

CAMEL-9309: Make it easier to turn on|off java transport over http
davsclaus committed Nov 12, 2015
1 parent c558f30 commit 92081b2
Showing 2 changed files with 23 additions and 2 deletions.
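--- a/<PATH_NOT_ON_PAGE_1>
+++ b/<PATH_NOT_ON_PAGE_1>
@@ -381,6 +381,18 @@ public void setHttpConfiguration(HttpConfiguration httpConfiguration) {
 super.setHttpConfiguration(httpConfiguration);
 }
 
+/**
+* Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+* <p/>
+* This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+* data from the request to Java and that can be a potential security risk.
+*/
+@Override
+public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+// need to override and call super for component docs
+super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+}
+
 public HttpContext getHttpContext() {
 return httpContext;
 }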
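Review bot: The new Javadoc on setAllowJavaSerializedObject says `context-type=application/x-java-serialized-object`, but the header it refers to is Content-Type, so the first line should read `* Whether to allow java serialization when a request uses content-type=application/x-java-serialized-object`. The text explains the risk of enabling the option but not what happens while it stays off; the producer change in this same commit rejects a serialized request body with a CamelExchangeException and returns null for a serialized response (unless transferException is enabled), and one sentence stating that here would let users judge the default without reading the producer. The overridden super setter and the field it writes are outside this hunk, so I cannot confirm from this page alone that the default is indeed off.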
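--- a/<PATH_NOT_ON_PAGE_2>
+++ b/<PATH_NOT_ON_PAGE_2>
@@ -304,7 +304,7 @@ protected static Map<String, String> extractResponseHeaders(Header[] responseHea
 * @return the response either as a stream, or as a deserialized java object
 * @throws IOException can be thrown
 */
-protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
+protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
 HttpEntity entity = httpResponse.getEntity();
 if (entity == null) {
 return null;
@@ -331,7 +331,13 @@ protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpRes
 }
 // if content type is a serialized java object then de-serialize it back to a Java object
 if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
-return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+// only deserialize java if allowed
+if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+} else {
+// empty response
+return null;
+}
 } else {
 InputStream response = null;
 if (!ignoreResponseBody) {
@@ -444,6 +450,9 @@ protected HttpEntity createRequestEntity(Exchange exchange) throws CamelExchange
 }
 
 if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString)) {
+if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+throw new CamelExchangeException("Content-type " + org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+}
 // serialized java object
 Serializable obj = in.getMandatoryBody(Serializable.class);
 // write object to output stream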
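Review bot: The new guard in extractResponseBody still hands the body to HttpHelper.deserializeJavaObjectFromStream whenever getEndpoint().isTransferException() is true, so with allowJavaSerializedObject left at its default a response tagged application/x-java-serialized-object from the remote server is still natively deserialized once transferException is enabled; if that is intended, the allowJavaSerializedObject documentation should say the option is not a complete switch on the consumer side of the producer. The blocked branch also returns null with only `// empty response`, which discards a payload without any trace, whereas the request side in createRequestEntity throws; if the class has a logger, a debug message naming the rejected content type before `return null;` would make the rejection visible in operation, and whether `is` is closed on that early-return path cannot be told from here since the rest of the method is outside the hunk. Minor style point in createRequestEntity: the exception message uses the fully-qualified org.apache.camel.http.common.HttpConstants while the condition two lines above uses the imported HttpConstants; `"Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed"` reads the same and matches the surrounding code.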

