4.3.9.RELEASE Spring Framework 672 Using Burlap We won’t discuss Burlap, the XML-based equivalent of Hessian, in detail here, since it is configured and set up in exactly the same way as the Hessian variant explained above. Just replace the word Hessian with Burlap and you’re all set to go. Applying HTTP basic authentication to a service exposed through Hessian or Burlap One of the advantages of Hessian and Burlap is that we can easily apply HTTP basic authentication, because both protocols are HTTP-based. Your normal HTTP server security mechanism can easily be applied through using the web.xml security features, for example. Usually, you don’t use per-user security credentials here, but rather shared credentials defined at the Hessian BurlapProxyFactoryBean level similar to a JDBC DataSource . bean class = org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping property name = interceptors ref = authorizationInterceptor bean bean id = authorizationInterceptor class = org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor property name = authorizedRoles value = administrator,operator bean This is an example where we explicitly mention the BeanNameUrlHandlerMapping and set an interceptor allowing only administrators and operators to call the beans mentioned in this application context. Note Of course, this example doesn’t show a flexible kind of security infrastructure. For more options as far as security is concerned, have a look at the Spring Security project at http:projects.spring.io spring-security .

28.4 Exposing services using HTTP invokers

As opposed to Burlap and Hessian, which are both lightweight protocols using their own slim serialization mechanisms, Spring HTTP invokers use the standard Java serialization mechanism to expose services through HTTP. This has a huge advantage if your arguments and return types are complex types that cannot be serialized using the serialization mechanisms Hessian and Burlap use refer to the next section for more considerations when choosing a remoting technology. Under the hood, Spring uses either the standard facilities provided by the JDK or Apache HttpComponents to perform HTTP calls. Use the latter if you need more advanced and easier-to-use functionality. Refer to hc.apache.orghttpcomponents-client-ga for more information. Warning Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format e.g. JSON instead. 4.3.9.RELEASE Spring Framework 673 If you are concerned about security vulnerabilities due to Java serialization, consider the general- purpose serialization filter mechanism at the core JVM level, originally developed for JDK 9 but backported to JDK 8, 7 and 6 in the meantime: https:blogs.oracle.comjava-platform-groupentry incoming_filter_serialization_data_a http:openjdk.java.netjeps290 Exposing the service object Setting up the HTTP invoker infrastructure for a service object resembles closely the way you would do the same using Hessian or Burlap. Just as Hessian support provides the HessianServiceExporter , Spring’s HttpInvoker support provides the org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter . To expose the AccountService mentioned above within a Spring Web MVC DispatcherServlet , the following configuration needs to be in place in the dispatcher’s application context: bean name = AccountService class = org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter property name = service ref = accountService property name = serviceInterface value = example.AccountService bean Such an exporter definition will be exposed through the `DispatcherServlet’s standard mapping facilities, as explained in the section on Hessian. Alternatively, create an HttpInvokerServiceExporter in your root application context e.g. in WEB-INFapplicationContext.xml : bean name = accountExporter class = org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter property name = service ref = accountService property name = serviceInterface value = example.AccountService bean In addition, define a corresponding servlet for this exporter in web.xml , with the servlet name matching the bean name of the target exporter: servlet servlet-name accountExporter servlet-name servlet-class org.springframework.web.context.support.HttpRequestHandlerServlet servlet-class servlet servlet-mapping servlet-name accountExporter servlet-name url-pattern remotingAccountService url-pattern servlet-mapping If you are running outside of a servlet container and are using Oracle’s Java 6, then you can use the built- in HTTP server implementation. You can configure the SimpleHttpServerFactoryBean together with a SimpleHttpInvokerServiceExporter as is shown in this example: 4.3.9.RELEASE Spring Framework 674 bean name = accountExporter class = org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter property name = service ref = accountService property name = serviceInterface value = example.AccountService bean bean id = httpServer class = org.springframework.remoting.support.SimpleHttpServerFactoryBean property name = contexts util:map entry key = remotingAccountService value-ref = accountExporter util:map property property name = port value = 8080 bean Linking in the service at the client Again, linking in the service from the client much resembles the way you would do it when using Hessian or Burlap. Using a proxy, Spring will be able to translate your calls to HTTP POST requests to the URL pointing to the exported service. bean id = httpInvokerProxy class = org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean property name = serviceUrl value = http:remotehost:8080remotingAccountService property name = serviceInterface value = example.AccountService bean As mentioned before, you can choose what HTTP client you want to use. By default, the HttpInvokerProxy uses the JDK’s HTTP functionality, but you can also use the Apache HttpComponents client by setting the httpInvokerRequestExecutor property: property name = httpInvokerRequestExecutor bean class = org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor property

28.5 Web services