Class AbstractHttpWebServiceMessageSender

java.lang.Object
org.springframework.ws.transport.AbstractWebServiceMessageSender<HttpDestinationDescriptor>
org.springframework.ws.transport.http.AbstractHttpWebServiceMessageSender
All Implemented Interfaces:
WebServiceMessageSender
Direct Known Subclasses:
AbstractHttpComponents5MessageSender, ClientHttpRequestMessageSender, HttpComponentsMessageSender, HttpUrlConnectionMessageSender, JdkHttpClientMessageSender

public abstract class AbstractHttpWebServiceMessageSender extends AbstractWebServiceMessageSender<HttpDestinationDescriptor>
Abstract base class for WebServiceMessageSender implementations that use HTTP.

For WebServiceMessageSender.UriSource.APPLICATION, the default checks accept any http: or https: URI.

For WebServiceMessageSender.UriSource.REMOTE, the default checks require a host and reject localhost and *.localhost. When the host is an IP literal, they also reject loopback, link-local and any-local addresses, as well as RFC 1918-style private IPv4 literals; these literal checks involve no DNS lookups. Private IPv4 literals can be allowed by setting allowSiteLocalIpv4 to true.

Non-literal host names are not resolved in the defaults, so private network access through DNS is not rejected unless you add a WebServiceMessageSender.DestinationPolicy, for example one that uses HttpDestinationDescriptor.hostAddress(boolean) with DNS for stricter checks, or one that enforces a host allowlist.

Since:
1.0.0
  • Field Details

    • logger

      protected final org.apache.commons.logging.Log logger
      Logger available to subclasses.
  • Constructor Details

    • AbstractHttpWebServiceMessageSender

      protected AbstractHttpWebServiceMessageSender(Predicate<URI> supportedUriFilter)
      Create an instance with the URI filter that decides whether a given URI is accepted.
      Parameters:
      supportedUriFilter - the predicate to apply to a URI to test if it is supported by the instance
      Since:
      3.1.9
    • AbstractHttpWebServiceMessageSender

      protected AbstractHttpWebServiceMessageSender()
      Create an instance that accepts http: and https: URIs.
  • Method Details

    • isAcceptGzipEncoding

      public boolean isAcceptGzipEncoding()
      Return whether to accept GZIP encoding, that is, whether to send the HTTP Accept-Encoding header with gzip as value.
    • setAcceptGzipEncoding

      public void setAcceptGzipEncoding(boolean acceptGzipEncoding)
      Set whether to accept GZIP encoding, that is, whether to send the HTTP Accept-Encoding header with gzip as value.

      Default is true. Turn this flag off if you do not want GZIP response compression even if enabled on the HTTP server.

    • setAllowSiteLocalIpv4

      public void setAllowSiteLocalIpv4(boolean allowSiteLocalIpv4)
      Set whether to allow site-local IPv4 addresses for remote destinations.

      Default is false. When false, remote default checks reject private (RFC 1918) IPv4 literals like 10.0.0.1. Set to true to allow out-of-band replies to internal network destinations unless blocked by another policy.

      Since:
      3.1.9
    • setAllowDnsResolution

      public void setAllowDnsResolution(boolean allowDnsResolution)
      Set whether to allow DNS resolution for remote destinations.

      Default is false to avoid the performance penalty of resolving every remote destination. However, this means that malicious hostnames resolving to internal IPs (DNS rebinding or simply internal DNS records) are not blocked by the default IP-level checks. To secure out-of-band replies without the DNS resolution penalty, it is strongly recommended to configure a strict allowlist of known hosts using a WebServiceMessageSender.DestinationPolicy.

      Set to true to resolve host names and apply default checks to the resolved IPs, mitigating SSRF attacks using DNS at the cost of additional latency.

      Since:
      3.1.9
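
      The remote default checks from the class description, together with the optional DNS step that setAllowDnsResolution describes, as an added stand-alone sketch that uses only JDK classes. It is not Spring-WS code: RemoteDestinationCheck, accept and addressAllowed are hypothetical names, and the sample URIs are constructed.

```java
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;

// Added illustration; class and method names are hypothetical, not Spring-WS API.
public class RemoteDestinationCheck {
    static boolean accept(URI uri, boolean allowSiteLocalIpv4, boolean resolveDns) {
        String scheme = uri.getScheme();
        String host = uri.getHost(); // IPv6 literals come back bracketed, e.g. "[::1]"
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) return false;
        if (host == null || host.isEmpty()) return false;
        String h = host.toLowerCase(java.util.Locale.ROOT);
        if (h.equals("localhost") || h.endsWith(".localhost")) return false;
        try {
            if (h.startsWith("[")) { // bracketed input is parsed as a literal, never looked up
                return addressAllowed(InetAddress.getByName(h), allowSiteLocalIpv4);
            }
            if (h.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
                byte[] raw = new byte[4];
                String[] parts = h.split("\\.");
                for (int i = 0; i < 4; i++) {
                    int octet = Integer.parseInt(parts[i]);
                    if (octet > 255) return false;
                    raw[i] = (byte) octet;
                }
                // getByAddress builds the address from bytes; no resolver is involved.
                return addressAllowed(InetAddress.getByAddress(raw), allowSiteLocalIpv4);
            }
            if (!resolveDns) return true; // host name passes unresolved: the gap the docs describe
            for (InetAddress a : InetAddress.getAllByName(h)) { // every record must pass
                if (!addressAllowed(a, allowSiteLocalIpv4)) return false;
            }
            return true;
        } catch (UnknownHostException ex) {
            return false; // malformed literal or unresolvable name: reject
        }
    }
    static boolean addressAllowed(InetAddress a, boolean allowSiteLocalIpv4) {
        if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isAnyLocalAddress()) return false;
        boolean privateV4 = a instanceof Inet4Address && a.isSiteLocalAddress(); // RFC 1918 ranges
        return !privateV4 || allowSiteLocalIpv4;
    }
    public static void main(String[] args) {
        for (String s : new String[] { "http://127.0.0.1/reply", "http://10.0.0.1/reply",
                "http://[::1]/reply", "http://app.localhost/reply", "https://replies.example.com/cb" }) {
            System.out.println(s + " -> " + accept(URI.create(s), false, false)); // no DNS used here
        }
    }
}
```

      Resolving during the check does not pin the address the HTTP client later connects to, so in this sketch a host allowlist remains the stricter control.
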
    • createDescriptor

      protected HttpDestinationDescriptor createDescriptor(URI uri, WebServiceMessageSender.UriSource uriSource)
      Description copied from class: AbstractWebServiceMessageSender
      Create a WebServiceMessageSender.DestinationDescriptor for the given uri and uriSource.
      Specified by:
      createDescriptor in class AbstractWebServiceMessageSender<HttpDestinationDescriptor>
      Parameters:
      uri - the URI to check
      uriSource - the source of the URI
      Returns:
      a suitable descriptor
    • defaultChecks

      Description copied from class: AbstractWebServiceMessageSender
      Return the default checks to apply for the given WebServiceMessageSender.UriSource.
      Specified by:
      defaultChecks in class AbstractWebServiceMessageSender<HttpDestinationDescriptor>
      Returns:
      the default checks to apply
    • remoteDefaultChecks

      protected boolean remoteDefaultChecks(HttpDestinationDescriptor descriptor)
      Apply default checks for WebServiceMessageSender.UriSource.REMOTE URIs.
      Parameters:
      descriptor - the descriptor
      Returns:
      whether the default checks accept the URI of the given descriptor