CAMEL-9309: Make it easier to turn on|off java transport over http

Author: davsclaus

components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcEndpoint.java

@@ -179,6 +179,9 @@ public boolean isTransferException() {
      * in the response as a application/x-java-serialized-object content type (for example using Jetty or Servlet Camel components).
      * On the producer side the exception will be deserialized and thrown as is, instead of the AhcOperationFailedException.
      * The caused exception is required to be serialized.
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      */
     public void setTransferException(boolean transferException) {
         this.transferException = transferException;

components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java

@@ -531,6 +531,14 @@ public void setTransferException(boolean transferException) {
         this.transferException = transferException;
     }
 
+    public boolean isAllowJavaSerializedObject() {
+        return allowJavaSerializedObject;
+    }
+
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        this.allowJavaSerializedObject = allowJavaSerializedObject;
+    }
+
     public HeaderFilterStrategy getHeaderFilterStrategy() {
         return headerFilterStrategy;
     }

components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpBinding.java

@@ -118,9 +118,20 @@ public interface HttpBinding {
      * serialized in the response as a application/x-java-serialized-object content type (for example using Jetty or
      * Servlet Camel components). On the producer side the exception will be deserialized and thrown as is,
      * instead of the HttpOperationFailedException. The caused exception is required to be serialized.
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      */
     boolean isTransferException();
 
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    boolean isAllowJavaSerializedObject();
+
     /**
      * Whether to eager check whether the HTTP requests has content if the content-length header is 0 or not present.
      * This can be turned on in case HTTP clients do not send streamed data.
@@ -138,9 +149,22 @@ public interface HttpBinding {
      * serialized in the response as a application/x-java-serialized-object content type (for example using Jetty or
      * Servlet Camel components). On the producer side the exception will be deserialized and thrown as is,
      * instead of the HttpOperationFailedException. The caused exception is required to be serialized.
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      */
     void setTransferException(boolean transferException);
 
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     *
+     * @param allowJavaSerializedObject <tt>true</tt> to allow serializing java objects
+     */
+    void setAllowJavaSerializedObject(boolean allowJavaSerializedObject);
+
     /**
      * Gets the header filter strategy
      *

components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpCommonEndpoint.java

@@ -19,7 +19,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
-import org.apache.camel.Component;
 import org.apache.camel.impl.DefaultEndpoint;
 import org.apache.camel.spi.HeaderFilterStrategy;
 import org.apache.camel.spi.HeaderFilterStrategyAware;
@@ -142,6 +141,9 @@ public HttpBinding getBinding() {
             binding = new DefaultHttpBinding();
             binding.setHeaderFilterStrategy(getHeaderFilterStrategy());
             binding.setTransferException(isTransferException());
+            if (getComponent() != null) {
+                binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+            }
             binding.setEagerCheckContentAvailable(isEagerCheckContentAvailable());
         }
         return binding;

components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/CamelContinuationServlet.java

@@ -28,6 +28,7 @@
 import org.apache.camel.Exchange;
 import org.apache.camel.ExchangePattern;
 import org.apache.camel.http.common.CamelServlet;
+import org.apache.camel.http.common.HttpConstants;
 import org.apache.camel.http.common.HttpConsumer;
 import org.apache.camel.http.common.HttpHelper;
 import org.apache.camel.http.common.HttpMessage;
@@ -85,6 +86,14 @@ protected void service(final HttpServletRequest request, final HttpServletRespon
             response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             return;
         }
+
+        // we do not support java serialized objects unless explicit enabled
+        String contentType = request.getContentType();
+        if (HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType) && !consumer.getEndpoint().getComponent().isAllowJavaSerializedObject()) {
+            System.out.println("415 miser !!!");
+            response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
+            return;
+        }
 
         final Exchange result = (Exchange) request.getAttribute(EXCHANGE_ATTRIBUTE_NAME);
         if (result == null) {

components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/DefaultJettyHttpBinding.java

@@ -46,6 +46,7 @@ public class DefaultJettyHttpBinding implements JettyHttpBinding {
     private HeaderFilterStrategy httpProtocolHeaderFilterStrategy = new HttpProtocolHeaderFilterStrategy();
     private boolean throwExceptionOnFailure;
     private boolean transferException;
+    private boolean allowJavaSerializedObject;
     private String okStatusCodeRange;
 
     public DefaultJettyHttpBinding() {
@@ -101,6 +102,14 @@ public void setTransferException(boolean transferException) {
         this.transferException = transferException;
     }
 
+    public boolean isAllowJavaSerializedObject() {
+        return allowJavaSerializedObject;
+    }
+
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        this.allowJavaSerializedObject = allowJavaSerializedObject;
+    }
+
     public String getOkStatusCodeRange() {
         return okStatusCodeRange;
     }
@@ -183,11 +192,17 @@ protected Object extractResponseBody(Exchange exchange, JettyContentExchange htt
 
