Posted to commits@camel.apache.org by da...@apache.org on 2015/11/12 14:50:09 UTC
[03/10] camel git commit: CAMEL-9309: Make it easier to turn on|off
java transport over http
CAMEL-9309: Make it easier to turn on|off java transport over http
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/a68434c2
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/a68434c2
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/a68434c2
Branch: refs/heads/master
Commit: a68434c258cdcd30587ae7adc5dabbac43eadbbf
Parents: 39841c6
Author: Claus Ibsen <da...@apache.org>
Authored: Thu Nov 12 11:05:30 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Thu Nov 12 14:52:45 2015 +0100
----------------------------------------------------------------------
.../camel/component/ahc/AhcComponent.java | 15 +++++
.../camel/component/ahc/DefaultAhcBinding.java | 12 +++-
.../ahc/javabody/AhcProduceJavaBodyTest.java | 70 ++++++++++++++++++++
3 files changed, 95 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/a68434c2/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
index 9077b23..75b0015 100644
--- a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
+++ b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcComponent.java
@@ -47,6 +47,7 @@ public class AhcComponent extends HeaderFilterStrategyComponent {
private AsyncHttpClientConfig clientConfig;
private AhcBinding binding;
private SSLContextParameters sslContextParameters;
+ private boolean allowJavaSerializedObject;
public AhcComponent() {
super(AhcEndpoint.class);
@@ -164,6 +165,20 @@ public class AhcComponent extends HeaderFilterStrategyComponent {
this.sslContextParameters = sslContextParameters;
}
+ public boolean isAllowJavaSerializedObject() {
+ return allowJavaSerializedObject;
+ }
+
+ /**
+ * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+ * <p/>
+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+ * data from the request to Java and that can be a potential security risk.
+ */
+ public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+ this.allowJavaSerializedObject = allowJavaSerializedObject;
+ }
+
protected String createAddressUri(String uri, String remaining) {
return remaining;
}
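Review bot: The Javadoc on `setAllowJavaSerializedObject` has a typo, `context-type=application/x-java-serialized-object`, which should read `content-type`. It also mentions only "incoming data from the request", although DefaultAhcBinding reads this flag both when writing a serialized request body and when reading a response. I would reword the first sentence to `Whether to allow Java serialization when a request or response uses content-type=application/x-java-serialized-object`. I would also add a sentence saying that enabling transferException on the endpoint still causes responses of that content type to be deserialized when this option is false, since that is what the binding does in this commit.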
http://git-wip-us.apache.org/repos/asf/camel/blob/a68434c2/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
index a7fd405..15fea80 100644
--- a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
+++ b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/DefaultAhcBinding.java
@@ -126,6 +126,11 @@ public class DefaultAhcBinding implements AhcBinding {
Object data = in.getBody();
if (data != null) {
if (contentType != null && AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+
+ if (!endpoint.getComponent().isAllowJavaSerializedObject()) {
+ throw new CamelExchangeException("Content-type " + AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+ }
+
// serialized java object
Serializable obj = in.getMandatoryBody(Serializable.class);
// write object to output stream
@@ -228,9 +233,12 @@ public class DefaultAhcBinding implements AhcBinding {
}
Object body = is;
- // if content type is a serialized java object then de-serialize it back to a Java object
+ // if content type is a serialized java object then de-serialize it back to a Java object but only if its allowed
+ // an exception can also be transffered as java object
if (contentType != null && contentType.equals(AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
- body = AhcHelper.deserializeJavaObjectFromStream(is);
+ if (endpoint.getComponent().isAllowJavaSerializedObject() || endpoint.isTransferException()) {
+ body = AhcHelper.deserializeJavaObjectFromStream(is);
+ }
}
if (!endpoint.isThrowExceptionOnFailure()) {
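Review bot: The guard `isAllowJavaSerializedObject() || endpoint.isTransferException()` bypasses the new opt-in flag: with transferException on, any response carrying the serialized-object content type is deserialized, so the remote server controls what goes into the object stream. If the intent is only to carry exceptions back, the transferException half should at least also require a failure status code. That narrows the exposure but does not remove it; whether `AhcHelper.deserializeJavaObjectFromStream` restricts the classes it will load is not visible here, and if it does not, a class allow-list belongs there. When neither condition holds the body silently stays the raw stream, so a debug log saying deserialization was skipped would help whoever diagnoses a null conversion. The new comment also misspells `transferred` as `transffered`, and the enclosing method starts and ends outside this hunk.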
http://git-wip-us.apache.org/repos/asf/camel/blob/a68434c2/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
----------------------------------------------------------------------
diff --git a/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
index 87a2d22..8b3f395 100644
--- a/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
+++ b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/javabody/AhcProduceJavaBodyTest.java
@@ -19,6 +19,7 @@ package org.apache.camel.component.ahc.javabody;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.component.ahc.AhcComponent;
import org.apache.camel.component.ahc.AhcConstants;
import org.apache.camel.component.ahc.BaseAhcTest;
import org.junit.Test;
@@ -35,6 +36,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
@Test
public void testHttpSendJavaBodyAndReceiveString() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
@@ -66,6 +70,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
@Test
public void testHttpSendJavaBodyAndReceiveJavaBody() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
@@ -98,6 +105,9 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
@Test
public void testHttpSendStringAndReceiveJavaBody() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(true);
+
context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
@@ -123,4 +133,64 @@ public class AhcProduceJavaBodyTest extends BaseAhcTest {
assertEquals("Camel rocks", reply.getName());
}
+ @Test
+ public void testNotAllowedReceive() throws Exception {
+ AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
+ ahc.setAllowJavaSerializedObject(false);
+
+ context.addRoutes(new RouteBuilder() {
+ @Override
+ public void configure() throws Exception {
+ from(getTestServerEndpointUri())
+ .process(new Processor() {
+ public void process(Exchange exchange) throws Exception {
+ String body = exchange.getIn().getBody(String.class);
+ assertNotNull(body);
+ assertEquals("Hello World", body);
+
+ MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
+ exchange.getOut().setBody(reply);
+ exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
+ }
+ });
+ }
+ });
+ context.start();
+
+ MyCoolBean reply = template.requestBody(getAhcEndpointUri(), "Hello World", MyCoolBean.class);
+ assertNull(reply);
+ }
+
+ @Test
+ public void testNotAllowed() throws Exception {
+ context.addRoutes(new RouteBuilder() {
+ @Override
+ public void configure() throws Exception {
+ from(getTestServerEndpointUri())
+ .process(new Processor() {
+ public void process(Exchange exchange) throws Exception {
+ String body = exchange.getIn().getBody(String.class);
+ assertNotNull(body);
+ assertEquals("Hello World", body);
+
+ MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
+ exchange.getOut().setBody(reply);
+ exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
+ }
+ });
+ }
+ });
+ context.start();
+
+ MyCoolBean cool = new MyCoolBean(123, "Camel");
+
+ try {
+ template.requestBodyAndHeader(getAhcEndpointUri(), cool,
+ Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT, MyCoolBean.class);
+ fail("Should fail");
+ } catch (Exception e) {
+ assertTrue(e.getCause().getMessage().startsWith("Content-type application/x-java-serialized-object is not allowed"));
+ }
+ }
+
}
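Review bot: Neither new test covers the `|| endpoint.isTransferException()` branch added in DefaultAhcBinding, so nothing pins what happens when transferException is enabled while allowJavaSerializedObject is false. I would add a case for that combination, with the server replying with a non-exception serialized body, so the behaviour is a recorded decision. In `testNotAllowed`, `catch (Exception e)` followed by `e.getCause().getMessage()` turns an unexpected exception with no cause into a NullPointerException that hides the real failure. Catching `CamelExecutionException` and adding `assertNotNull(e.getCause());` before the message check would make the failure readable. `testNotAllowed` also relies on the component default being off; a short comment such as `// allowJavaSerializedObject is false by default` would make that intent explicit.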