CAMEL-9309: Make it easier to turn on|off java transport over http

Author: davsclaus

components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java

@@ -89,7 +89,9 @@ public DefaultHttpBinding(HeaderFilterStrategy headerFilterStrategy) {
     public DefaultHttpBinding(HttpCommonEndpoint endpoint) {
         this.headerFilterStrategy = endpoint.getHeaderFilterStrategy();
         this.transferException = endpoint.isTransferException();
-        this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+        if (endpoint.getComponent() != null) {
+            this.allowJavaSerializedObject = endpoint.getComponent().isAllowJavaSerializedObject();
+        }
     }
 
     public void readRequest(HttpServletRequest request, HttpMessage message) {
@@ -153,6 +155,7 @@ public void readRequest(HttpServletRequest request, HttpMessage message) {
 
         // if content type is serialized java object, then de-serialize it to a Java object
         if (request.getContentType() != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(request.getContentType())) {
+            // only deserialize java if allowed
             if (allowJavaSerializedObject || isTransferException()) {
                 try {
                     InputStream is = message.getExchange().getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, body);
@@ -164,7 +167,8 @@ public void readRequest(HttpServletRequest request, HttpMessage message) {
                     throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
                 }
             } else {
-                throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
+                // set empty body
+                message.setBody(null);
             }
         }
 

components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java

@@ -337,4 +337,16 @@ public void setHttpConfiguration(HttpConfiguration httpConfiguration) {
         // need to override and call super for component docs
         super.setHttpConfiguration(httpConfiguration);
     }
+
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    @Override
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        // need to override and call super for component docs
+        super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+    }
 }

components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java

@@ -32,6 +32,7 @@
 import org.apache.camel.CamelExchangeException;
 import org.apache.camel.Exchange;
 import org.apache.camel.Message;
+import org.apache.camel.RuntimeCamelException;
 import org.apache.camel.component.file.GenericFile;
 import org.apache.camel.converter.stream.CachedOutputStream;
 import org.apache.camel.http.common.HttpConstants;
@@ -280,7 +281,7 @@ protected static Map<String, String> extractResponseHeaders(Header[] responseHea
      * @return the response either as a stream, or as a deserialized java object
      * @throws IOException can be thrown
      */
-    protected static Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
+    protected Object extractResponseBody(HttpMethod method, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException {
         InputStream is = method.getResponseBodyAsStream();
         if (is == null) {
             return null;
@@ -304,7 +305,13 @@ protected static Object extractResponseBody(HttpMethod method, Exchange exchange
 
         // if content type is a serialized java object then de-serialize it back to a Java object
         if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) {
-            return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+            // only deserialize java if allowed
+            if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+                return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+            } else {
+                // empty response
+                return null;
+            }
         } else {
             InputStream response = null;
             if (!ignoreResponseBody) {
@@ -418,6 +425,9 @@ protected RequestEntity createRequestEntity(Exchange exchange) throws CamelExcha
                     String contentType = ExchangeHelper.getContentType(exchange);
 
                     if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
+                        if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+                            throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);
+                        }
                         // serialized java object
                         Serializable obj = in.getMandatoryBody(Serializable.class);
                         // write object to output stream