Class HttpInvokerServiceExporter

  • All Implemented Interfaces:
    Aware, BeanClassLoaderAware, InitializingBean, HttpRequestHandler

    public class HttpInvokerServiceExporter
    extends RemoteInvocationSerializingExporter
    implements HttpRequestHandler
    Servlet-API-based HTTP request handler that exports the specified service bean as HTTP invoker service endpoint, accessible via an HTTP invoker proxy.

    Deserializes remote invocation objects and serializes remote invocation result objects. Uses Java serialization just like RMI, but provides the same ease of setup as Caucho's HTTP-based Hessian protocol.

    HTTP invoker is the recommended protocol for Java-to-Java remoting. It is more powerful and more extensible than Hessian, at the expense of being tied to Java. Nevertheless, it is as easy to set up as Hessian, which is its main advantage compared to RMI.

    WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format (e.g. JSON) instead.

    Juergen Hoeller
    See Also:
    HttpInvokerClientInterceptor, HttpInvokerProxyFactoryBean, RmiServiceExporter, HessianServiceExporter