserializeJavaObjectFromStream(is, null));
+    }
+}
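Review bot: `defaultFilterDeniesJavaNetPackage` assumes no JVM-wide filter is set in the test JVM; if the surefire argLine or `JAVA_TOOL_OPTIONS` carries a `-Djdk.serialFilter`, `resolveDeserializationFilter` returns that filter instead of the Camel default and the test either fails or passes for an unrelated reason. Guard it with `assumeTrue(ObjectInputFilter.Config.getSerialFilter() == null, "test requires no JVM-wide jdk.serialFilter");` (from `org.junit.jupiter.api.Assumptions`, plus `import java.io.ObjectInputFilter;`). The blank-pattern fallback (`""` behaving like `null`) and a malformed pattern are not covered; each is a one-line addition mirroring the existing cases, e.g. `assertThrows(IllegalArgumentException.class, () -> HttpHelper.deserializeJavaObjectFromStream(is, null, "not a [valid pattern"));`.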
diff --git 
a/components/camel-http/src/generated/java/org/apache/camel/component/http/HttpComponentConfigurer.java
 
b/components/camel-http/src/generated/java/org/apache/camel/component/http/HttpComponentConfigurer.java
index d67699d04c76..0a7fe2dadcb6 100644
--- 
a/components/camel-http/src/generated/java/org/apache/camel/component/http/HttpComponentConfigurer.java
+++ 
b/components/camel-http/src/generated/java/org/apache/camel/component/http/HttpComponentConfigurer.java
@@ -55,6 +55,8 @@ public class HttpComponentConfigurer extends 
PropertyConfigurerSupport implement
         case "copyHeaders": target.setCopyHeaders(property(camelContext, 
boolean.class, value)); return true;
         case "defaultuseragentdisabled":
         case "defaultUserAgentDisabled": 
target.setDefaultUserAgentDisabled(property(camelContext, boolean.class, 
value)); return true;
+        case "deserializationfilter":
+        case "deserializationFilter": 
target.setDeserializationFilter(property(camelContext, java.lang.String.class, 
value)); return true;
         case "followredirects":
         case "followRedirects": 
target.setFollowRedirects(property(camelContext, boolean.class, value)); return 
true;
         case "headerfilterstrategy":
@@ -167,6 +169,8 @@ public class HttpComponentConfigurer extends 
PropertyConfigurerSupport implement
         case "copyHeaders": return boolean.class;
         case "defaultuseragentdisabled":
         case "defaultUserAgentDisabled": return boolean.class;
+        case "deserializationfilter":
+        case "deserializationFilter": return java.lang.String.class;
         case "followredirects":
         case "followRedirects": return boolean.class;
         case "headerfilterstrategy":
@@ -275,6 +279,8 @@ public class HttpComponentConfigurer extends 
PropertyConfigurerSupport implement
         case "copyHeaders": return target.isCopyHeaders();
         case "defaultuseragentdisabled":
         case "defaultUserAgentDisabled": return 
target.isDefaultUserAgentDisabled();
+        case "deserializationfilter":
+        case "deserializationFilter": return target.getDeserializationFilter();
         case "followredirects":
         case "followRedirects": return target.isFollowRedirects();
         case "headerfilterstrategy":
diff --git 
a/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/http.json
 
b/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/http.json
index 017fdf1f81ff..bdc7b56cb5c9 100644
--- 
a/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/http.json
+++ 
b/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/http.json
@@ -69,14 +69,15 @@
     "proxyAuthUsername": { "index": 39, "kind": "property", "displayName": 
"Proxy Auth Username", "group": "proxy", "label": "producer,proxy", "required": 
false, "type": "string", "javaType": "java.lang.String", "deprecated": false, 
"autowired": false, "secret": true, "security": "secret", "description": "Proxy 
server username" },
     "proxyHost": { "index": 40, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server host" },
     "proxyPort": { "index": 41, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server port" },
-    "hostnameVerificationPolicy": { "index": 42, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
-    "sslContextParameters": { "index": 43, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
-    "useGlobalSslContextParameters": { "index": 44, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
-    "x509HostnameVerifier": { "index": 45, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
-    "connectionRequestTimeout": { "index": 46, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
-    "connectTimeout": { "index": 47, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
-    "responseTimeout": { "index": 48, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
-    "soTimeout": { "index": 49, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
+    "deserializationFilter": { "index": 42, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "hostnameVerificationPolicy": { "index": 43, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
+    "sslContextParameters": { "index": 44, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
+    "useGlobalSslContextParameters": { "index": 45, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
+    "x509HostnameVerifier": { "index": 46, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
+    "connectionRequestTimeout": { "index": 47, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
+    "connectTimeout": { "index": 48, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
+    "responseTimeout": { "index": 49, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
+    "soTimeout": { "index": 50, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
   },
   "headers": {
     "Content-Encoding": { "index": 0, "kind": "header", "displayName": "", 
"group": "producer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The HTTP content encoding. Is set on both the IN and OUT 
message to provide a content encoding, such as gzip.", "constantName": 
"org.apache.camel.component.http.HttpConstants#CONTENT_ENCODING" },
diff --git 
a/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/https.json
 
b/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/https.json
index 26d0e1ee3ece..8d45f21dd412 100644
--- 
a/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/https.json
+++ 
b/components/camel-http/src/generated/resources/META-INF/org/apache/camel/component/http/https.json
@@ -69,14 +69,15 @@
     "proxyAuthUsername": { "index": 39, "kind": "property", "displayName": 
"Proxy Auth Username", "group": "proxy", "label": "producer,proxy", "required": 
false, "type": "string", "javaType": "java.lang.String", "deprecated": false, 
"autowired": false, "secret": true, "security": "secret", "description": "Proxy 
server username" },
     "proxyHost": { "index": 40, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server host" },
     "proxyPort": { "index": 41, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "producer,proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, "autowired": 
false, "secret": false, "description": "Proxy server port" },
-    "hostnameVerificationPolicy": { "index": 42, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
-    "sslContextParameters": { "index": 43, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
-    "useGlobalSslContextParameters": { "index": 44, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
-    "x509HostnameVerifier": { "index": 45, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
-    "connectionRequestTimeout": { "index": 46, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
-    "connectTimeout": { "index": 47, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
-    "responseTimeout": { "index": 48, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
-    "soTimeout": { "index": 49, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
+    "deserializationFilter": { "index": 42, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "hostnameVerificationPolicy": { "index": 43, "kind": "property", 
"displayName": "Hostname Verification Policy", "group": "security", "label": 
"security", "required": false, "type": "enum", "javaType": 
"org.apache.hc.client5.http.ssl.HostnameVerificationPolicy", "enum": [ 
"CLIENT", "BUILTIN", "BOTH" ], "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": "CLIENT", "description": "Controls how 
hostname verification is performed during the TLS handshake. CLIENT (def [...]
+    "sslContextParameters": { "index": 44, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"autowired": false, "secret": false, "description": "To configure security 
using SSLContextParameters. Important: Only one instance of 
org.apache.camel.support.jsse.SSLContextParameters is supported per 
HttpComponent. If y [...]
+    "useGlobalSslContextParameters": { "index": 45, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "autowired": false, "secret": false, 
"defaultValue": false, "description": "Enable usage of global SSL context 
parameters." },
+    "x509HostnameVerifier": { "index": 46, "kind": "property", "displayName": 
"X509 Hostname Verifier", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "javax.net.ssl.HostnameVerifier", 
"deprecated": false, "autowired": false, "secret": false, "description": "To 
use a custom X509HostnameVerifier such as DefaultHostnameVerifier or 
NoopHostnameVerifier." },
+    "connectionRequestTimeout": { "index": 47, "kind": "property", 
"displayName": "Connection Request Timeout", "group": "timeout", "label": 
"timeout", "required": false, "type": "integer", "javaType": "long", 
"deprecated": false, "autowired": false, "secret": false, "defaultValue": 
180000, "description": "Returns the connection lease request timeout (in 
millis) used when requesting a connection from the connection manager. A 
timeout value of zero is interpreted as a disabled timeout." },
+    "connectTimeout": { "index": 48, "kind": "property", "displayName": 
"Connect Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the timeout 
(in millis) until a new connection is fully established. A timeout value of 
zero is interpreted as an infinite timeout." },
+    "responseTimeout": { "index": 49, "kind": "property", "displayName": 
"Response Timeout", "group": "timeout", "label": "timeout", "required": false, 
"type": "integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "description": "Determines the timeout (in millis) until 
arrival of a response from the opposite endpoint. A timeout value of zero is 
interpreted as an infinite timeout. Please note that response timeout may be 
unsupported by HTTP transports w [...]
+    "soTimeout": { "index": 50, "kind": "property", "displayName": "So 
Timeout", "group": "timeout", "label": "timeout", "required": false, "type": 
"integer", "javaType": "long", "deprecated": false, "autowired": false, 
"secret": false, "defaultValue": 180000, "description": "Determines the default 
socket timeout (in millis) value for blocking I\/O operations." }
   },
   "headers": {
     "Content-Encoding": { "index": 0, "kind": "header", "displayName": "", 
"group": "producer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The HTTP content encoding. Is set on both the IN and OUT 
message to provide a content encoding, such as gzip.", "constantName": 
"org.apache.camel.component.http.HttpConstants#CONTENT_ENCODING" },
diff --git 
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
 
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
index 45a2d2e7c819..08b4267a2554 100644
--- 
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
+++ 
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
@@ -572,7 +572,8 @@ public class HttpProducer extends DefaultProducer 
implements LineNumberAware {
         if (contentType != null && 
contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
             // only deserialize java if allowed
             if (getEndpoint().getComponent().isAllowJavaSerializedObject() || 
getEndpoint().isTransferException()) {
-                return HttpHelper.deserializeJavaObjectFromStream(is, 
exchange.getContext());
+                return HttpHelper.deserializeJavaObjectFromStream(is, 
exchange.getContext(),
+                        
getEndpoint().getComponent().getDeserializationFilter());
             } else {
                 // empty response
                 return null;
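Review bot: The filter pattern passed on the added lines is re-read from the component on every response (`getEndpoint().getComponent().getDeserializationFilter()`), and when that option is null or blank the behaviour depends entirely on how the three-argument `HttpHelper.deserializeJavaObjectFromStream` resolves an unset filter, which is not visible at this call site even though, with only `transferException` enabled and `allowJavaSerializedObject` left false, the filter appears to be the only bound on what the remote response may instantiate. I would extend the comment above the condition to `// only deserialize java if allowed; the component's deserializationFilter (or the JVM jdk.serialFilter / Camel default when unset) limits the classes readObject may create`. Note also that JettyHttpEndpoint12 seems to copy the same option onto its binding once during setup, whereas this producer resolves it per call, so the two paths only agree while the component option is not changed after start. The enclosing method starts and ends outside the hunk.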
diff --git 
a/components/camel-jetty/src/generated/java/org/apache/camel/component/jetty12/JettyHttpComponent12Configurer.java
 
b/components/camel-jetty/src/generated/java/org/apache/camel/component/jetty12/JettyHttpComponent12Configurer.java
index 13fc261e12e8..5ffaef30e1d6 100644
--- 
a/components/camel-jetty/src/generated/java/org/apache/camel/component/jetty12/JettyHttpComponent12Configurer.java
+++ 
b/components/camel-jetty/src/generated/java/org/apache/camel/component/jetty12/JettyHttpComponent12Configurer.java
@@ -31,6 +31,8 @@ public class JettyHttpComponent12Configurer extends 
PropertyConfigurerSupport im
         case "bridgeErrorHandler": 
target.setBridgeErrorHandler(property(camelContext, boolean.class, value)); 
return true;
         case "continuationtimeout":
         case "continuationTimeout": 
target.setContinuationTimeout(property(camelContext, java.lang.Long.class, 
value)); return true;
+        case "deserializationfilter":
+        case "deserializationFilter": 
target.setDeserializationFilter(property(camelContext, java.lang.String.class, 
value)); return true;
         case "enablejmx":
         case "enableJmx": target.setEnableJmx(property(camelContext, 
boolean.class, value)); return true;
         case "errorhandler":
@@ -113,6 +115,8 @@ public class JettyHttpComponent12Configurer extends 
PropertyConfigurerSupport im
         case "bridgeErrorHandler": return boolean.class;
         case "continuationtimeout":
         case "continuationTimeout": return java.lang.Long.class;
+        case "deserializationfilter":
+        case "deserializationFilter": return java.lang.String.class;
         case "enablejmx":
         case "enableJmx": return boolean.class;
         case "errorhandler":
@@ -196,6 +200,8 @@ public class JettyHttpComponent12Configurer extends 
PropertyConfigurerSupport im
         case "bridgeErrorHandler": return target.isBridgeErrorHandler();
         case "continuationtimeout":
         case "continuationTimeout": return target.getContinuationTimeout();
+        case "deserializationfilter":
+        case "deserializationFilter": return target.getDeserializationFilter();
         case "enablejmx":
         case "enableJmx": return target.isEnableJmx();
         case "errorhandler":
diff --git 
a/components/camel-jetty/src/generated/resources/META-INF/org/apache/camel/component/jetty12/jetty.json
 
b/components/camel-jetty/src/generated/resources/META-INF/org/apache/camel/component/jetty12/jetty.json
index 80b549c359cb..eae916bd357a 100644
--- 
a/components/camel-jetty/src/generated/resources/META-INF/org/apache/camel/component/jetty12/jetty.json
+++ 
b/components/camel-jetty/src/generated/resources/META-INF/org/apache/camel/component/jetty12/jetty.json
@@ -54,15 +54,16 @@
     "headerFilterStrategy": { "index": 26, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
     "proxyHost": { "index": 27, "kind": "property", "displayName": "Proxy 
Host", "group": "proxy", "label": "proxy", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "To use a http proxy to 
configure the hostname." },
     "proxyPort": { "index": 28, "kind": "property", "displayName": "Proxy 
Port", "group": "proxy", "label": "proxy", "required": false, "type": 
"integer", "javaType": "java.lang.Integer", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
use a http proxy to configure the port number." },
-    "keystore": { "index": 29, "kind": "property", "displayName": "Keystore", 
"group": "security", "label": "security", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "Specifies the location of 
the Java keystore file, which contains the Jetty server's own X.509 certificate 
in a key entry." },
-    "socketConnectorProperties": { "index": 30, "kind": "property", 
"displayName": "Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general HTTP connector properties. Uses the same principle 
as sslSocketConnectorProperties." },
-    "socketConnectors": { "index": 31, "kind": "property", "displayName": 
"Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific HTTP connectors. Uses the same 
principle as sslSocketConnectors." },
-    "sslContextParameters": { "index": 32, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
configure security using SSLContextParameters" },
-    "sslKeyPassword": { "index": 33, "kind": "property", "displayName": "Ssl 
Key Password", "group": "security", "label": "security", "required": false, 
"type": "string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The key password, which is used to access the 
certificate's key entry in the keystore (this is the same password that is 
supplied to the keystore command's -keypass option)." },
-    "sslPassword": { "index": 34, "kind": "property", "displayName": "Ssl 
Password", "group": "security", "label": "security", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The ssl password, which is required to access the 
keystore file (this is the same password that is supplied to the keystore 
command's -storepass option)." },
-    "sslSocketConnectorProperties": { "index": 35, "kind": "property", 
"displayName": "Ssl Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general SSL connector properties." },
-    "sslSocketConnectors": { "index": 36, "kind": "property", "displayName": 
"Ssl Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific SSL connectors." },
-    "useGlobalSslContextParameters": { "index": 37, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "deprecationNote": "", "autowired": false, 
"secret": false, "defaultValue": false, "description": "Enable usage of global 
SSL context parameters" }
+    "deserializationFilter": { "index": 29, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
+    "keystore": { "index": 30, "kind": "property", "displayName": "Keystore", 
"group": "security", "label": "security", "required": false, "type": "string", 
"javaType": "java.lang.String", "deprecated": false, "deprecationNote": "", 
"autowired": false, "secret": false, "description": "Specifies the location of 
the Java keystore file, which contains the Jetty server's own X.509 certificate 
in a key entry." },
+    "socketConnectorProperties": { "index": 31, "kind": "property", 
"displayName": "Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general HTTP connector properties. Uses the same principle 
as sslSocketConnectorProperties." },
+    "socketConnectors": { "index": 32, "kind": "property", "displayName": 
"Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific HTTP connectors. Uses the same 
principle as sslSocketConnectors." },
+    "sslContextParameters": { "index": 33, "kind": "property", "displayName": 
"Ssl Context Parameters", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.support.jsse.SSLContextParameters", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "To 
configure security using SSLContextParameters" },
+    "sslKeyPassword": { "index": 34, "kind": "property", "displayName": "Ssl 
Key Password", "group": "security", "label": "security", "required": false, 
"type": "string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The key password, which is used to access the 
certificate's key entry in the keystore (this is the same password that is 
supplied to the keystore command's -keypass option)." },
+    "sslPassword": { "index": 35, "kind": "property", "displayName": "Ssl 
Password", "group": "security", "label": "security", "required": false, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": true, "security": 
"secret", "description": "The ssl password, which is required to access the 
keystore file (this is the same password that is supplied to the keystore 
command's -storepass option)." },
+    "sslSocketConnectorProperties": { "index": 36, "kind": "property", 
"displayName": "Ssl Socket Connector Properties", "group": "security", "label": 
"security", "required": false, "type": "object", "javaType": 
"java.util.Map<java.lang.String, java.lang.Object>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains general SSL connector properties." },
+    "sslSocketConnectors": { "index": 37, "kind": "property", "displayName": 
"Ssl Socket Connectors", "group": "security", "label": "security", "required": 
false, "type": "object", "javaType": "java.util.Map<java.lang.Integer, 
org.eclipse.jetty.server.ServerConnector>", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "A 
map which contains per port number specific SSL connectors." },
+    "useGlobalSslContextParameters": { "index": 38, "kind": "property", 
"displayName": "Use Global Ssl Context Parameters", "group": "security", 
"label": "security", "required": false, "type": "boolean", "javaType": 
"boolean", "deprecated": false, "deprecationNote": "", "autowired": false, 
"secret": false, "defaultValue": false, "description": "Enable usage of global 
SSL context parameters" }
   },
   "headers": {
     "CamelServletContextPath": { "index": 0, "kind": "header", "displayName": 
"", "group": "consumer", "label": "", "required": false, "javaType": "String", 
"deprecated": false, "deprecationNote": "", "autowired": false, "secret": 
false, "description": "The servlet context path used", "constantName": 
"org.apache.camel.component.jetty.JettyHttpConstants#SERVLET_CONTEXT_PATH" },
diff --git 
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/JettyHttpEndpoint12.java
 
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/JettyHttpEndpoint12.java
index daaa94f1973e..d33c25fd60e5 100644
--- 
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/JettyHttpEndpoint12.java
+++ 
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/JettyHttpEndpoint12.java
@@ -57,6 +57,7 @@ public class JettyHttpEndpoint12 extends JettyHttpEndpoint 
implements AsyncEndpo
             this.binding.setLogException(isLogException());
             if (getComponent() != null) {
                 
this.binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+                
this.binding.setDeserializationFilter(getComponent().getDeserializationFilter());
             }
             this.binding.setHeaderFilterStrategy(getHeaderFilterStrategy());
             
this.binding.setEagerCheckContentAvailable(isEagerCheckContentAvailable());
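Review bot: The component's `deserializationFilter` is copied onto the binding only inside this `getComponent() != null` branch, so a custom `HttpBinding` supplied through the `httpBinding` component option (listed in servlet.json in this same commit) would presumably keep whatever filter it was constructed with rather than the component's value; a test that the option still takes effect with a custom binding, or a sentence in the option description saying it does not, would close that gap. The same line is added to ServletEndpoint in this commit, and the remark applies there too. When the option is unset the getter presumably returns null, and the binding/HttpHelper must then fall back to `jdk.serialFilter` or the conservative default as the commit message states; a comment on the added line, `// null = use jdk.serialFilter if set, else HttpHelper's conservative default`, would make that contract explicit at the call site. The enclosing method starts outside the hunk.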
diff --git 
a/components/camel-servlet/src/generated/java/org/apache/camel/component/servlet/ServletComponentConfigurer.java
 
b/components/camel-servlet/src/generated/java/org/apache/camel/component/servlet/ServletComponentConfigurer.java
index df380193ef4e..13de2ac27523 100644
--- 
a/components/camel-servlet/src/generated/java/org/apache/camel/component/servlet/ServletComponentConfigurer.java
+++ 
b/components/camel-servlet/src/generated/java/org/apache/camel/component/servlet/ServletComponentConfigurer.java
@@ -31,6 +31,8 @@ public class ServletComponentConfigurer extends 
PropertyConfigurerSupport implem
         case "autowiredEnabled": 
target.setAutowiredEnabled(property(camelContext, boolean.class, value)); 
return true;
         case "bridgeerrorhandler":
         case "bridgeErrorHandler": 
target.setBridgeErrorHandler(property(camelContext, boolean.class, value)); 
return true;
+        case "deserializationfilter":
+        case "deserializationFilter": 
target.setDeserializationFilter(property(camelContext, java.lang.String.class, 
value)); return true;
         case "filenameextwhitelist":
         case "fileNameExtWhitelist": 
target.setFileNameExtWhitelist(property(camelContext, java.lang.String.class, 
value)); return true;
         case "headerfilterstrategy":
@@ -60,6 +62,8 @@ public class ServletComponentConfigurer extends 
PropertyConfigurerSupport implem
         case "autowiredEnabled": return boolean.class;
         case "bridgeerrorhandler":
         case "bridgeErrorHandler": return boolean.class;
+        case "deserializationfilter":
+        case "deserializationFilter": return java.lang.String.class;
         case "filenameextwhitelist":
         case "fileNameExtWhitelist": return java.lang.String.class;
         case "headerfilterstrategy":
@@ -90,6 +94,8 @@ public class ServletComponentConfigurer extends 
PropertyConfigurerSupport implem
         case "autowiredEnabled": return target.isAutowiredEnabled();
         case "bridgeerrorhandler":
         case "bridgeErrorHandler": return target.isBridgeErrorHandler();
+        case "deserializationfilter":
+        case "deserializationFilter": return target.getDeserializationFilter();
         case "filenameextwhitelist":
         case "fileNameExtWhitelist": return target.getFileNameExtWhitelist();
         case "headerfilterstrategy":
diff --git 
a/components/camel-servlet/src/generated/resources/META-INF/org/apache/camel/component/servlet/servlet.json
 
b/components/camel-servlet/src/generated/resources/META-INF/org/apache/camel/component/servlet/servlet.json
index 77a1b781ed15..8dd7b138314c 100644
--- 
a/components/camel-servlet/src/generated/resources/META-INF/org/apache/camel/component/servlet/servlet.json
+++ 
b/components/camel-servlet/src/generated/resources/META-INF/org/apache/camel/component/servlet/servlet.json
@@ -35,7 +35,8 @@
     "autowiredEnabled": { "index": 7, "kind": "property", "displayName": 
"Autowired Enabled", "group": "advanced", "label": "advanced", "required": 
false, "type": "boolean", "javaType": "boolean", "deprecated": false, 
"autowired": false, "secret": false, "defaultValue": true, "description": 
"Whether autowiring is enabled. This is used for automatic autowiring options 
(the option must be marked as autowired) by looking up in the registry to find 
if there is a single instance of matching t [...]
     "httpBinding": { "index": 8, "kind": "property", "displayName": "Http 
Binding", "group": "advanced", "label": "advanced", "required": false, "type": 
"object", "javaType": "org.apache.camel.http.common.HttpBinding", "deprecated": 
false, "autowired": false, "secret": false, "description": "To use a custom 
HttpBinding to control the mapping between Camel message and HttpClient." },
     "httpConfiguration": { "index": 9, "kind": "property", "displayName": 
"Http Configuration", "group": "advanced", "label": "advanced", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.http.common.HttpConfiguration", "deprecated": false, 
"autowired": false, "secret": false, "description": "To use the shared 
HttpConfiguration as base configuration." },
-    "headerFilterStrategy": { "index": 10, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." }
+    "headerFilterStrategy": { "index": 10, "kind": "property", "displayName": 
"Header Filter Strategy", "group": "filter", "label": "filter", "required": 
false, "type": "object", "javaType": 
"org.apache.camel.spi.HeaderFilterStrategy", "deprecated": false, "autowired": 
false, "secret": false, "description": "To use a custom 
org.apache.camel.spi.HeaderFilterStrategy to filter header to and from Camel 
message." },
+    "deserializationFilter": { "index": 11, "kind": "property", "displayName": 
"Deserialization Filter", "group": "security", "label": "advanced,security", 
"required": false, "type": "string", "javaType": "java.lang.String", 
"deprecated": false, "autowired": false, "secret": false, "description": "Sets 
an ObjectInputFilter pattern (jdk.serialFilter syntax) applied when 
deserializing Java objects from requests or responses with Content-Type 
application\/x-java-serialized-object (only used [...]
   },
   "properties": {
     "contextPath": { "index": 0, "kind": "path", "displayName": "Context 
Path", "group": "consumer", "label": "consumer", "required": true, "type": 
"string", "javaType": "java.lang.String", "deprecated": false, 
"deprecationNote": "", "autowired": false, "secret": false, "description": "The 
context-path to use" },
diff --git 
a/components/camel-servlet/src/main/java/org/apache/camel/component/servlet/ServletEndpoint.java
 
b/components/camel-servlet/src/main/java/org/apache/camel/component/servlet/ServletEndpoint.java
index 72e18360fd23..d0bf271931f5 100644
--- 
a/components/camel-servlet/src/main/java/org/apache/camel/component/servlet/ServletEndpoint.java
+++ 
b/components/camel-servlet/src/main/java/org/apache/camel/component/servlet/ServletEndpoint.java
@@ -92,6 +92,7 @@ public class ServletEndpoint extends HttpCommonEndpoint 
implements OAuthProfileA
             this.binding.setLogException(isLogException());
             if (getComponent() != null) {
                 
this.binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+                
this.binding.setDeserializationFilter(getComponent().getDeserializationFilter());
             }
             this.binding.setHeaderFilterStrategy(getHeaderFilterStrategy());
             
this.binding.setEagerCheckContentAvailable(isEagerCheckContentAvailable());
diff --git 
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index eb57a78ee4b4..4211d69d57a5 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -1046,6 +1046,18 @@ its signature because no 
`validateSigningCertificateChain` is configured. A new
 unverifiable signed messages with an `insufficient-message-security` error 
instead of delivering them
 unverified. The default behaviour is otherwise unchanged.
 
+=== camel-http, camel-jetty, camel-servlet, camel-atmosphere-websocket
+
+The HTTP components (which share `camel-http-common`) now apply a Java 
deserialization filter
+(`ObjectInputFilter`) when deserializing 
`application/x-java-serialized-object` payloads on the opt-in
+`allowJavaSerializedObject` / `transferException` path, aligning them with 
`camel-netty-http`, `camel-jms`
+and `camel-vertx-http`. A new `deserializationFilter` component option (same 
syntax as `jdk.serialFilter`)
+can be set to customise it; when unset, the JVM-wide `jdk.serialFilter` is 
used if present, otherwise a
+conservative default filter (denying `java.net.**`, allowing `java.**` / 
`javax.**` /
+`org.apache.camel.**`, with JEP-290 graph-shape limits) is applied. This is a 
defense-in-depth measure on
+an already opt-in path; a serialized payload that was accepted before may now 
be rejected if it references
+a denied class.
+
 === camel-oauth
 
 `OAuthTokenRequest.refreshTokenGrant(...)` now sends the RFC 6749 
`refresh_token` form parameter for
diff --git 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/AtmosphereWebsocketComponentBuilderFactory.java
 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/AtmosphereWebsocketComponentBuilderFactory.java
index 09a59bcc3ee5..72d8cb4629ea 100644
--- 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/AtmosphereWebsocketComponentBuilderFactory.java
+++ 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/AtmosphereWebsocketComponentBuilderFactory.java
@@ -288,6 +288,27 @@ public interface 
AtmosphereWebsocketComponentBuilderFactory {
             doSetProperty("headerFilterStrategy", headerFilterStrategy);
             return this;
         }
+    
+        /**
+         * Sets an ObjectInputFilter pattern (jdk.serialFilter syntax) applied
+         * when deserializing Java objects from requests or responses with
+         * Content-Type application/x-java-serialized-object (only used when
+         * allowJavaSerializedObject or transferException is enabled). When not
+         * set, the JVM-wide jdk.serialFilter is used if present; otherwise a
+         * conservative default filter denying java.net. and otherwise allowing
+         * java., javax. and org.apache.camel. packages is applied.
+         * 
+         * The option is a: &lt;code&gt;java.lang.String&lt;/code&gt; type.
+         * 
+         * Group: security
+         * 
+         * @param deserializationFilter the value to set
+         * @return the dsl builder
+         */
+        default AtmosphereWebsocketComponentBuilder 
deserializationFilter(java.lang.String deserializationFilter) {
+            doSetProperty("deserializationFilter", deserializationFilter);
+            return this;
+        }
     }
 
     class AtmosphereWebsocketComponentBuilderImpl
@@ -315,6 +336,7 @@ public interface AtmosphereWebsocketComponentBuilderFactory 
{
             case "httpBinding": ((WebsocketComponent) 
component).setHttpBinding((org.apache.camel.http.common.HttpBinding) value); 
return true;
             case "httpConfiguration": ((WebsocketComponent) 
component).setHttpConfiguration((org.apache.camel.http.common.HttpConfiguration)
 value); return true;
             case "headerFilterStrategy": ((WebsocketComponent) 
component).setHeaderFilterStrategy((org.apache.camel.spi.HeaderFilterStrategy) 
value); return true;
+            case "deserializationFilter": ((WebsocketComponent) 
component).setDeserializationFilter((java.lang.String) value); return true;
             default: return false;
             }
         }
diff --git 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpComponentBuilderFactory.java
 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpComponentBuilderFactory.java
index 326562318dce..4a698fa72dc8 100644
--- 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpComponentBuilderFactory.java
+++ 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpComponentBuilderFactory.java
@@ -785,6 +785,27 @@ public interface HttpComponentBuilderFactory {
             return this;
         }
     
+        /**
+         * Sets an ObjectInputFilter pattern (jdk.serialFilter syntax) applied
+         * when deserializing Java objects from requests or responses with
+         * Content-Type application/x-java-serialized-object (only used when
+         * allowJavaSerializedObject or transferException is enabled). When not
+         * set, the JVM-wide jdk.serialFilter is used if present; otherwise a
+         * conservative default filter denying java.net. and otherwise allowing
+         * java., javax. and org.apache.camel. packages is applied.
+         * 
+         * The option is a: &lt;code&gt;java.lang.String&lt;/code&gt; type.
+         * 
+         * Group: security
+         * 
+         * @param deserializationFilter the value to set
+         * @return the dsl builder
+         */
+        default HttpComponentBuilder deserializationFilter(java.lang.String 
deserializationFilter) {
+            doSetProperty("deserializationFilter", deserializationFilter);
+            return this;
+        }
+    
         
         /**
          * Controls how hostname verification is performed during the TLS
@@ -995,6 +1016,7 @@ public interface HttpComponentBuilderFactory {
             case "proxyAuthUsername": ((HttpComponent) 
component).setProxyAuthUsername((java.lang.String) value); return true;
             case "proxyHost": ((HttpComponent) 
component).setProxyHost((java.lang.String) value); return true;
             case "proxyPort": ((HttpComponent) 
component).setProxyPort((java.lang.Integer) value); return true;
+            case "deserializationFilter": ((HttpComponent) 
component).setDeserializationFilter((java.lang.String) value); return true;
             case "hostnameVerificationPolicy": ((HttpComponent) 
component).setHostnameVerificationPolicy((org.apache.hc.client5.http.ssl.HostnameVerificationPolicy)
 value); return true;
             case "sslContextParameters": ((HttpComponent) 
component).setSslContextParameters((org.apache.camel.support.jsse.SSLContextParameters)
 value); return true;
             case "useGlobalSslContextParameters": ((HttpComponent) 
component).setUseGlobalSslContextParameters((boolean) value); return true;
diff --git 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpsComponentBuilderFactory.java
 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpsComponentBuilderFactory.java
index 4fd82afc2b11..ab81bf36ef47 100644
--- 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpsComponentBuilderFactory.java
+++ 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/HttpsComponentBuilderFactory.java
@@ -785,6 +785,27 @@ public interface HttpsComponentBuilderFactory {
             return this;
         }
     
+        /**
+         * Sets an ObjectInputFilter pattern (jdk.serialFilter syntax) applied
+         * when deserializing Java objects from requests or responses with
+         * Content-Type application/x-java-serialized-object (only used when
+         * allowJavaSerializedObject or transferException is enabled). When not
+         * set, the JVM-wide jdk.serialFilter is used if present; otherwise a
+         * conservative default filter denying java.net. and otherwise allowing
+         * java., javax. and org.apache.camel. packages is applied.
+         * 
+         * The option is a: &lt;code&gt;java.lang.String&lt;/code&gt; type.
+         * 
+         * Group: security
+         * 
+         * @param deserializationFilter the value to set
+         * @return the dsl builder
+         */
+        default HttpsComponentBuilder deserializationFilter(java.lang.String 
deserializationFilter) {
+            doSetProperty("deserializationFilter", deserializationFilter);
+            return this;
+        }
+    
         
         /**
          * Controls how hostname verification is performed during the TLS
@@ -995,6 +1016,7 @@ public interface HttpsComponentBuilderFactory {
             case "proxyAuthUsername": ((HttpComponent) 
component).setProxyAuthUsername((java.lang.String) value); return true;
             case "proxyHost": ((HttpComponent) 
component).setProxyHost((java.lang.String) value); return true;
             case "proxyPort": ((HttpComponent) 
component).setProxyPort((java.lang.Integer) value); return true;
+            case "deserializationFilter": ((HttpComponent) 
component).setDeserializationFilter((java.lang.String) value); return true;
             case "hostnameVerificationPolicy": ((HttpComponent) 
component).setHostnameVerificationPolicy((org.apache.hc.client5.http.ssl.HostnameVerificationPolicy)
 value); return true;
             case "sslContextParameters": ((HttpComponent) 
component).setSslContextParameters((org.apache.camel.support.jsse.SSLContextParameters)
 value); return true;
             case "useGlobalSslContextParameters": ((HttpComponent) 
component).setUseGlobalSslContextParameters((boolean) value); return true;
diff --git 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/JettyComponentBuilderFactory.java
 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/JettyComponentBuilderFactory.java
index 17e519c41ff4..d7a7dda3eed1 100644
--- 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/JettyComponentBuilderFactory.java
+++ 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/JettyComponentBuilderFactory.java
@@ -564,6 +564,27 @@ public interface JettyComponentBuilderFactory {
             return this;
         }
     
+        /**
+         * Sets an ObjectInputFilter pattern (jdk.serialFilter syntax) applied
+         * when deserializing Java objects from requests or responses with
+         * Content-Type application/x-java-serialized-object (only used when
+         * allowJavaSerializedObject or transferException is enabled). When not
+         * set, the JVM-wide jdk.serialFilter is used if present; otherwise a
+         * conservative default filter denying java.net. and otherwise allowing
+         * java., javax. and org.apache.camel. packages is applied.
+         * 
+         * The option is a: &lt;code&gt;java.lang.String&lt;/code&gt; type.
+         * 
+         * Group: security
+         * 
+         * @param deserializationFilter the value to set
+         * @return the dsl builder
+         */
+        default JettyComponentBuilder deserializationFilter(java.lang.String 
deserializationFilter) {
+            doSetProperty("deserializationFilter", deserializationFilter);
+            return this;
+        }
+    
         /**
          * Specifies the location of the Java keystore file, which contains the
          * Jetty server's own X.509 certificate in a key entry.
@@ -756,6 +777,7 @@ public interface JettyComponentBuilderFactory {
             case "headerFilterStrategy": ((JettyHttpComponent12) 
component).setHeaderFilterStrategy((org.apache.camel.spi.HeaderFilterStrategy) 
value); return true;
             case "proxyHost": ((JettyHttpComponent12) 
component).setProxyHost((java.lang.String) value); return true;
             case "proxyPort": ((JettyHttpComponent12) 
component).setProxyPort((java.lang.Integer) value); return true;
+            case "deserializationFilter": ((JettyHttpComponent12) 
component).setDeserializationFilter((java.lang.String) value); return true;
             case "keystore": ((JettyHttpComponent12) 
component).setKeystore((java.lang.String) value); return true;
             case "socketConnectorProperties": ((JettyHttpComponent12) 
component).setSocketConnectorProperties((java.util.Map) value); return true;
             case "socketConnectors": ((JettyHttpComponent12) 
component).setSocketConnectors((java.util.Map) value); return true;
diff --git 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/ServletComponentBuilderFactory.java
 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/ServletComponentBuilderFactory.java
index 50ffe3cda8c3..769a94c42e67 100644
--- 
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/ServletComponentBuilderFactory.java
+++ 
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/ServletComponentBuilderFactory.java
@@ -263,6 +263,27 @@ public interface ServletComponentBuilderFactory {
             doSetProperty("headerFilterStrategy", headerFilterStrategy);
             return this;
         }
+    
+        /**
+         * Sets an ObjectInputFilter pattern (jdk.serialFilter syntax) applied
+         * when deserializing Java objects from requests or responses with
+         * Content-Type application/x-java-serialized-object (only used when
+         * allowJavaSerializedObject or transferException is enabled). When not
+         * set, the JVM-wide jdk.serialFilter is used if present; otherwise a
+         * conservative default filter denying java.net. and otherwise allowing
+         * java., javax. and org.apache.camel. packages is applied.
+         * 
+         * The option is a: &lt;code&gt;java.lang.String&lt;/code&gt; type.
+         * 
+         * Group: security
+         * 
+         * @param deserializationFilter the value to set
+         * @return the dsl builder
+         */
+        default ServletComponentBuilder deserializationFilter(java.lang.String 
deserializationFilter) {
+            doSetProperty("deserializationFilter", deserializationFilter);
+            return this;
+        }
     }
 
     class ServletComponentBuilderImpl
@@ -289,6 +310,7 @@ public interface ServletComponentBuilderFactory {
             case "httpBinding": ((ServletComponent) 
component).setHttpBinding((org.apache.camel.http.common.HttpBinding) value); 
return true;
             case "httpConfiguration": ((ServletComponent) 
component).setHttpConfiguration((org.apache.camel.http.common.HttpConfiguration)
 value); return true;
             case "headerFilterStrategy": ((ServletComponent) 
component).setHeaderFilterStrategy((org.apache.camel.spi.HeaderFilterStrategy) 
value); return true;
+            case "deserializationFilter": ((ServletComponent) 
component).setDeserializationFilter((java.lang.String) value); return true;
             default: return false;
             }
         }