         // if content type is serialized java object, then de-serialize it to a Java object
         if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
-            try {
-                InputStream is = exchange.getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, httpExchange.getResponseContentBytes());
-                return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
-            } catch (Exception e) {
-                throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
+            // only deserialize java if allowed
+            if (isAllowJavaSerializedObject() || isTransferException()) {
+                try {
+                    InputStream is = exchange.getContext().getTypeConverter().mandatoryConvertTo(InputStream.class, httpExchange.getResponseContentBytes());
+                    return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+                } catch (Exception e) {
+                    throw new RuntimeCamelException("Cannot deserialize body to Java object", e);
+                }
+            } else {
+                // empty body
+                return null;
             }
         } else {
             // just grab the raw content body

components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpBinding.java

@@ -70,6 +70,9 @@ public interface JettyHttpBinding {
     /**
      * Whether to transfer exception back as a serialized java object
      * if processing failed due to an exception
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      *
      * @param transferException <tt>true</tt> to transfer exception
      */
@@ -78,11 +81,32 @@ public interface JettyHttpBinding {
     /**
      * Whether to transfer exception back as a serialized java object
      * if processing failed due to an exception
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
      *
      * @return <tt>true</tt> to transfer exception
      */
     boolean isTransferException();
 
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     *
+     * @param allowJavaSerializedObject <tt>true</tt> to allow serializing java objects
+     */
+    void setAllowJavaSerializedObject(boolean allowJavaSerializedObject);
+
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    boolean isAllowJavaSerializedObject();
+
     /**
      * The status codes which is considered a success response. The values are inclusive. The range must be defined as from-to with the dash included.
      * <p/>

components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpEndpoint.java

@@ -192,6 +192,9 @@ public synchronized JettyHttpBinding getJettyBinding(HttpClient httpClient) {
             jettyBinding.setHeaderFilterStrategy(getHeaderFilterStrategy());
             jettyBinding.setThrowExceptionOnFailure(isThrowExceptionOnFailure());
             jettyBinding.setTransferException(isTransferException());
+            if (getComponent() != null) {
+                jettyBinding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+            }
             jettyBinding.setOkStatusCodeRange(getOkStatusCodeRange());
         }
         return jettyBinding;

components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpProducer.java

@@ -30,9 +30,9 @@
 import org.apache.camel.Endpoint;
 import org.apache.camel.Exchange;
 import org.apache.camel.Message;
+import org.apache.camel.RuntimeCamelException;
 import org.apache.camel.http.common.HttpConstants;
 import org.apache.camel.http.common.HttpHelper;
-import org.apache.camel.http.common.HttpMethods;
 import org.apache.camel.impl.DefaultAsyncProducer;
 import org.apache.camel.spi.HeaderFilterStrategy;
 import org.apache.camel.util.ExchangeHelper;
@@ -138,17 +138,20 @@ private void processInternal(Exchange exchange, AsyncCallback callback) throws E
             if (contentType != null) {
                 httpExchange.setRequestContentType(contentType);
             }
-
             if (contentType != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentType)) {
-                // serialized java object
-                Serializable obj = exchange.getIn().getMandatoryBody(Serializable.class);
-                // write object to output stream
-                ByteArrayOutputStream bos = new ByteArrayOutputStream();
-                try {
-                    HttpHelper.writeObjectToStream(bos, obj);
-                    httpExchange.setRequestContent(bos.toByteArray());
-                } finally {
-                    IOHelper.close(bos, "body", LOG);
+                if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) {
+                    // serialized java object
+                    Serializable obj = exchange.getIn().getMandatoryBody(Serializable.class);
+                    // write object to output stream
+                    ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                    try {
+                        HttpHelper.writeObjectToStream(bos, obj);
+                        httpExchange.setRequestContent(bos.toByteArray());
+                    } finally {
+                        IOHelper.close(bos, "body", LOG);
+                    }
+                } else {
+                    throw new RuntimeCamelException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed");
                 }
             } else {
                 Object body = exchange.getIn().getBody();

components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpEndpoint9.java

@@ -40,6 +40,9 @@ public HttpBinding getBinding() {
         if (this.binding == null) {
             this.binding = new AttachmentHttpBinding();
             this.binding.setTransferException(isTransferException());
+            if (getComponent() != null) {
+                this.binding.setAllowJavaSerializedObject(getComponent().isAllowJavaSerializedObject());
+            }
             this.binding.setHeaderFilterStrategy(getHeaderFilterStrategy());
         }
         return this.binding;