diff --git a/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java b/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java index 9c897b8a7641..50f786d72747 100644 --- a/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java +++ b/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java @@ -48,7 +48,6 @@ * @author Juergen Hoeller * @since 1.1.3 * @see java.rmi.server.RMIClassLoader - * @see RemoteInvocationSerializingExporter#createObjectInputStream * @see org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor#setCodebaseUrl * @deprecated as of 5.3 (phasing out serialization-based remoting) */ diff --git a/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java b/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java deleted file mode 100644 index 99e81a4e27cf..000000000000 --- a/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java +++ /dev/null @@ -1,183 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.remoting.rmi; - -import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; -import java.io.OutputStream; -import java.rmi.RemoteException; - -import org.springframework.beans.factory.InitializingBean; -import org.springframework.remoting.support.RemoteInvocation; -import org.springframework.remoting.support.RemoteInvocationBasedExporter; -import org.springframework.remoting.support.RemoteInvocationResult; -import org.springframework.util.Assert; -import org.springframework.util.ClassUtils; - -/** - * Abstract base class for remote service exporters that explicitly deserialize - * {@link org.springframework.remoting.support.RemoteInvocation} objects and serialize - * {@link org.springframework.remoting.support.RemoteInvocationResult} objects, - * for example Spring's HTTP invoker. - * - *

Provides template methods for {@code ObjectInputStream} and - * {@code ObjectOutputStream} handling. - * - * @author Juergen Hoeller - * @since 2.5.1 - * @see java.io.ObjectInputStream - * @see java.io.ObjectOutputStream - * @see #doReadRemoteInvocation - * @see #doWriteRemoteInvocationResult - * @deprecated as of 5.3 (phasing out serialization-based remoting) - */ -@Deprecated -public abstract class RemoteInvocationSerializingExporter extends RemoteInvocationBasedExporter - implements InitializingBean { - - /** - * Default content type: "application/x-java-serialized-object". - */ - public static final String CONTENT_TYPE_SERIALIZED_OBJECT = "application/x-java-serialized-object"; - - - private String contentType = CONTENT_TYPE_SERIALIZED_OBJECT; - - private boolean acceptProxyClasses = true; - - private Object proxy; - - - /** - * Specify the content type to use for sending remote invocation responses. - *

Default is "application/x-java-serialized-object". - */ - public void setContentType(String contentType) { - Assert.notNull(contentType, "'contentType' must not be null"); - this.contentType = contentType; - } - - /** - * Return the content type to use for sending remote invocation responses. - */ - public String getContentType() { - return this.contentType; - } - - /** - * Set whether to accept deserialization of proxy classes. - *

Default is "true". May be deactivated as a security measure. - */ - public void setAcceptProxyClasses(boolean acceptProxyClasses) { - this.acceptProxyClasses = acceptProxyClasses; - } - - /** - * Return whether to accept deserialization of proxy classes. - */ - public boolean isAcceptProxyClasses() { - return this.acceptProxyClasses; - } - - - @Override - public void afterPropertiesSet() { - prepare(); - } - - /** - * Initialize this service exporter. - */ - public void prepare() { - this.proxy = getProxyForService(); - } - - protected final Object getProxy() { - if (this.proxy == null) { - throw new IllegalStateException(ClassUtils.getShortName(getClass()) + " has not been initialized"); - } - return this.proxy; - } - - - /** - * Create an ObjectInputStream for the given InputStream. - *

The default implementation creates a Spring {@link CodebaseAwareObjectInputStream}. - * @param is the InputStream to read from - * @return the new ObjectInputStream instance to use - * @throws java.io.IOException if creation of the ObjectInputStream failed - */ - protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException { - return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses()); - } - - /** - * Perform the actual reading of an invocation result object from the - * given ObjectInputStream. - *

The default implementation simply calls - * {@link java.io.ObjectInputStream#readObject()}. - * Can be overridden for deserialization of a custom wrapper object rather - * than the plain invocation, for example an encryption-aware holder. - * @param ois the ObjectInputStream to read from - * @return the RemoteInvocationResult object - * @throws java.io.IOException in case of I/O failure - * @throws ClassNotFoundException if case of a transferred class not - * being found in the local ClassLoader - */ - protected RemoteInvocation doReadRemoteInvocation(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - - Object obj = ois.readObject(); - if (!(obj instanceof RemoteInvocation)) { - throw new RemoteException("Deserialized object needs to be assignable to type [" + - RemoteInvocation.class.getName() + "]: " + ClassUtils.getDescriptiveType(obj)); - } - return (RemoteInvocation) obj; - } - - /** - * Create an ObjectOutputStream for the given OutputStream. - *

