diff --git a/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java b/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java index 9c897b8a7641..50f786d72747 100644 --- a/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java +++ b/spring-context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java @@ -48,7 +48,6 @@ * @author Juergen Hoeller * @since 1.1.3 * @see java.rmi.server.RMIClassLoader - * @see RemoteInvocationSerializingExporter#createObjectInputStream * @see org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor#setCodebaseUrl * @deprecated as of 5.3 (phasing out serialization-based remoting) */ diff --git a/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java b/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java deleted file mode 100644 index 99e81a4e27cf..000000000000 --- a/spring-context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java +++ /dev/null @@ -1,183 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.remoting.rmi; - -import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; -import java.io.OutputStream; -import java.rmi.RemoteException; - -import org.springframework.beans.factory.InitializingBean; -import org.springframework.remoting.support.RemoteInvocation; -import org.springframework.remoting.support.RemoteInvocationBasedExporter; -import org.springframework.remoting.support.RemoteInvocationResult; -import org.springframework.util.Assert; -import org.springframework.util.ClassUtils; - -/** - * Abstract base class for remote service exporters that explicitly deserialize - * {@link org.springframework.remoting.support.RemoteInvocation} objects and serialize - * {@link org.springframework.remoting.support.RemoteInvocationResult} objects, - * for example Spring's HTTP invoker. - * - *
Provides template methods for {@code ObjectInputStream} and - * {@code ObjectOutputStream} handling. - * - * @author Juergen Hoeller - * @since 2.5.1 - * @see java.io.ObjectInputStream - * @see java.io.ObjectOutputStream - * @see #doReadRemoteInvocation - * @see #doWriteRemoteInvocationResult - * @deprecated as of 5.3 (phasing out serialization-based remoting) - */ -@Deprecated -public abstract class RemoteInvocationSerializingExporter extends RemoteInvocationBasedExporter - implements InitializingBean { - - /** - * Default content type: "application/x-java-serialized-object". - */ - public static final String CONTENT_TYPE_SERIALIZED_OBJECT = "application/x-java-serialized-object"; - - - private String contentType = CONTENT_TYPE_SERIALIZED_OBJECT; - - private boolean acceptProxyClasses = true; - - private Object proxy; - - - /** - * Specify the content type to use for sending remote invocation responses. - *
Default is "application/x-java-serialized-object". - */ - public void setContentType(String contentType) { - Assert.notNull(contentType, "'contentType' must not be null"); - this.contentType = contentType; - } - - /** - * Return the content type to use for sending remote invocation responses. - */ - public String getContentType() { - return this.contentType; - } - - /** - * Set whether to accept deserialization of proxy classes. - *
Default is "true". May be deactivated as a security measure. - */ - public void setAcceptProxyClasses(boolean acceptProxyClasses) { - this.acceptProxyClasses = acceptProxyClasses; - } - - /** - * Return whether to accept deserialization of proxy classes. - */ - public boolean isAcceptProxyClasses() { - return this.acceptProxyClasses; - } - - - @Override - public void afterPropertiesSet() { - prepare(); - } - - /** - * Initialize this service exporter. - */ - public void prepare() { - this.proxy = getProxyForService(); - } - - protected final Object getProxy() { - if (this.proxy == null) { - throw new IllegalStateException(ClassUtils.getShortName(getClass()) + " has not been initialized"); - } - return this.proxy; - } - - - /** - * Create an ObjectInputStream for the given InputStream. - *
The default implementation creates a Spring {@link CodebaseAwareObjectInputStream}. - * @param is the InputStream to read from - * @return the new ObjectInputStream instance to use - * @throws java.io.IOException if creation of the ObjectInputStream failed - */ - protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException { - return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses()); - } - - /** - * Perform the actual reading of an invocation result object from the - * given ObjectInputStream. - *
The default implementation simply calls - * {@link java.io.ObjectInputStream#readObject()}. - * Can be overridden for deserialization of a custom wrapper object rather - * than the plain invocation, for example an encryption-aware holder. - * @param ois the ObjectInputStream to read from - * @return the RemoteInvocationResult object - * @throws java.io.IOException in case of I/O failure - * @throws ClassNotFoundException if case of a transferred class not - * being found in the local ClassLoader - */ - protected RemoteInvocation doReadRemoteInvocation(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - - Object obj = ois.readObject(); - if (!(obj instanceof RemoteInvocation)) { - throw new RemoteException("Deserialized object needs to be assignable to type [" + - RemoteInvocation.class.getName() + "]: " + ClassUtils.getDescriptiveType(obj)); - } - return (RemoteInvocation) obj; - } - - /** - * Create an ObjectOutputStream for the given OutputStream. - *
The default implementation creates a plain - * {@link java.io.ObjectOutputStream}. - * @param os the OutputStream to write to - * @return the new ObjectOutputStream instance to use - * @throws java.io.IOException if creation of the ObjectOutputStream failed - */ - protected ObjectOutputStream createObjectOutputStream(OutputStream os) throws IOException { - return new ObjectOutputStream(os); - } - - /** - * Perform the actual writing of the given invocation result object - * to the given ObjectOutputStream. - *
The default implementation simply calls
- * {@link java.io.ObjectOutputStream#writeObject}.
