CAMEL-9309: Make it easier to turn on|off java transport over http

Conflicts: components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
apache · Nov 12, 2015 · 4f065fe · 4f065fe
1 parent 13e43c1
commit 4f065fe
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
@@ -66,6 +66,7 @@ public class HttpComponent extends HeaderFilterStrategyComponent {
     protected SSLContextParameters sslContextParameters;
     protected X509HostnameVerifier x509HostnameVerifier = new BrowserCompatHostnameVerifier();
     protected CookieStore cookieStore;
+    protected boolean allowJavaSerializedObject;
 
     // options to the default created http connection manager
     protected int maxTotalConnections = 200;
@@ -377,6 +378,21 @@ public void setHttpBinding(HttpBinding httpBinding) {
         this.httpBinding = httpBinding;
     }
 
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        // need to override and call super for component docs
+        this.allowJavaSerializedObject = allowJavaSerializedObject;
+    }
+
+    public boolean isAllowJavaSerializedObject() {
+        return allowJavaSerializedObject;
+    }
+
     public HttpContext getHttpContext() {
         return httpContext;
     }

diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpEndpoint.java
@@ -19,6 +19,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
+import org.apache.camel.Component;
 import org.apache.camel.Consumer;
 import org.apache.camel.PollingConsumer;
 import org.apache.camel.Processor;
@@ -113,6 +114,11 @@ public HttpEndpoint(String endPointURI, HttpComponent component, URI httpURI, Ht
         this.clientConnectionManager = clientConnectionManager;
     }
 
+    @Override
+    public HttpComponent getComponent() {
+        return (HttpComponent) super.getComponent();
+    }
+
     public Producer createProducer() throws Exception {
         return new HttpProducer(this);
     }

diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
@@ -287,7 +287,7 @@ protected static Map<String, String> extractResponseHeaders(Header[] responseHea
      * @return the response either as a stream, or as a deserialized java object
      * @throws IOException can be thrown
      */
-    protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange) throws IOException, ClassNotFoundException {
+    protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange) throws IOException, ClassNotFoundException {
         HttpEntity entity = httpResponse.getEntity();
         if (entity == null) {
             return null;
@@ -315,7 +315,13 @@ protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpRes
         InputStream response = doExtractResponseBodyAsStream(is, exchange);
         // if content type is a serialized java object then de-serialize it back to a Java object
         if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
-            return HttpHelper.deserializeJavaObjectFromStream(response);
+            // only deserialize java if allowed
+            if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+                return HttpHelper.deserializeJavaObjectFromStream(response);
+            } else {
+                // empty response
+                return null;
+            }
         } else {
             return response;
         }
@@ -424,6 +430,9 @@ protected HttpEntity createRequestEntity(Exchange exchange) throws CamelExchange
                     }
 
                     if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString)) {
+                        if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+                            throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+                        }
                         // serialized java object
                         Serializable obj = in.getMandatoryBody(Serializable.class);
                         // write object to output stream