CAMEL-9309: Make it easier to turn on|off java transport over http
davsclaus committed Nov 12, 2015
1 parent b55aa95 commit 44e6a30
Showing 3 changed files with 95 additions and 2 deletions.
Expand Up @@ -47,6 +47,7 @@ public class AhcComponent extends HeaderFilterStrategyComponent {
private AsyncHttpClientConfig clientConfig;
private AhcBinding binding;
private SSLContextParameters sslContextParameters;
private boolean allowJavaSerializedObject;

public AhcComponent() {
super(AhcEndpoint.class);
Expand Down Expand Up @@ -164,6 +165,20 @@ public void setSslContextParameters(SSLContextParameters sslContextParameters) {
this.sslContextParameters = sslContextParameters;
}

public boolean isAllowJavaSerializedObject() {
return allowJavaSerializedObject;
}

/**
* Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
* <p/>
* This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
* data from the request to Java and that can be a potential security risk.
*/
public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
this.allowJavaSerializedObject = allowJavaSerializedObject;
}

protected String createAddressUri(String uri, String remaining) {
return remaining;
}
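Review bot: The Javadoc on `setAllowJavaSerializedObject` names the header as `context-type`; it should read `content-type=application/x-java-serialized-object`. It also speaks only of incoming request data, while elsewhere in this commit the same flag gates both sending a serialized body (populateBody) and deserializing a response (onComplete), so a more accurate first sentence would be `Whether to allow sending and receiving Java serialized objects when the content-type is application/x-java-serialized-object`. The getter `isAllowJavaSerializedObject` has no Javadoc; a one-line `/** Whether Java serialized objects are allowed; false by default. */` would cover it.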
Expand Up @@ -126,6 +126,11 @@ protected void populateBody(RequestBuilder builder, AhcEndpoint endpoint, Exchan
Object data = in.getBody();
if (data != null) {
if (contentType != null && AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {

if (!endpoint.getComponent().isAllowJavaSerializedObject()) {
throw new CamelExchangeException("Content-type " + AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
}

// serialized java object
Serializable obj = in.getMandatoryBody(Serializable.class);
// write object to output stream
Expand Down Expand Up @@ -228,9 +233,12 @@ public void onComplete(AhcEndpoint endpoint, Exchange exchange, String url, Byte
}

Object body = is;
// if content type is a serialized java object then de-serialize it back to a Java object
// if content type is a serialized java object then de-serialize it back to a Java object but only if its allowed
// an exception can also be transffered as java object
if (contentType != null && contentType.equals(AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
body = AhcHelper.deserializeJavaObjectFromStream(is);
if (endpoint.getComponent().isAllowJavaSerializedObject() || endpoint.isTransferException()) {
body = AhcHelper.deserializeJavaObjectFromStream(is);
}
}

if (!endpoint.isThrowExceptionOnFailure()) {
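Review bot: In onComplete the new guard still calls `AhcHelper.deserializeJavaObjectFromStream(is)` whenever `endpoint.isTransferException()` is true, so an endpoint with transferException enabled deserializes any response labelled `application/x-java-serialized-object` even while allowJavaSerializedObject is at its default of false. Nothing in the visible lines limits that path to failed responses or to Throwable payloads, and the helper's body is not shown, so it should be assumed to deserialize whatever the remote side sends. At minimum the comment should state this, e.g. `// note: transferException=true also deserializes the response, independent of allowJavaSerializedObject`, and the transferException option's documentation should carry the same deserialization warning as the new setter. The new comment line also misspells "transferred". onComplete starts and ends outside this hunk.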
Expand Up @@ -19,6 +19,7 @@
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.ahc.AhcComponent;
import org.apache.camel.component.ahc.AhcConstants;
import org.apache.camel.component.ahc.BaseAhcTest;
import org.junit.Test;
Expand All @@ -35,6 +36,9 @@ public boolean isUseRouteBuilder() {

@Test
public void testHttpSendJavaBodyAndReceiveString() throws Exception {
AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
ahc.setAllowJavaSerializedObject(true);

context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
Expand Down Expand Up @@ -66,6 +70,9 @@ public void process(Exchange exchange) throws Exception {

@Test
public void testHttpSendJavaBodyAndReceiveJavaBody() throws Exception {
AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
ahc.setAllowJavaSerializedObject(true);

context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
Expand Down Expand Up @@ -98,6 +105,9 @@ public void process(Exchange exchange) throws Exception {

@Test
public void testHttpSendStringAndReceiveJavaBody() throws Exception {
AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
ahc.setAllowJavaSerializedObject(true);

context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
Expand All @@ -123,4 +133,64 @@ public void process(Exchange exchange) throws Exception {
assertEquals("Camel rocks", reply.getName());
}

@Test
public void testNotAllowedReceive() throws Exception {
AhcComponent ahc = context.getComponent("ahc", AhcComponent.class);
ahc.setAllowJavaSerializedObject(false);

context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
from(getTestServerEndpointUri())
.process(new Processor() {
public void process(Exchange exchange) throws Exception {
String body = exchange.getIn().getBody(String.class);
assertNotNull(body);
assertEquals("Hello World", body);

MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
exchange.getOut().setBody(reply);
exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
}
});
}
});
context.start();

MyCoolBean reply = template.requestBody(getAhcEndpointUri(), "Hello World", MyCoolBean.class);
assertNull(reply);
}

@Test
public void testNotAllowed() throws Exception {
context.addRoutes(new RouteBuilder() {
@Override
public void configure() throws Exception {
from(getTestServerEndpointUri())
.process(new Processor() {
public void process(Exchange exchange) throws Exception {
String body = exchange.getIn().getBody(String.class);
assertNotNull(body);
assertEquals("Hello World", body);

MyCoolBean reply = new MyCoolBean(456, "Camel rocks");
exchange.getOut().setBody(reply);
exchange.getOut().setHeader(Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT);
}
});
}
});
context.start();

MyCoolBean cool = new MyCoolBean(123, "Camel");

try {
template.requestBodyAndHeader(getAhcEndpointUri(), cool,
Exchange.CONTENT_TYPE, AhcConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT, MyCoolBean.class);
fail("Should fail");
} catch (Exception e) {
assertTrue(e.getCause().getMessage().startsWith("Content-type application/x-java-serialized-object is not allowed"));
}
}

}
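Review bot: testNotAllowed never calls `setAllowJavaSerializedObject`, so it passes only because the component default is false, whereas testNotAllowedReceive sets the flag explicitly; if pinning the secure default is the intent, say so with a comment such as `// flag deliberately left unset: the default must reject serialized bodies`. The catch block dereferences `e.getCause()` without checking it, so an unrelated failure with no cause would surface as a NullPointerException instead of a clear assertion failure; adding `assertNotNull(e.getCause());` before the message check avoids that. None of the visible tests exercises an endpoint with transferException enabled while the flag is off, which is the one combination in which the producer still deserializes the response.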
