apache · davsclaus · Oct 6, 2020 · Oct 5, 2020
diff --git a/...el-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityHelper.java b/...el-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityHelper.java
@@ -16,39 +16,45 @@
  */
 package org.apache.camel.component.shiro.security;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectOutput;
-import java.io.ObjectOutputStream;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
-import org.apache.camel.util.IOHelper;
 import org.apache.shiro.crypto.CipherService;
 import org.apache.shiro.util.ByteSource;
 
 public final class ShiroSecurityHelper {
 
+    private static Pattern pattern = Pattern.compile("(\\d+):(.+)");
+
     private ShiroSecurityHelper() {
     }
 
-    public static ByteSource encrypt(ShiroSecurityToken securityToken, byte[] passPhrase, CipherService cipherService)
-            throws Exception {
-        ByteArrayOutputStream stream = new ByteArrayOutputStream();
-        ObjectOutput serialStream = new ObjectOutputStream(stream);
-        try {
-            serialStream.writeObject(securityToken);
-            return cipherService.encrypt(stream.toByteArray(), passPhrase);
-        } finally {
-            close(serialStream);
-            IOHelper.close(stream);
-        }
+    public static ByteSource encrypt(
+            ShiroSecurityToken securityToken, byte[] passPhrase, CipherService cipherService) {
+        byte[] data = serialize(securityToken);
+        return cipherService.encrypt(data, passPhrase);
     }
 
-    private static void close(ObjectOutput output) {
-        try {
-            output.close();
-        } catch (IOException e) {
-            // ignore
-        }
+    static byte[] serialize(ShiroSecurityToken token) {
+        StringBuilder sb = new StringBuilder().append(token.getUsername().length())
+                .append(":")
+                .append(token.getUsername())
+                .append(token.getPassword() != null ? token.getPassword() : "");
+        return sb.toString().getBytes();
     }
 
+    public static ShiroSecurityToken deserialize(byte[] data) {
+        String text = new String(data);
+
+        Matcher matcher = pattern.matcher(text);
+        if (!matcher.matches()) {
+            throw new IllegalStateException("Can not deserialize security token - token is probably corrupted.");
+        }
+        int length = Integer.parseInt(matcher.group(1));
+
+        String username = matcher.group(2).substring(0, length);
+        String password = matcher.group(2).substring(length);
+
+        return new ShiroSecurityToken(username, password);
+    }
 }
diff --git a/...shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityProcessor.java b/...shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityProcessor.java
@@ -16,20 +16,13 @@
  */
 package org.apache.camel.component.shiro.security;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InvalidClassException;
-import java.io.ObjectInputStream;
-import java.io.ObjectStreamClass;
-
 import org.apache.camel.AsyncCallback;
 import org.apache.camel.CamelAuthorizationException;
 import org.apache.camel.CamelExchangeException;
 import org.apache.camel.Exchange;
 import org.apache.camel.Processor;
 import org.apache.camel.support.ExchangeHelper;
 import org.apache.camel.support.processor.DelegateAsyncProcessor;
-import org.apache.camel.util.IOHelper;
 import org.apache.camel.util.ObjectHelper;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
@@ -122,24 +115,7 @@ private void applySecurityPolicy(Exchange exchange) throws Exception {
 
         ByteSource decryptedToken = policy.getCipherService().decrypt(encryptedToken.getBytes(), policy.getPassPhrase());
 
-        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(decryptedToken.getBytes());
-        ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream) {
-            @Override
-            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-                if (!(desc.getName().equals(ShiroSecurityToken.class.getName())
-                        || "java.lang.String".equals(desc.getName()))) {
-                    throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
-                }
-                return super.resolveClass(desc);
-            }
-
-        };
-        ShiroSecurityToken securityToken;
-        try {
-            securityToken = (ShiroSecurityToken) objectInputStream.readObject();
-        } finally {
-            IOHelper.close(objectInputStream, byteArrayInputStream);
-        }
+        ShiroSecurityToken securityToken = ShiroSecurityHelper.deserialize(decryptedToken.getBytes());
 
         Subject currentUser = SecurityUtils.getSubject();
 

diff --git a/...o/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java b/...o/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
@@ -93,5 +93,4 @@ public boolean isBase64() {
     public void setBase64(boolean base64) {
         this.base64 = base64;
     }
-
 }
diff --git a/...hiro/src/test/java/org/apache/camel/component/shiro/security/ShiroSecurityHelperTest.java b/...hiro/src/test/java/org/apache/camel/component/shiro/security/ShiroSecurityHelperTest.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.shiro.security;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class ShiroSecurityHelperTest {
+
+    @Test
+    public void testSerializeAndDeserialize() {
+        test("user", "password");
+    }
+
+    @Test
+    public void testSerializeAndDeserializeEmptyPassword() {
+        test("user", "");
+        test("user", null);
+    }
+
+    private void test(String username, String password) {
+        ShiroSecurityToken token = new ShiroSecurityToken(username, password);
+
+        byte[] data = ShiroSecurityHelper.serialize(token);
+        ShiroSecurityToken deserializedToken = ShiroSecurityHelper.deserialize(data);
+
+        assertEquals(token.getUsername(), deserializedToken.getUsername());
+        assertEquals(token.getPassword() != null ? token.getPassword() : "", deserializedToken.getPassword());
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -93,5 +93,4 @@ public boolean isBase64() { @@
         public void setBase64(boolean base64) {
             this.base64 = base64;
         }
     }