CAMEL-9309: Make it easier to turn on|off java transport over http
davsclaus committed Nov 12, 2015
1 parent 32eacda commit 94330f9
Showing 3 changed files with 58 additions and 18 deletions.
Expand Up @@ -74,6 +74,7 @@ public class DefaultHttpBinding implements HttpBinding {
private boolean useReaderForPayload;
private boolean eagerCheckContentAvailable;
private boolean transferException;
private boolean allowJavaSerializedObject;
private HeaderFilterStrategy headerFilterStrategy = new HttpHeaderFilterStrategy();

public DefaultHttpBinding() {
Expand All @@ -88,6 +89,7 @@ public DefaultHttpBinding(HeaderFilterStrategy headerFilterStrategy) {
public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
this.transferException = endpoint.isTransferException();
this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
}

public void readRequest(HttpServletRequest request, HttpMessage message) {
Expand Down Expand Up @@ -151,14 +153,18 @@ public void readRequest(HttpServletRequest request, HttpMessage message) {

// if content type is serialized java object, then de-serialize it to a Java object
if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
try {
InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
if (object != null) {
message.setBody(object);
if (allowJavaSerializedObject || isTransferException()) {
try {
InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
if (object != null) {
message.setBody(object);
}
} catch (Exception e) {
throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
}
} catch (Exception e) {
throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
} else {
throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
}
}

Expand Down Expand Up @@ -358,13 +364,17 @@ protected void doWriteDirectResponse(Message message, HttpServletResponse respon
// if content type is serialized Java object, then serialize and write it to the response
String contentType = message.getHeader(Exchange.CONTENT_TYPE, String.class);
if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
try {
Object object = message.getMandatoryBody(Serializable.class);
HttpHelper.writeObjectToServletResponse(response, object);
// object is written so return
return;
} catch (InvalidPayloadException e) {
throw new IOException(e);
if (allowJavaSerializedObject || isTransferException()) {
try {
Object object = message.getMandatoryBody(Serializable.class);
HttpHelper.writeObjectToServletResponse(response, object);
// object is written so return
return;
} catch (InvalidPayloadException e) {
throw new IOException(e);
}
} else {
throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
}
}

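Review bot: In readRequest the new gate `if (allowJavaSerializedObject || isTransferException())` lets a request body with the Java-serialized content type be deserialized whenever transferException is on, even when allowJavaSerializedObject was left off. This commit describes transferException as concerning an exception sent back in the response, so an operator who enables it may not expect the consumer to start deserializing client-supplied request bodies; gating the request path on `if (allowJavaSerializedObject) {` alone would keep the two switches independent. If the coupling is intended, a comment on that line should say so. HttpHelper.deserializeJavaObjectFromStream is not visible here; if it reads with a plain ObjectInputStream, restricting the classes it will resolve would limit what an enabled endpoint accepts. The same condition is repeated in doWriteDirectResponse, and both method bodies extend beyond the hunks shown.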
Expand Up @@ -22,6 +22,7 @@ public abstract class HttpCommonComponent extends HeaderFilterStrategyComponent

protected HttpBinding httpBinding;
protected HttpConfiguration httpConfiguration;
protected boolean allowJavaSerializedObject;

public HttpCommonComponent(Class<? extends HttpCommonEndpoint> endpointClass) {
super(endpointClass);
Expand Down Expand Up @@ -72,4 +73,18 @@ public void setHttpConfiguration(HttpConfiguration httpConfiguration) {
this.httpConfiguration = httpConfiguration;
}

public boolean isAllowJavaSerializedObject() {
return allowJavaSerializedObject;
}

/**
* Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
* <p/>
* This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
* data from the request to Java and that can be a potential security risk.
*/
public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
this.allowJavaSerializedObject = allowJavaSerializedObject;
}

}
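Review bot: The Javadoc on setAllowJavaSerializedObject names the header as `context-type=application/x-java-serialized-object`; it should read `content-type=application/x-java-serialized-object`. The new field is declared `protected boolean allowJavaSerializedObject;`, so a subclass can change this security switch without going through the setter; `private boolean allowJavaSerializedObject;` with the existing accessors would keep a single path, although the neighbouring fields in this class are protected as well. The Javadoc could also state that DefaultHttpBinding copies the value in its constructor, so that it is clear when a change to the setting takes effect.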
Expand Up @@ -19,6 +19,7 @@
import java.net.URI;
import java.net.URISyntaxException;

import org.apache.camel.Component;
import org.apache.camel.impl.DefaultEndpoint;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.spi.HeaderFilterStrategyAware;
Expand Down Expand Up @@ -69,8 +70,12 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head
int proxyPort;
@UriParam(label = "producer", enums = "Basic,Digest,NTLM", description = "Authentication method for proxy, either as Basic, Digest or NTLM.")
String authMethodPriority;
@UriParam(description = "Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server."
+ " This allows you to get all responses regardless of the HTTP status code.")
@UriParam(description = "If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized"
+ " in the response as a application/x-java-serialized-object content type."
+ " On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException."
+ " The caused exception is required to be serialized."
+ " This is by default turned off. If you enable this then be aware that Java will deserialize the incoming"
+ " data from the request to Java and that can be a potential security risk.")
boolean transferException;
@UriParam(label = "consumer",
description = "Specifies whether to enable HTTP TRACE for this Jetty consumer. By default TRACE is turned off.")
Expand Down Expand Up @@ -113,6 +118,11 @@ public void disconnect(HttpConsumer consumer) throws Exception {
component.disconnect(consumer);
}

@Override
public HttpCommonComponent getComponent() {
return (HttpCommonComponent) super.getComponent();
}

public boolean isLenientProperties() {
// true to allow dynamic URI options to be configured and passed to external system for eg. the HttpProducer
return true;
Expand Down Expand Up @@ -291,8 +301,13 @@ public boolean isTransferException() {
}

/**
* Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server.
* This allows you to get all responses regardless of the HTTP status code.
* If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized
* in the response as a application/x-java-serialized-object content type.
* On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException.
* The caused exception is required to be serialized.
* <p/>
* This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
* data from the request to Java and that can be a potential security risk.
*/
public void setTransferException(boolean transferException) {
this.transferException = transferException;
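Review bot: The new transferException description warns that Java will deserialize `the incoming data from the request`, but the sentence before it says the producer deserializes the exception, which arrives in the response from the remote server. The warning should name the direction for each side, for example `On the producer side the response body is deserialized, on the consumer side the request body; only enable this towards peers you trust.` The first sentence, in both the @UriParam description and the setTransferException Javadoc, is also incomplete and has a typo: `was send back serialized` should be `is sent back serialized`, with the leading `and if` dropped. The getComponent() override casts `super.getComponent()` without a check; that appears safe only if every HttpCommonEndpoint is created by an HttpCommonComponent, which is not visible here.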