The default implementation creates a plain - * {@link java.io.ObjectOutputStream}. - * @param os the OutputStream to write to - * @return the new ObjectOutputStream instance to use - * @throws java.io.IOException if creation of the ObjectOutputStream failed - */ - protected ObjectOutputStream createObjectOutputStream(OutputStream os) throws IOException { - return new ObjectOutputStream(os); - } - - /** - * Perform the actual writing of the given invocation result object - * to the given ObjectOutputStream. - *

The default implementation simply calls - * {@link java.io.ObjectOutputStream#writeObject}. - * Can be overridden for serialization of a custom wrapper object rather - * than the plain invocation, for example an encryption-aware holder. - * @param result the RemoteInvocationResult object - * @param oos the ObjectOutputStream to write to - * @throws java.io.IOException if thrown by I/O methods - */ - protected void doWriteRemoteInvocationResult(RemoteInvocationResult result, ObjectOutputStream oos) - throws IOException { - - oos.writeObject(result); - } - -} diff --git a/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java b/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java index f72fb9fdba8e..aa9a9f235150 100644 --- a/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java +++ b/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java @@ -121,7 +121,6 @@ public void setExecutor(Executor executor) { * for specific context paths. * @param contexts a Map with context paths as keys and HttpHandler * objects as values - * @see org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter * @see org.springframework.remoting.caucho.SimpleHessianServiceExporter */ public void setContexts(Map contexts) { diff --git a/spring-web/src/main/java/org/springframework/remoting/httpinvoker/SimpleHttpInvokerServiceExporter.java b/spring-web/src/main/java/org/springframework/remoting/httpinvoker/SimpleHttpInvokerServiceExporter.java deleted file mode 100644 index b4bc68011367..000000000000 --- a/spring-web/src/main/java/org/springframework/remoting/httpinvoker/SimpleHttpInvokerServiceExporter.java +++ /dev/null @@ -1,181 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.remoting.httpinvoker; - -import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; -import java.io.OutputStream; - -import com.sun.net.httpserver.HttpExchange; -import com.sun.net.httpserver.HttpHandler; - -import org.springframework.remoting.support.RemoteInvocation; -import org.springframework.remoting.support.RemoteInvocationResult; - -/** - * HTTP request handler that exports the specified service bean as - * HTTP invoker service endpoint, accessible via an HTTP invoker proxy. - * Designed for Sun's JRE 1.6 HTTP server, implementing the - * {@link com.sun.net.httpserver.HttpHandler} interface. - * - *

Deserializes remote invocation objects and serializes remote invocation - * result objects. Uses Java serialization just like RMI, but provides the - * same ease of setup as Caucho's HTTP-based Hessian protocol. - * - *

HTTP invoker is the recommended protocol for Java-to-Java remoting. - * It is more powerful and more extensible than Hessian, at the expense of - * being tied to Java. Nevertheless, it is as easy to set up as Hessian, - * which is its main advantage compared to RMI. - * - *

WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: - * Manipulated input streams could lead to unwanted code execution on the server - * during the deserialization step. As a consequence, do not expose HTTP invoker - * endpoints to untrusted clients but rather just between your own services. - * In general, we strongly recommend any other message format (e.g. JSON) instead. - * - * @author Juergen Hoeller - * @since 2.5.1 - * @see org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor - * @see org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean - */ -@Deprecated -@org.springframework.lang.UsesSunHttpServer -public class SimpleHttpInvokerServiceExporter extends org.springframework.remoting.rmi.RemoteInvocationSerializingExporter implements HttpHandler { - - /** - * Reads a remote invocation from the request, executes it, - * and writes the remote invocation result to the response. - * @see #readRemoteInvocation(HttpExchange) - * @see #invokeAndCreateResult(RemoteInvocation, Object) - * @see #writeRemoteInvocationResult(HttpExchange, RemoteInvocationResult) - */ - @Override - public void handle(HttpExchange exchange) throws IOException { - try { - RemoteInvocation invocation = readRemoteInvocation(exchange); - RemoteInvocationResult result = invokeAndCreateResult(invocation, getProxy()); - writeRemoteInvocationResult(exchange, result); - exchange.close(); - } - catch (ClassNotFoundException ex) { - exchange.sendResponseHeaders(500, -1); - logger.error("Class not found during deserialization", ex); - } - } - - /** - * Read a RemoteInvocation from the given HTTP request. - *