- * Can be overridden for serialization of a custom wrapper object rather
- * than the plain invocation, for example an encryption-aware holder.
- * @param result the RemoteInvocationResult object
- * @param oos the ObjectOutputStream to write to
- * @throws java.io.IOException if thrown by I/O methods
- */
- protected void doWriteRemoteInvocationResult(RemoteInvocationResult result, ObjectOutputStream oos)
- throws IOException {
-
- oos.writeObject(result);
- }
-
-}
diff --git a/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java b/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java
index f72fb9fdba8e..aa9a9f235150 100644
--- a/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java
+++ b/spring-context/src/main/java/org/springframework/remoting/support/SimpleHttpServerFactoryBean.java
@@ -121,7 +121,6 @@ public void setExecutor(Executor executor) {
* for specific context paths.
* @param contexts a Map with context paths as keys and HttpHandler
* objects as values
- * @see org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter
* @see org.springframework.remoting.caucho.SimpleHessianServiceExporter
*/
public void setContexts(Map Deserializes remote invocation objects and serializes remote invocation
- * result objects. Uses Java serialization just like RMI, but provides the
- * same ease of setup as Caucho's HTTP-based Hessian protocol.
- *
- * HTTP invoker is the recommended protocol for Java-to-Java remoting.
- * It is more powerful and more extensible than Hessian, at the expense of
- * being tied to Java. Nevertheless, it is as easy to set up as Hessian,
- * which is its main advantage compared to RMI.
- *
- * WARNING: Be aware of vulnerabilities due to unsafe Java deserialization:
- * Manipulated input streams could lead to unwanted code execution on the server
- * during the deserialization step. As a consequence, do not expose HTTP invoker
- * endpoints to untrusted clients but rather just between your own services.
- * In general, we strongly recommend any other message format (e.g. JSON) instead.
- *
- * @author Juergen Hoeller
- * @since 2.5.1
- * @see org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor
- * @see org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean
- */
-@Deprecated
-@org.springframework.lang.UsesSunHttpServer
-public class SimpleHttpInvokerServiceExporter extends org.springframework.remoting.rmi.RemoteInvocationSerializingExporter implements HttpHandler {
-
- /**
- * Reads a remote invocation from the request, executes it,
- * and writes the remote invocation result to the response.
- * @see #readRemoteInvocation(HttpExchange)
- * @see #invokeAndCreateResult(RemoteInvocation, Object)
- * @see #writeRemoteInvocationResult(HttpExchange, RemoteInvocationResult)
- */
- @Override
- public void handle(HttpExchange exchange) throws IOException {
- try {
- RemoteInvocation invocation = readRemoteInvocation(exchange);
- RemoteInvocationResult result = invokeAndCreateResult(invocation, getProxy());
- writeRemoteInvocationResult(exchange, result);
- exchange.close();
- }
- catch (ClassNotFoundException ex) {
- exchange.sendResponseHeaders(500, -1);
- logger.error("Class not found during deserialization", ex);
- }
- }
-
- /**
- * Read a RemoteInvocation from the given HTTP request.
