001/* 002 * Copyright 2002-2017 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * https://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.remoting.httpinvoker; 018 019import org.springframework.aop.framework.ProxyFactory; 020import org.springframework.beans.factory.FactoryBean; 021import org.springframework.lang.Nullable; 022import org.springframework.util.Assert; 023 024/** 025 * {@link FactoryBean} for HTTP invoker proxies. Exposes the proxied service 026 * for use as a bean reference, using the specified service interface. 027 * 028 * <p>The service URL must be an HTTP URL exposing an HTTP invoker service. 029 * Optionally, a codebase URL can be specified for on-demand dynamic code download 030 * from a remote location. For details, see HttpInvokerClientInterceptor docs. 031 * 032 * <p>Serializes remote invocation objects and deserializes remote invocation 033 * result objects. Uses Java serialization just like RMI, but provides the 034 * same ease of setup as Caucho's HTTP-based Hessian protocol. 035 * 036 * <p><b>HTTP invoker is the recommended protocol for Java-to-Java remoting.</b> 037 * It is more powerful and more extensible than Hessian, at the expense of 038 * being tied to Java. Nevertheless, it is as easy to set up as Hessian, 039 * which is its main advantage compared to RMI. 040 * 041 * <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: 042 * Manipulated input streams could lead to unwanted code execution on the server 043 * during the deserialization step. As a consequence, do not expose HTTP invoker 044 * endpoints to untrusted clients but rather just between your own services.</b> 045 * In general, we strongly recommend any other message format (e.g. JSON) instead. 046 * 047 * @author Juergen Hoeller 048 * @since 1.1 049 * @see #setServiceInterface 050 * @see #setServiceUrl 051 * @see #setCodebaseUrl 052 * @see HttpInvokerClientInterceptor 053 * @see HttpInvokerServiceExporter 054 * @see org.springframework.remoting.rmi.RmiProxyFactoryBean 055 * @see org.springframework.remoting.caucho.HessianProxyFactoryBean 056 */ 057public class HttpInvokerProxyFactoryBean extends HttpInvokerClientInterceptor implements FactoryBean<Object> { 058 059 @Nullable 060 private Object serviceProxy; 061 062 063 @Override 064 public void afterPropertiesSet() { 065 super.afterPropertiesSet(); 066 Class<?> ifc = getServiceInterface(); 067 Assert.notNull(ifc, "Property 'serviceInterface' is required"); 068 this.serviceProxy = new ProxyFactory(ifc, this).getProxy(getBeanClassLoader()); 069 } 070 071 072 @Override 073 @Nullable 074 public Object getObject() { 075 return this.serviceProxy; 076 } 077 078 @Override 079 public Class<?> getObjectType() { 080 return getServiceInterface(); 081 } 082 083 @Override 084 public boolean isSingleton() { 085 return true; 086 } 087 088}