Delegates to {@link #readRemoteInvocation(HttpExchange, InputStream)} - * with the {@link HttpExchange#getRequestBody()} request's input stream}. - * @param exchange current HTTP request/response - * @return the RemoteInvocation object - * @throws java.io.IOException in case of I/O failure - * @throws ClassNotFoundException if thrown by deserialization - */ - protected RemoteInvocation readRemoteInvocation(HttpExchange exchange) - throws IOException, ClassNotFoundException { - - return readRemoteInvocation(exchange, exchange.getRequestBody()); - } - - /** - * Deserialize a RemoteInvocation object from the given InputStream. - *

Gives {@link #decorateInputStream} a chance to decorate the stream - * first (for example, for custom encryption or compression). Creates a - * {@link org.springframework.remoting.rmi.CodebaseAwareObjectInputStream} - * and calls {@link #doReadRemoteInvocation} to actually read the object. - *

Can be overridden for custom serialization of the invocation. - * @param exchange current HTTP request/response - * @param is the InputStream to read from - * @return the RemoteInvocation object - * @throws java.io.IOException in case of I/O failure - * @throws ClassNotFoundException if thrown during deserialization - */ - protected RemoteInvocation readRemoteInvocation(HttpExchange exchange, InputStream is) - throws IOException, ClassNotFoundException { - - ObjectInputStream ois = createObjectInputStream(decorateInputStream(exchange, is)); - return doReadRemoteInvocation(ois); - } - - /** - * Return the InputStream to use for reading remote invocations, - * potentially decorating the given original InputStream. - *

The default implementation returns the given stream as-is. - * Can be overridden, for example, for custom encryption or compression. - * @param exchange current HTTP request/response - * @param is the original InputStream - * @return the potentially decorated InputStream - * @throws java.io.IOException in case of I/O failure - */ - protected InputStream decorateInputStream(HttpExchange exchange, InputStream is) throws IOException { - return is; - } - - /** - * Write the given RemoteInvocationResult to the given HTTP response. - * @param exchange current HTTP request/response - * @param result the RemoteInvocationResult object - * @throws java.io.IOException in case of I/O failure - */ - protected void writeRemoteInvocationResult(HttpExchange exchange, RemoteInvocationResult result) - throws IOException { - - exchange.getResponseHeaders().set("Content-Type", getContentType()); - exchange.sendResponseHeaders(200, 0); - writeRemoteInvocationResult(exchange, result, exchange.getResponseBody()); - } - - /** - * Serialize the given RemoteInvocation to the given OutputStream. - *

The default implementation gives {@link #decorateOutputStream} a chance - * to decorate the stream first (for example, for custom encryption or compression). - * Creates an {@link java.io.ObjectOutputStream} for the final stream and calls - * {@link #doWriteRemoteInvocationResult} to actually write the object. - *

Can be overridden for custom serialization of the invocation. - * @param exchange current HTTP request/response - * @param result the RemoteInvocationResult object - * @param os the OutputStream to write to - * @throws java.io.IOException in case of I/O failure - * @see #decorateOutputStream - * @see #doWriteRemoteInvocationResult - */ - protected void writeRemoteInvocationResult( - HttpExchange exchange, RemoteInvocationResult result, OutputStream os) throws IOException { - - ObjectOutputStream oos = createObjectOutputStream(decorateOutputStream(exchange, os)); - doWriteRemoteInvocationResult(result, oos); - oos.flush(); - } - - /** - * Return the OutputStream to use for writing remote invocation results, - * potentially decorating the given original OutputStream. - *

The default implementation returns the given stream as-is. - * Can be overridden, for example, for custom encryption or compression. - * @param exchange current HTTP request/response - * @param os the original OutputStream - * @return the potentially decorated OutputStream - * @throws java.io.IOException in case of I/O failure - */ - protected OutputStream decorateOutputStream(HttpExchange exchange, OutputStream os) throws IOException { - return os; - } - -}