Hessian Web Service Protocol with Spring Remoting

Hessian Web Service Protocol with Spring Remoting is a great way to simplify web service communication.

Hessian is a binary web service protocol that can be used with Spring Remoting, which is a part of the Spring Framework.

This combination allows for efficient communication between client and server, reducing the overhead of XML-based protocols like SOAP.

Spring Remoting provides a simple way to integrate Hessian with other Spring components, making it easy to build robust web services.

If this caught your attention, see: Web Services Protocol Stack

Burlap is an XML-based protocol for remoting, developed by Caucho, the same company behind Hessian. It's similar to Hessian, but instead of using binary data, Burlap uses XML.

Burlap needs to be hosted over HTTP, just like Hessian, and has a BurlapServiceExporter and a BurlapProxyFactoryBean class to expose and consume remote services.

Burlap's support has been deprecated since Spring 4.0, meaning it's no longer actively developed or recommended for new projects.

Additional reading: Xml Conversion Services

Burlap is an XML-based protocol for remoting developed by Caucho. It's similar to Hessian, but instead of using binary data, Burlap uses XML.

Burlap needs to be hosted over HTTP and can be easily applied with HTTP basic authentication. This means you can use your normal HTTP server security mechanism to secure your Burlap services.

To expose and consume remote services using Burlap, you'll need to use the BurlapServiceExporter and BurlapProxyFactoryBean classes. These classes are part of the Spring framework and make it easy to work with Burlap.

Since Burlap is not being actively developed, its support has been deprecated since Spring 4.0. This means you may want to consider using Hessian instead, which is also a lightweight binary HTTP-based protocol provided by Caucho.

Here are the main ways to use Burlap for remote HTTP services:

Keep in mind that while Burlap is still supported in older versions of Spring, it's not the recommended choice for new projects.

To configure DispatcherServlet, create a new servlet in your application, specifying its name in web.xml. This will allow you to use Spring's DispatcherServlet principles to wire up the servlet.

You'll need to create an application context named remoting-servlet.xml in the WEB-INF directory. This context will be used to configure the servlet.

In the application context, you can explicitly mention the BeanNameUrlHandlerMapping and set an interceptor. This will allow you to control access to the beans mentioned in the context, as seen in the example where only administrators and operators are allowed to call the beans.

To expose your services, you'll need to create a service exporter, similar to RMI. This exporter will be used to configure the Hessian server-side.

Additional reading: Xml in Web Services

To wire up a servlet exposing your services, you'll need to create a new servlet in your application, similar to the example in the DispatcherServlet section, where a servlet is created in web.xml.

You'll also need to create an application context named remoting-servlet.xml in the WEB-INF directory, as mentioned in the DispatcherServlet section, which will be used to configure the servlet.

To specify the beans that can be accessed through the servlet, you can use the BeanNameUrlHandlerMapping, as shown in the DispatcherServlet section, where it's explicitly mentioned and an interceptor is set to allow only administrators and operators to call the beans.

The service exporter, similar to RMI, can be configured by changing the hessian related class, as shown in the Hessian server-side configuration section.

You can expose your beans by using the HessianServiceExporter, which is a key component in the remoting process.

To do this, you'll need to create a new application context called remoting-servlet.xml, where you'll define the HessianServiceExporter.

The exporter will then be used to export your services, making them available to clients.

You can specify the URL where the service will be exported by using the BeanNameUrlHandlerMapping, which will automatically map the service to the URL based on its bean name.

For example, if you have a service called AccountService, it will be exported at the URL http://HOST:8080/remoting/AccountService.

A fresh viewpoint: When Will Mgm Be Back Online

Client Service Linkage is a crucial part of Hessian remoting.

To link in a service on the client, you can use the HessianProxyFactoryBean, which is similar to the RMI example. This allows you to create a separate bean factory or application context and define the necessary beans.

The HessianProxyFactoryBean enables you to link in the service by creating a separate context and defining the beans, such as the SimpleObject using the AccountService to manage accounts. This is a key principle in Hessian remoting.

In the client side, you need to configure Hessian based proxy bean factory, which is a requirement for Hessian remoting. This is different from RMI remoting, where you need to use Hessian related service exporter on the server side.

Here's an interesting read: Gemini 1.5 Pro 2m Context Window Google Cloud Platform

You can easily apply HTTP basic authentication to a service exposed through Hessian or Burlap because both protocols are HTTP-based.

This means you can leverage your normal HTTP server security mechanism, such as using web.xml security features.

Both Hessian and Burlap typically don't use per-user security credentials, but rather shared credentials defined at the Hessian/BurlapProxyFactoryBean level.

This is similar to how a JDBC DataSource is defined, making it a convenient and straightforward approach to security.

RMI has its drawbacks, including not being able to access objects through HTTP protocol unless you're tunneling the RMI traffic.

Each technology has its own set of limitations, so it's essential to consider your needs and the services you're exposing when making a choice.

RMI-JRMP is tied to Java clients, making it a Java-to-Java remoting solution.

