You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by da...@apache.org on 2015/11/12 14:50:10 UTC
[04/10] camel git commit: CAMEL-9309: Make it easier to turn on|off
java transport over http
CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/c47cffca
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/c47cffca
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/c47cffca
Branch: refs/heads/master
Commit: c47cffcadabca0c588753555a386942184a33627
Parents: 94330f9
Author: Claus Ibsen <da...@apache.org>
Authored: Thu Nov 12 11:28:17 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Thu Nov 12 14:52:46 2015 +0100
----------------------------------------------------------------------
.../apache/camel/http/common/DefaultHttpBinding.java | 8 ++++++--
.../apache/camel/component/http/HttpComponent.java | 12 ++++++++++++
.../org/apache/camel/component/http/HttpProducer.java | 14 ++++++++++++--
3 files changed, 30 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
----------------------------------------------------------------------
diff --git a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index 6752f3b..9e22665 100644
--- a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++ b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -89,7 +89,9 @@ public class DefaultHttpBinding implements HttpBinding {
public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
this.transferException = endpoint.isTransferException();
- this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+ if (endpoint.getComponent() != null) {
+ this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+ }
}
public void readRequest(HttpServletRequest request, HttpMessage message) {
@@ -153,6 +155,7 @@ public class DefaultHttpBinding implements HttpBinding {
// if content type is serialized java object, then de-serialize it to a Java object
if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
+ // only deserialize java if allowed
if (allowJavaSerializedObject || isTransferException()) {
try {
InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
@@ -164,7 +167,8 @@ public class DefaultHttpBinding implements HttpBinding {
throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
}
} else {
- throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
+ // set empty body
+ message.setBody(null);
}
}
http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
index 3599c64..104ff84 100644
--- a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
+++ b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
@@ -337,4 +337,16 @@ public class HttpComponent extends HttpCommonComponent {
// need to override and call super for component docs
super.setHttpConfiguration(httpConfiguration);
}
+
+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ @Override
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ // need to override and call super for component docs
+ super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+ }
}
http://git-wip-us.apache.org/repos/asf/camel/blob/c47cffca/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
----------------------------------------------------------------------
diff --git a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
index cbbd97c..c0c8809 100644
--- a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
+++ b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
@@ -32,6 +32,7 @@ import java.util.Map;
import org.apache.camel.CamelExchangeException;
import org.apache.camel.Exchange;
import org.apache.camel.Message;
+import org.apache.camel.RuntimeCamelException;
import org.apache.camel.component.file.GenericFile;
import org.apache.camel.converter.stream.CachedOutputStream;
import org.apache.camel.http.common.HttpConstants;
@@ -280,7 +281,7 @@ public class HttpProducer extends DefaultProducer {
* @return the response either as a stream, or as a deserialized java object
* @throws IOException can be thrown
*/
- protected static Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
+ protected Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
InputStream is = method.getResponseBodyAsStream();
if (is == null) {
return null;
@@ -304,7 +305,13 @@ public class HttpProducer extends DefaultProducer {
// if content type is a serialized java object then de-serialize it back to a Java object
if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ // only deserialize java if allowed
+ if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+ return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+ } else {
+ // empty response
+ return null;
+ }
} else {
InputStream response = null;
if (!ignoreResponseBody) {
@@ -418,6 +425,9 @@ public class HttpProducer extends DefaultProducer {
String contentType = ExchangeHelper.getContentType(exchange);
if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+ if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
// serialized java object
Serializable obj = in.getMandatoryBody(Serializable.class);
// write object to output stream