public class HttpInvokerServiceExporter extends RemoteInvocationSerializingExporter implements HttpRequestHandler
Deserializes remote invocation objects and serializes remote invocation result objects. Uses Java serialization just like RMI, but provides the same ease of setup as Caucho's HTTP-based Hessian protocol.
HTTP invoker is the recommended protocol for Java-to-Java remoting. It is more powerful and more extensible than Hessian, at the expense of being tied to Java. Nevertheless, it is as easy to set up as Hessian, which is its main advantage compared to RMI.
WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format (e.g. JSON) instead.
HttpInvokerClientInterceptor
,
HttpInvokerProxyFactoryBean
,
RmiServiceExporter
,
HessianServiceExporter
CONTENT_TYPE_SERIALIZED_OBJECT
logger
Constructor and Description |
---|
HttpInvokerServiceExporter() |
Modifier and Type | Method and Description |
---|---|
protected InputStream |
decorateInputStream(HttpServletRequest request,
InputStream is)
Return the InputStream to use for reading remote invocations,
potentially decorating the given original InputStream.
|
protected OutputStream |
decorateOutputStream(HttpServletRequest request,
HttpServletResponse response,
OutputStream os)
Return the OutputStream to use for writing remote invocation results,
potentially decorating the given original OutputStream.
|
void |
handleRequest(HttpServletRequest request,
HttpServletResponse response)
Reads a remote invocation from the request, executes it,
and writes the remote invocation result to the response.
|
protected RemoteInvocation |
readRemoteInvocation(HttpServletRequest request)
Read a RemoteInvocation from the given HTTP request.
|
protected RemoteInvocation |
readRemoteInvocation(HttpServletRequest request,
InputStream is)
Deserialize a RemoteInvocation object from the given InputStream.
|
protected void |
writeRemoteInvocationResult(HttpServletRequest request,
HttpServletResponse response,
RemoteInvocationResult result)
Write the given RemoteInvocationResult to the given HTTP response.
|
protected void |
writeRemoteInvocationResult(HttpServletRequest request,
HttpServletResponse response,
RemoteInvocationResult result,
OutputStream os)
Serialize the given RemoteInvocation to the given OutputStream.
|
afterPropertiesSet, createObjectInputStream, createObjectOutputStream, doReadRemoteInvocation, doWriteRemoteInvocationResult, getContentType, getProxy, isAcceptProxyClasses, prepare, setAcceptProxyClasses, setContentType
getRemoteInvocationExecutor, invoke, invokeAndCreateResult, setRemoteInvocationExecutor
checkService, checkServiceInterface, getExporterName, getProxyForService, getService, getServiceInterface, setInterceptors, setRegisterTraceInterceptor, setService, setServiceInterface
getBeanClassLoader, overrideThreadContextClassLoader, resetThreadContextClassLoader, setBeanClassLoader
public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
handleRequest
in interface HttpRequestHandler
request
- current HTTP requestresponse
- current HTTP responseServletException
- in case of general errorsIOException
- in case of I/O errorsreadRemoteInvocation(HttpServletRequest)
,
RemoteInvocationBasedExporter.invokeAndCreateResult(org.springframework.remoting.support.RemoteInvocation, Object)
,
writeRemoteInvocationResult(HttpServletRequest, HttpServletResponse, RemoteInvocationResult)
protected RemoteInvocation readRemoteInvocation(HttpServletRequest request) throws IOException, ClassNotFoundException
Delegates to readRemoteInvocation(HttpServletRequest, InputStream)
with
the servlet request's input stream
.
request
- current HTTP requestIOException
- in case of I/O failureClassNotFoundException
- if thrown by deserializationprotected RemoteInvocation readRemoteInvocation(HttpServletRequest request, InputStream is) throws IOException, ClassNotFoundException
Gives decorateInputStream(javax.servlet.http.HttpServletRequest, java.io.InputStream)
a chance to decorate the stream
first (for example, for custom encryption or compression). Creates a
CodebaseAwareObjectInputStream
and calls RemoteInvocationSerializingExporter.doReadRemoteInvocation(java.io.ObjectInputStream)
to actually read the object.
Can be overridden for custom serialization of the invocation.
request
- current HTTP requestis
- the InputStream to read fromIOException
- in case of I/O failureClassNotFoundException
- if thrown during deserializationprotected InputStream decorateInputStream(HttpServletRequest request, InputStream is) throws IOException
The default implementation returns the given stream as-is. Can be overridden, for example, for custom encryption or compression.
request
- current HTTP requestis
- the original InputStreamIOException
- in case of I/O failureprotected void writeRemoteInvocationResult(HttpServletRequest request, HttpServletResponse response, RemoteInvocationResult result) throws IOException
request
- current HTTP requestresponse
- current HTTP responseresult
- the RemoteInvocationResult objectIOException
- in case of I/O failureprotected void writeRemoteInvocationResult(HttpServletRequest request, HttpServletResponse response, RemoteInvocationResult result, OutputStream os) throws IOException
The default implementation gives decorateOutputStream(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.io.OutputStream)
a chance
to decorate the stream first (for example, for custom encryption or compression).
Creates an ObjectOutputStream
for the final stream and calls
RemoteInvocationSerializingExporter.doWriteRemoteInvocationResult(org.springframework.remoting.support.RemoteInvocationResult, java.io.ObjectOutputStream)
to actually write the object.
Can be overridden for custom serialization of the invocation.
request
- current HTTP requestresponse
- current HTTP responseresult
- the RemoteInvocationResult objectos
- the OutputStream to write toIOException
- in case of I/O failuredecorateOutputStream(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.io.OutputStream)
,
RemoteInvocationSerializingExporter.doWriteRemoteInvocationResult(org.springframework.remoting.support.RemoteInvocationResult, java.io.ObjectOutputStream)
protected OutputStream decorateOutputStream(HttpServletRequest request, HttpServletResponse response, OutputStream os) throws IOException
The default implementation returns the given stream as-is. Can be overridden, for example, for custom encryption or compression.
request
- current HTTP requestresponse
- current HTTP responseos
- the original OutputStreamIOException
- in case of I/O failure