Spring's HTTP invoker is a good choice if you need HTTP-based remoting and rely on Java serialization.

Hessian and Burlap can provide significant value in a heterogeneous environment, allowing for non-Java clients.

However, non-Java support is still limited, and known problems include the serialization of Hibernate objects with lazily initializing collections.

Consider using RMI or HTTP invokers instead of Hessian if you have such a data model.

JMS can be useful for providing clusters of services and load balancing, but by default, Java serialization is used.

EJB has an advantage over RMI in supporting standard role-based authentication and authorization and remote transaction propagation.

Related reading: Java Google Cloud Storage

When recording Hessian requests, you'll need to load the Java classes for the objects exchanged.

You'll also need to load the client interfaces for the called services. For more information, see Hessian.

Recording a Hessian request is a straightforward process.

To begin with, the binary data exchanged between the client and server passes through the recording proxy. This proxy is where the Hessian module comes into play, analyzing and decoding the requests as they travel through.

The Hessian module translates these requests into XML, which are then inserted into the project. Not all requests are recorded, however - only those with specific headers are captured. These headers include Content-Type: x-application/hessian and application/x-hessian.

To record a Hessian request, you need to change the Java client settings to use NeoLoad as a proxy. This involves launching NeoLoad and beginning a recording session. Since a standalone Java application doesn't require a browser, it's recommended to clear the Launch browser checkbox.

Here's a step-by-step guide to recording a Hessian request:

By following these steps, you should be able to capture the HTTP requests sent by the Java application in NeoLoad.

Spring Remoting is a powerful feature that allows you to expose your services over the network, making them accessible to clients. Spring provides several remoting techniques, including Remote Method Invocation (RMI), Spring's HTTP invoker, Hessian, and Burlap.

Here are the four remoting technologies supported by Spring:

Hessian is a lightweight binary HTTP-based protocol provided by Caucho, and Spring provides a wrapper for it, making it easy to use. Hessian is similar to Burlap, but it uses binary data instead of XML.

Apache Dubbo is a high-performance RPC framework that supports multiple serialization protocols, including Hessian and Java Serialization. It's worth noting that Dubbo has its own modified version of Hessian, which is used by default in some cases.

Dubbo's default Hessian2 protocol is similar to the general structure of Hessian, with a focus on binary data transmission. In particular, the MapDeserializer.readMap method in Dubbo's Hessian2 protocol is similar to Hessian's serialization mechanism.

When it comes to performance, Dubbo's Hessian2 protocol is generally faster than Java Serialization. This is because Hessian is a binary protocol, which reduces the overhead of data transmission compared to text-based protocols like Java Serialization.

Here's a comparison of the two protocols:

As you can see, Hessian2 is significantly faster than Java Serialization in terms of deserialization time, making it a better choice for high-performance applications.

Client Service Linkage is a crucial aspect of Spring Remoting. You can link in a service on the client using the HessianProxyFactoryBean, similar to the RMI example.

To do this, you'll create a separate bean factory or application context. This is where you'll mention the beans where the SimpleObject is using the AccountService to manage accounts.

The HessianProxyFactoryBean is the key to linking in the service at the client. You'll need to use it in the same way as with the RMI example.

In the client side, you'll need to include a Hessian based proxy bean factory. This is a requirement for Hessian remoting, as mentioned in the article.

The deserialization process is a crucial aspect of Spring Remoting. It's a complex process, but let's break it down.

Hessian deserialization typically uses Map type attributes, which triggers HashMap.put (key, value). This leads to a chain of events, including HashMap.putVal, key.hashCode, and key.equals.

The key.equals method is particularly interesting, as it can trigger a series of events, including BeanFactoryAspectInstanceFactory.getOrder, SimpleJndiBeanFactory.getType, and JndiTemplate.lookup.

Here are some common gadget chains that can be triggered during deserialization:

These chains can be quite complex, but they often rely on polymorphic characteristics, such as class attributes being of type Object. This allows attackers to set any class as a value, and then use the hash code and equals methods to trigger subsequent events.

To find these gadget chains, you can look for classes with hash code, equals, and readResolve methods. However, this can be a heavy workload, so some chain mining tools can be used to write rules and scan as needed.

Spring Remoting offers several techniques for achieving remoting, including Remote Method Invocation (RMI), Spring's HTTP invoker, Hessian, and Burlap.

Spring's RMI implementation uses RmiServiceExporter on the server side and RmiProxyFactoryBean on the client side.

Spring's HTTP invoker allows for Java serialization via HTTP, supporting any Java interface, using HttpInvokerProxyFactoryBean and HttpInvokerServiceExporter.

Hessian is a lightweight binary HTTP-based protocol provided by Caucho, with Spring providing support classes like HessianProxyFactoryBean and HessianServiceExporter.

Burlap is an XML-based protocol for remoting, similar to Hessian but using XML instead of binary data, with Spring providing support classes like BurlapProxyFactoryBean and BurlapServiceExporter.

Note that Burlap's support has been deprecated since Spring 4.0.

Here are the remoting technologies supported by Spring: