org.springframework.remoting.httpinvoker

Class HttpInvokerServiceExporter

java.lang.Object

org.springframework.remoting.support.RemotingSupport

org.springframework.remoting.support.RemoteExporter

org.springframework.remoting.support.RemoteInvocationBasedExporter

org.springframework.remoting.rmi.RemoteInvocationSerializingExporter

org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter

All Implemented Interfaces:

Aware, BeanClassLoaderAware, InitializingBean, HttpRequestHandler

public class HttpInvokerServiceExporter
extends RemoteInvocationSerializingExporter
implements HttpRequestHandler

Servlet-API-based HTTP request handler that exports the specified service bean as HTTP invoker service endpoint, accessible via an HTTP invoker proxy.

Deserializes remote invocation objects and serializes remote invocation result objects. Uses Java serialization just like RMI, but provides the same ease of setup as Caucho's HTTP-based Hessian protocol.

HTTP invoker is the recommended protocol for Java-to-Java remoting. It is more powerful and more extensible than Hessian, at the expense of being tied to Java. Nevertheless, it is as easy to set up as Hessian, which is its main advantage compared to RMI.

WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format (e.g. JSON) instead.

Since:

1.1

Author:

Juergen Hoeller

See Also:

HttpInvokerClientInterceptor, HttpInvokerProxyFactoryBean, RmiServiceExporter, HessianServiceExporter

Field Summary

Fields inherited from class org.springframework.remoting.rmi.RemoteInvocationSerializingExporter

CONTENT_TYPE_SERIALIZED_OBJECT

Fields inherited from class org.springframework.remoting.support.RemotingSupport

logger

Constructor Summary

Constructors

Constructor and Description
HttpInvokerServiceExporter()

Method Summary

Modifier and Type	Method and Description
protected java.io.InputStream	decorateInputStream(HttpServletRequest request, java.io.InputStream is) Return the InputStream to use for reading remote invocations, potentially decorating the given original InputStream.
protected java.io.OutputStream	decorateOutputStream(HttpServletRequest request, HttpServletResponse response, java.io.OutputStream os) Return the OutputStream to use for writing remote invocation results, potentially decorating the given original OutputStream.
void	handleRequest(HttpServletRequest request, HttpServletResponse response) Reads a remote invocation from the request, executes it, and writes the remote invocation result to the response.
protected RemoteInvocation	readRemoteInvocation(HttpServletRequest request) Read a RemoteInvocation from the given HTTP request.
protected RemoteInvocation	readRemoteInvocation(HttpServletRequest request, java.io.InputStream is) Deserialize a RemoteInvocation object from the given InputStream.
protected void	writeRemoteInvocationResult(HttpServletRequest request, HttpServletResponse response, RemoteInvocationResult result) Write the given RemoteInvocationResult to the given HTTP response.
protected void	writeRemoteInvocationResult(HttpServletRequest request, HttpServletResponse response, RemoteInvocationResult result, java.io.OutputStream os) Serialize the given RemoteInvocation to the given OutputStream.

Methods inherited from class org.springframework.remoting.rmi.RemoteInvocationSerializingExporter

afterPropertiesSet, createObjectInputStream, createObjectOutputStream, doReadRemoteInvocation, doWriteRemoteInvocationResult, getContentType, getProxy, isAcceptProxyClasses, prepare, setAcceptProxyClasses, setContentType

Methods inherited from class org.springframework.remoting.support.RemoteInvocationBasedExporter

getRemoteInvocationExecutor, invoke, invokeAndCreateResult, setRemoteInvocationExecutor

Methods inherited from class org.springframework.remoting.support.RemoteExporter

checkService, checkServiceInterface, getExporterName, getProxyForService, getService, getServiceInterface, setInterceptors, setRegisterTraceInterceptor, setService, setServiceInterface

Methods inherited from class org.springframework.remoting.support.RemotingSupport

getBeanClassLoader, overrideThreadContextClassLoader, resetThreadContextClassLoader, setBeanClassLoader

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HttpInvokerServiceExporter

public HttpInvokerServiceExporter()

Method Detail

handleRequest

public void handleRequest(HttpServletRequest request,
                          HttpServletResponse response)
                   throws ServletException,
                          java.io.IOException

Reads a remote invocation from the request, executes it, and writes the remote invocation result to the response.

