/*
 * Copyright 2002-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.remoting.httpinvoker;

import org.springframework.aop.framework.ProxyFactory;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;

FactoryBean for HTTP invoker proxies. Exposes the proxied service for use as a bean reference, using the specified service interface.

The service URL must be an HTTP URL exposing an HTTP invoker service. Optionally, a codebase URL can be specified for on-demand dynamic code download from a remote location. For details, see HttpInvokerClientInterceptor docs.

Serializes remote invocation objects and deserializes remote invocation result objects. Uses Java serialization just like RMI, but provides the same ease of setup as Caucho's HTTP-based Hessian protocol.

HTTP invoker is the recommended protocol for Java-to-Java remoting. It is more powerful and more extensible than Hessian, at the expense of being tied to Java. Nevertheless, it is as easy to set up as Hessian, which is its main advantage compared to RMI.

WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format (e.g. JSON) instead.

Author:Juergen Hoeller
See Also:
Since:1.1
/** * {@link FactoryBean} for HTTP invoker proxies. Exposes the proxied service * for use as a bean reference, using the specified service interface. * * <p>The service URL must be an HTTP URL exposing an HTTP invoker service. * Optionally, a codebase URL can be specified for on-demand dynamic code download * from a remote location. For details, see HttpInvokerClientInterceptor docs. * * <p>Serializes remote invocation objects and deserializes remote invocation * result objects. Uses Java serialization just like RMI, but provides the * same ease of setup as Caucho's HTTP-based Hessian protocol. * * <p><b>HTTP invoker is the recommended protocol for Java-to-Java remoting.</b> * It is more powerful and more extensible than Hessian, at the expense of * being tied to Java. Nevertheless, it is as easy to set up as Hessian, * which is its main advantage compared to RMI. * * <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: * Manipulated input streams could lead to unwanted code execution on the server * during the deserialization step. As a consequence, do not expose HTTP invoker * endpoints to untrusted clients but rather just between your own services.</b> * In general, we strongly recommend any other message format (e.g. JSON) instead. * * @author Juergen Hoeller * @since 1.1 * @see #setServiceInterface * @see #setServiceUrl * @see #setCodebaseUrl * @see HttpInvokerClientInterceptor * @see HttpInvokerServiceExporter * @see org.springframework.remoting.rmi.RmiProxyFactoryBean * @see org.springframework.remoting.caucho.HessianProxyFactoryBean */
public class HttpInvokerProxyFactoryBean extends HttpInvokerClientInterceptor implements FactoryBean<Object> { @Nullable private Object serviceProxy; @Override public void afterPropertiesSet() { super.afterPropertiesSet(); Class<?> ifc = getServiceInterface(); Assert.notNull(ifc, "Property 'serviceInterface' is required"); this.serviceProxy = new ProxyFactory(ifc, this).getProxy(getBeanClassLoader()); } @Override @Nullable public Object getObject() { return this.serviceProxy; } @Override public Class<?> getObjectType() { return getServiceInterface(); } @Override public boolean isSingleton() { return true; } }