- * Delegates to {@link #readRemoteInvocation(HttpExchange, InputStream)}
- * with the {@link HttpExchange#getRequestBody()} request's input stream}.
- * @param exchange current HTTP request/response
- * @return the RemoteInvocation object
- * @throws java.io.IOException in case of I/O failure
- * @throws ClassNotFoundException if thrown by deserialization
- */
- protected RemoteInvocation readRemoteInvocation(HttpExchange exchange)
- throws IOException, ClassNotFoundException {
-
- return readRemoteInvocation(exchange, exchange.getRequestBody());
- }
-
- /**
- * Deserialize a RemoteInvocation object from the given InputStream.
- * Gives {@link #decorateInputStream} a chance to decorate the stream
- * first (for example, for custom encryption or compression). Creates a
- * {@link org.springframework.remoting.rmi.CodebaseAwareObjectInputStream}
- * and calls {@link #doReadRemoteInvocation} to actually read the object.
- * Can be overridden for custom serialization of the invocation.
- * @param exchange current HTTP request/response
- * @param is the InputStream to read from
- * @return the RemoteInvocation object
- * @throws java.io.IOException in case of I/O failure
- * @throws ClassNotFoundException if thrown during deserialization
- */
- protected RemoteInvocation readRemoteInvocation(HttpExchange exchange, InputStream is)
- throws IOException, ClassNotFoundException {
-
- ObjectInputStream ois = createObjectInputStream(decorateInputStream(exchange, is));
- return doReadRemoteInvocation(ois);
- }
-
- /**
- * Return the InputStream to use for reading remote invocations,
- * potentially decorating the given original InputStream.
- * The default implementation returns the given stream as-is.
- * Can be overridden, for example, for custom encryption or compression.
- * @param exchange current HTTP request/response
- * @param is the original InputStream
- * @return the potentially decorated InputStream
- * @throws java.io.IOException in case of I/O failure
- */
- protected InputStream decorateInputStream(HttpExchange exchange, InputStream is) throws IOException {
- return is;
- }
-
- /**
- * Write the given RemoteInvocationResult to the given HTTP response.
- * @param exchange current HTTP request/response
- * @param result the RemoteInvocationResult object
- * @throws java.io.IOException in case of I/O failure
- */
- protected void writeRemoteInvocationResult(HttpExchange exchange, RemoteInvocationResult result)
- throws IOException {
-
- exchange.getResponseHeaders().set("Content-Type", getContentType());
- exchange.sendResponseHeaders(200, 0);
- writeRemoteInvocationResult(exchange, result, exchange.getResponseBody());
- }
-
- /**
- * Serialize the given RemoteInvocation to the given OutputStream.
- * The default implementation gives {@link #decorateOutputStream} a chance
- * to decorate the stream first (for example, for custom encryption or compression).
- * Creates an {@link java.io.ObjectOutputStream} for the final stream and calls
- * {@link #doWriteRemoteInvocationResult} to actually write the object.
- * Can be overridden for custom serialization of the invocation.
- * @param exchange current HTTP request/response
- * @param result the RemoteInvocationResult object
- * @param os the OutputStream to write to
- * @throws java.io.IOException in case of I/O failure
- * @see #decorateOutputStream
- * @see #doWriteRemoteInvocationResult
- */
- protected void writeRemoteInvocationResult(
- HttpExchange exchange, RemoteInvocationResult result, OutputStream os) throws IOException {
-
- ObjectOutputStream oos = createObjectOutputStream(decorateOutputStream(exchange, os));
- doWriteRemoteInvocationResult(result, oos);
- oos.flush();
- }
-
- /**
- * Return the OutputStream to use for writing remote invocation results,
- * potentially decorating the given original OutputStream.
- * The default implementation returns the given stream as-is.
- * Can be overridden, for example, for custom encryption or compression.
- * @param exchange current HTTP request/response
- * @param os the original OutputStream
- * @return the potentially decorated OutputStream
- * @throws java.io.IOException in case of I/O failure
- */
- protected OutputStream decorateOutputStream(HttpExchange exchange, OutputStream os) throws IOException {
- return os;
- }
-
-}