MethodInterceptor for accessing an
HTTP invoker service. The service URL must be an HTTP URL exposing
an HTTP invoker service.
Serializes remote invocation objects and deserializes remote invocation
result objects. Uses Java serialization just like RMI, but provides the
same ease of setup as Caucho's HTTP-based Hessian protocol.
HTTP invoker is a very extensible and customizable protocol.
It supports the RemoteInvocationFactory mechanism, like RMI invoker,
which allows additional invocation attributes (for example,
a security context) to be included. Furthermore, request execution
can be customized via the HttpInvokerRequestExecutor strategy.
Can use the JDK's RMIClassLoader to load classes
from a given codebase, performing on-demand dynamic
code download from a remote location. The codebase can consist of multiple
URLs, separated by spaces. Note that RMIClassLoader requires a SecurityManager
to be set, analogous to when using dynamic class download with standard RMI!
(See the RMI documentation for details.)
WARNING: Be aware of vulnerabilities due to unsafe Java deserialization:
Manipulated input streams could lead to unwanted code execution on the server
during the deserialization step. As a consequence, do not expose HTTP invoker
endpoints to untrusted clients but rather just between your own services.
In general, we strongly recommend any other message format (e.g. JSON) instead.
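
The deserialization step the warning refers to can be narrowed with a class allowlist. The following is an added example, not Spring's code and not part of the original documentation: it uses the JDK's `java.io.ObjectInputFilter` (JDK 9+) to reject any class outside an expected set before it is instantiated. `InvocationResult` and `Unexpected` are hypothetical stand-in classes constructed for the demonstration.

```java
import java.io.*;

public class FilteredDeserializationDemo {

    // Hypothetical stand-in for the result type a client expects to receive.
    static class InvocationResult implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        InvocationResult(String value) { this.value = value; }
    }

    // Hypothetical stand-in for any serializable class the client never expects.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allowlist: the expected class and String (its field type), plus limits on
    // graph depth, reference count and stream size. "!*" rejects everything else.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;java.lang.String;"
            + InvocationResult.class.getName() + ";!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // The filter is consulted for each class descriptor before an instance is created.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        InvocationResult r = (InvocationResult) readFiltered(serialize(new InvocationResult("ok")));
        System.out.println("allowed: " + r.value);
        try {
            readFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allowlist reduces the set of classes an input stream can instantiate; it does not change the recommendation above to keep such endpoints between your own services.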
public void setCodebaseUrl(@Nullable
Set the codebase URL to download classes from if not found locally.
Can consist of multiple URLs, separated by spaces.
Follows RMI's codebase conventions for dynamic class download.
In contrast to RMI, where the server determines the URL for class download
(via the "java.rmi.server.codebase" system property), it's the client
that determines the codebase URL here. The server will usually be the
same as for the service URL, just pointing to a different path there.
Can be overridden in subclasses to pass a different configuration object
to the executor. Alternatively, add further configuration properties in a
subclass of this accessor: By default, the accessor passes itself as
configuration object to the executor.
Parameters:
invocation - the RemoteInvocation to execute
Returns:
the RemoteInvocationResult object
Throws:
java.io.IOException - if thrown by I/O operations
java.lang.ClassNotFoundException - if thrown during deserialization