CAMEL-9309: Make it easier to turn on|off java transport over http

Author: davsclaus

components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java

@@ -74,6 +74,7 @@ public class DefaultHttpBinding implements HttpBinding {
     private boolean useReaderForPayload;
     private boolean eagerCheckContentAvailable;
     private boolean transferException;
+    private boolean allowJavaSerializedObject;
     private HeaderFilterStrategy headerFilterStrategy = new HttpHeaderFilterStrategy();
 
     public DefaultHttpBinding() {
@@ -88,6 +89,7 @@ public DefaultHttpBinding(HeaderFilterStrategy headerFilterStrategy) {
     public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
         this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
         this.transferException = endpoint.isTransferException();
+        this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
     }
 
     public void readRequest(HttpServletRequest request, HttpMessage message) {
@@ -151,14 +153,18 @@ public void readRequest(HttpServletRequest request, HttpMessage message) {
 
         // if content type is serialized java object, then de-serialize it to a Java object
         if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
-            try {
-                InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
-                Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
-                if (object != null) {
-                    message.setBody(object);
+            if (allowJavaSerializedObject || isTransferException()) {
+                try {
+                    InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
+                    Object object = HttpHelper.deserializeJavaObjectFromStream(is, message.getExchange().getContext());
+                    if (object != null) {
+                        message.setBody(object);
+                    }
+                } catch (Exception e) {
+                    throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
                 }
-            } catch (Exception e) {
-                throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
+            } else {
+                throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
             }
         }
 
@@ -358,13 +364,17 @@ protected void doWriteDirectResponse(Message message, HttpServletResponse respon
         // if content type is serialized Java object, then serialize and write it to the response
         String contentType = message.getHeader(Exchange.CONTENT_TYPE, String.class);
         if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
-            try {
-                Object object = message.getMandatoryBody(Serializable.class);
-                HttpHelper.writeObjectToServletResponse(response, object);
-                // object is written so return
-                return;
-            } catch (InvalidPayloadException e) {
-                throw new IOException(e);
+            if (allowJavaSerializedObject || isTransferException()) {
+                try {
+                    Object object = message.getMandatoryBody(Serializable.class);
+                    HttpHelper.writeObjectToServletResponse(response, object);
+                    // object is written so return
+                    return;
+                } catch (InvalidPayloadException e) {
+                    throw new IOException(e);
+                }
+            } else {
+                throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
             }
         }
 

components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonComponent.java

@@ -22,6 +22,7 @@ public abstract class HttpCommonComponent extends HeaderFilterStrategyComponent
 
     protected HttpBinding httpBinding;
     protected HttpConfiguration httpConfiguration;
+    protected boolean allowJavaSerializedObject;
 
     public HttpCommonComponent(Class<? extends HttpCommonEndpoint> endpointClass) {
         super(endpointClass);
@@ -72,4 +73,18 @@ public void setHttpConfiguration(HttpConfiguration httpConfiguration) {
         this.httpConfiguration = httpConfiguration;
     }
 
+    public boolean isAllowJavaSerializedObject() {
+        return allowJavaSerializedObject;
+    }
+
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        this.allowJavaSerializedObject = allowJavaSerializedObject;
+    }
+
 }

components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java

@@ -19,6 +19,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
+import org.apache.camel.Component;
 import org.apache.camel.impl.DefaultEndpoint;
 import org.apache.camel.spi.HeaderFilterStrategy;
 import org.apache.camel.spi.HeaderFilterStrategyAware;
@@ -69,8 +70,12 @@ public abstract class HttpCommonEndpoint extends DefaultEndpoint implements Head
     int proxyPort;
     @UriParam(label = "producer", enums = "Basic,Digest,NTLM", description = "Authentication method for proxy, either as Basic, Digest or NTLM.")
     String authMethodPriority;
-    @UriParam(description = "Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server."
-            + " This allows you to get all responses regardless of the HTTP status code.")
+    @UriParam(description = "If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized"
+            + " in the response as a application/x-java-serialized-object content type."
+            + " On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException."
+            + " The caused exception is required to be serialized."
+            + " This is by default turned off. If you enable this then be aware that Java will deserialize the incoming"
+            + " data from the request to Java and that can be a potential security risk.")
     boolean transferException;
     @UriParam(label = "consumer",
             description = "Specifies whether to enable HTTP TRACE for this Jetty consumer. By default TRACE is turned off.")
@@ -113,6 +118,11 @@ public void disconnect(HttpConsumer consumer) throws Exception {
         component.disconnect(consumer);
     }
 
+    @Override
+    public HttpCommonComponent getComponent() {
+        return (HttpCommonComponent) super.getComponent();
+    }
+
     public boolean isLenientProperties() {
         // true to allow dynamic URI options to be configured and passed to external system for eg. the HttpProducer
         return true;
@@ -291,8 +301,13 @@ public boolean isTransferException() {
     }
 
     /**
-     * Option to disable throwing the HttpOperationFailedException in case of failed responses from the remote server.
-     * This allows you to get all responses regardless of the HTTP status code.
+     * If enabled and an Exchange failed processing on the consumer side, and if the caused Exception was send back serialized
+     * in the response as a application/x-java-serialized-object content type.
+     * On the producer side the exception will be deserialized and thrown as is, instead of the HttpOperationFailedException.
+     * The caused exception is required to be serialized.
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      */
     public void setTransferException(boolean transferException) {
         this.transferException = transferException;