WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: + * Manipulated input streams could lead to unwanted code execution on the server + * during the deserialization step. As a consequence, do not expose HTTP invoker + * endpoints to untrusted clients but rather just between your own services. + * * @author Juergen Hoeller * @since 1.1 * @see #setServiceInterface diff --git a/spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java b/spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java index 654cc6ca8f..95a82846ba 100644 --- a/spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java +++ b/spring-web/src/main/java/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java @@ -48,6 +48,11 @@ import org.springframework.web.util.NestedServletException; * expense of being tied to Java. Nevertheless, it is as easy to set up as * Hessian and Burlap, which is its main advantage compared to RMI. * + *
WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: + * Manipulated input streams could lead to unwanted code execution on the server + * during the deserialization step. As a consequence, do not expose HTTP invoker + * endpoints to untrusted clients but rather just between your own services. + * * @author Juergen Hoeller * @since 1.1 * @see HttpInvokerClientInterceptor