Specified by:

handleRequest in interface HttpRequestHandler

Parameters:

request - current HTTP request

response - current HTTP response

Throws:

ServletException - in case of general errors

java.io.IOException - in case of I/O errors

See Also:

readRemoteInvocation(HttpServletRequest), RemoteInvocationBasedExporter.invokeAndCreateResult(org.springframework.remoting.support.RemoteInvocation, Object), writeRemoteInvocationResult(HttpServletRequest, HttpServletResponse, RemoteInvocationResult)

readRemoteInvocation

protected RemoteInvocation readRemoteInvocation(HttpServletRequest request)
                                         throws java.io.IOException,
                                                java.lang.ClassNotFoundException

Read a RemoteInvocation from the given HTTP request.

Delegates to readRemoteInvocation(HttpServletRequest, InputStream) with the servlet request's input stream.

Parameters:

request - current HTTP request

Returns:

the RemoteInvocation object

Throws:

java.io.IOException - in case of I/O failure

java.lang.ClassNotFoundException - if thrown by deserialization

readRemoteInvocation

protected RemoteInvocation readRemoteInvocation(HttpServletRequest request,
                                                java.io.InputStream is)
                                         throws java.io.IOException,
                                                java.lang.ClassNotFoundException

Deserialize a RemoteInvocation object from the given InputStream.

Gives decorateInputStream(javax.servlet.http.HttpServletRequest, java.io.InputStream) a chance to decorate the stream first (for example, for custom encryption or compression). Creates a CodebaseAwareObjectInputStream and calls RemoteInvocationSerializingExporter.doReadRemoteInvocation(java.io.ObjectInputStream) to actually read the object.

Can be overridden for custom serialization of the invocation.

Parameters:

request - current HTTP request

is - the InputStream to read from

Returns:

the RemoteInvocation object

Throws:

java.io.IOException - in case of I/O failure

java.lang.ClassNotFoundException - if thrown during deserialization

decorateInputStream

protected java.io.InputStream decorateInputStream(HttpServletRequest request,
                                                  java.io.InputStream is)
                                           throws java.io.IOException

Return the InputStream to use for reading remote invocations, potentially decorating the given original InputStream.

The default implementation returns the given stream as-is. Can be overridden, for example, for custom encryption or compression.

Parameters:

request - current HTTP request

is - the original InputStream

Returns:

the potentially decorated InputStream

Throws:

java.io.IOException - in case of I/O failure

writeRemoteInvocationResult

protected void writeRemoteInvocationResult(HttpServletRequest request,
                                           HttpServletResponse response,
                                           RemoteInvocationResult result)
                                    throws java.io.IOException

Write the given RemoteInvocationResult to the given HTTP response.

Parameters:

request - current HTTP request

response - current HTTP response

result - the RemoteInvocationResult object

Throws:

java.io.IOException - in case of I/O failure

writeRemoteInvocationResult

protected void writeRemoteInvocationResult(HttpServletRequest request,
                                           HttpServletResponse response,
                                           RemoteInvocationResult result,
                                           java.io.OutputStream os)
                                    throws java.io.IOException

Serialize the given RemoteInvocation to the given OutputStream.

The default implementation gives decorateOutputStream(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.io.OutputStream) a chance to decorate the stream first (for example, for custom encryption or compression). Creates an ObjectOutputStream for the final stream and calls RemoteInvocationSerializingExporter.doWriteRemoteInvocationResult(org.springframework.remoting.support.RemoteInvocationResult, java.io.ObjectOutputStream) to actually write the object.

Can be overridden for custom serialization of the invocation.

Parameters:

request - current HTTP request

response - current HTTP response

result - the RemoteInvocationResult object

os - the OutputStream to write to

Throws:

java.io.IOException - in case of I/O failure

See Also:

decorateOutputStream(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.io.OutputStream), RemoteInvocationSerializingExporter.doWriteRemoteInvocationResult(org.springframework.remoting.support.RemoteInvocationResult, java.io.ObjectOutputStream)

decorateOutputStream

protected java.io.OutputStream decorateOutputStream(HttpServletRequest request,
                                                    HttpServletResponse response,
                                                    java.io.OutputStream os)
                                             throws java.io.IOException

Return the OutputStream to use for writing remote invocation results, potentially decorating the given original OutputStream.

The default implementation returns the given stream as-is. Can be overridden, for example, for custom encryption or compression.

Parameters:

request - current HTTP request

response - current HTTP response

os - the original OutputStream

Returns:

the potentially decorated OutputStream

Throws:

java.io.IOException - in case of I/O failure