
CAMEL-23250: Security policy enforcement with profile-aware defaults #22269

Open
gnodet wants to merge 7 commits into main from CAMEL-23250-security-policy-enforcement


@gnodet gnodet commented Mar 26, 2026

Summary

Built-in security policy enforcement that detects insecure configuration at startup and either warns or prevents the application from starting.

  • 4 security categories: secret (plain-text passwords), insecure:ssl (disabled cert verification), insecure:serialization (Java object deserialization), insecure:dev (dev-only features in prod)
  • 3 policy levels: allow (silent), warn (log, default), fail (block startup)
  • Profile-aware: prod profile auto-sets policy=fail; dev profile auto-sets insecureDevPolicy=allow
  • Per-category overrides: e.g. camel.security.insecureSslPolicy=allow while global is fail
  • Allowlist: exempt specific properties via camel.security.allowedProperties
  • Health check: exposes violations via Camel health check API (DOWN for fail-level only, UP with details for warn-level)
  • Programmatic API: SecurityPolicyResult accessible as a CamelContext plugin
  • Design proposal: proposals/security.adoc — full design doc for the security framework

Commit structure (for easier review)

  1. b0834ac Fix missing secret=true annotations — CyberArk authToken, IBM Event Streams eventStreamUsername/eventStreamPassword (2 files)
  2. 5c89a07 Security policy enforcement framework — all new classes, tooling, component annotations, tests, docs (90 files)
  3. ca52d14 Regenerate catalog and generated files — JSON metadata and endpoint DSL (423 files, reviewers can skip this commit)
  4. bfff8e6 Add security design proposal and update AGENTS.md: proposals/security.adoc design doc + area-to-proposal mapping in AGENTS.md/CLAUDE.md
  5. 54ffc82 Fix generated main.adoc — remove stale {zwsp} markers
  6. 2674828 Address review findings — carry policy in violations, RAW() as insecure, case-insensitive policy, health check fix, dev profile defaults, missing annotations on netty/activemq/aggregation repos, expanded tests (42 total), doc fixes

Key files to review

Framework core:

Design proposal:

Tooling (annotation → generated map pipeline):

Health check:

Tests & docs:

Test plan

  • 32 unit tests in MainSecurityPolicyTest (all policy levels, categories, overrides, profiles, case-insensitivity, multiple violations, policy carried in violations)
  • 10 unit tests in SecurityUtilsTest (plain-text detection, getSecurityOption, isInsecureValue, detectViolations, allowed keys, null handling)
  • Build succeeds with mvn install -B -pl core/camel-main -DskipTests -am
  • All tests pass with mvn test -B -pl core/camel-main -Dtest=MainSecurityPolicyTest
  • All tests pass with mvn test -B -pl core/camel-util -Dtest=SecurityUtilsTest
  • Generated files are up to date (no uncommitted changes after build)
  • Code formatted with mvn formatter:format impsort:sort

Follow-up ideas

Findings from a security audit that are not covered by this PR but could be addressed in follow-up tickets:

Near-term

  1. Infinispan deserialization filter: DefaultExchangeHolderUtils uses ClassLoadingAwareObjectInputStream without JEP-290 setObjectInputFilter(). Should add the same default filter (java.**;org.apache.camel.**;!*) used by SQL/LevelDB/Cassandra/Consul stores.

  2. TLS protocol version filtering — Splunk and Paho MQTT expose SSLv3/TLSv1 in their protocol enums. The global SSLContextParameters default filtering only excludes SSL.* regex. Consider also excluding TLSv1 and TLSv1.1 by default.

Medium-term

  1. FIPS compliance category — The framework already supports arbitrary categories via resolvePolicy()'s default → null fallback. Adding insecure:fips requires annotating non-FIPS algorithms and adding a fipsPolicy field to SecurityConfigurationProperties.

  2. SSRF mitigation — Add an optional URI whitelist mechanism for toD/recipientList dynamic routing.

  3. Expression language sandboxing — OGNL, Groovy, MVEL, SpEL all allow arbitrary code execution. Not config-level (the framework can't catch this), but documenting the risk in security.adoc would help users make informed choices.

Low priority

  1. HTTP header CRLF validation — Add header value sanitization in camel-http-common to prevent header injection.

  2. MongoDB trust-all TrustManager: SslAwareMongoClient hardcodes a trust-all TrustManager. Not trackable by the annotation framework since it's programmatic, not a @UriParam.
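
A model of the policy resolution described in the Summary above, added here as an example; it is not code from this PR or from Apache Camel. The class `PolicyModel`, the `example.*` property names and the precedence order (explicit per-category option, then the dev-profile default, then the explicit global policy, then the profile's global default) are assumptions, and `allowedProperties` is treated as an exact-match set.

```java
import java.util.*;

public class PolicyModel {
    enum Policy { ALLOW, WARN, FAIL }
    record Violation(String property, String category, Policy policy) {}

    // Case-insensitive parsing: FAIL, Warn and allow are all accepted.
    static Policy parse(String s) { return Policy.valueOf(s.trim().toUpperCase(Locale.ROOT)); }

    // Only the two per-category options named in the PR text are modelled.
    static final Map<String, String> OVERRIDE_KEY = Map.of(
            "insecure:ssl", "insecureSslPolicy",
            "insecure:dev", "insecureDevPolicy");

    // Assumed precedence: category option, dev default, global option, profile default.
    static Policy effective(String category, String profile, Map<String, String> cfg) {
        String key = OVERRIDE_KEY.get(category);
        if (key != null && cfg.containsKey(key)) return parse(cfg.get(key));
        if ("dev".equals(profile) && "insecure:dev".equals(category)) return Policy.ALLOW;
        if (cfg.containsKey("policy")) return parse(cfg.get("policy"));
        return "prod".equals(profile) ? Policy.FAIL : Policy.WARN;
    }

    // findings maps property name -> category; allowlisted properties are skipped.
    static List<Violation> evaluate(Map<String, String> findings, String profile,
                                    Map<String, String> cfg, Set<String> allowed) {
        List<Violation> out = new ArrayList<>();
        findings.forEach((property, category) -> {
            Policy p = effective(category, profile, cfg);
            if (p != Policy.ALLOW && !allowed.contains(property)) out.add(new Violation(property, category, p));
        });
        return out;
    }

    // Health is DOWN only when a fail-level violation exists; warn-level stays UP.
    static String health(List<Violation> v) {
        return v.stream().anyMatch(x -> x.policy() == Policy.FAIL) ? "DOWN" : "UP";
    }

    public static void main(String[] args) {
        Map<String, String> findings = new LinkedHashMap<>(); // constructed sample findings
        findings.put("example.password", "secret");
        findings.put("example.trustAll", "insecure:ssl");
        findings.put("example.devConsole", "insecure:dev");
        List<Violation> prod = evaluate(findings, "prod", Map.of("insecureSslPolicy", "Allow"), Set.of());
        System.out.println("prod: " + prod + " health=" + health(prod));
        List<Violation> dev = evaluate(findings, "dev", Map.of(), Set.of("example.password"));
        System.out.println("dev: " + dev + " health=" + health(dev));
    }
}
```

With the prod profile the secret and dev findings resolve to FAIL and health is DOWN, while the SSL finding is suppressed by its override; with the dev profile only the SSL finding remains, at WARN, and health stays UP.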

@gnodet gnodet requested review from davsclaus and oscerd March 26, 2026 00:46
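
The JEP-290 filter pattern quoted in the first near-term follow-up, applied to a plain `ObjectInputStream`; this is an added example, not code from this PR or from Apache Camel. The class `FilterDemo` and its nested `Untrusted` type are constructed for illustration, and Camel's `ClassLoadingAwareObjectInputStream` is not used here.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class FilterDemo {
    // Constructed stand-in for a class outside the allowed packages.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
        String value = "x";
    }

    // Pattern quoted in the PR description: allow java.** and
    // org.apache.camel.**, reject every other class.
    static final String PATTERN = "java.**;org.apache.camel.**;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed before the first readObject() call.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A java.util payload matches java.** and is deserialized normally.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readFiltered(serialize(ok)));

        // A class outside the allowed packages hits the trailing !* and is
        // rejected before any of its fields are read.
        try {
            readFiltered(serialize(new Untrusted()));
            System.out.println("unexpected: Untrusted was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```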
@github-actions

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using build-all, build-dependents, skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@gnodet gnodet marked this pull request as draft March 26, 2026 06:24
@gnodet gnodet changed the title from "CAMEL-23250: Warn or prevent plain-text secrets and insecure configuration" to "CAMEL-23250: Security policy enforcement with profile-aware defaults" Mar 26, 2026
@gnodet gnodet marked this pull request as ready for review March 27, 2026 07:43
gnodet and others added 2 commits March 27, 2026 09:53
- CyberArkVaultConfiguration: mark authToken as secret
- IBMSecretsManagerVaultConfiguration: mark eventStreamUsername and
  eventStreamPassword as secret

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a built-in security policy enforcement mechanism that detects
insecure configuration at startup and either warns or prevents the
application from starting, depending on the configured policy.

Framework components:
- SecurityUtils and SecurityViolation in camel-util for detection logic
- SecurityConfigurationProperties for camel.security.* configuration
- SecurityPolicyResult as a CamelContext plugin for runtime access
- SecurityPolicyHealthCheck for health monitoring
- Profile-aware defaults: prod profile auto-sets policy=fail
- security attribute on @UriParam/@UriPath/@Metadata annotations
- Tooling support to generate security options map from annotations

Security categories: secret, insecure:ssl, insecure:serialization,
insecure:dev. Policy levels: allow, warn (default), fail.

Annotated 60+ component options across AWS, Huawei, JMS, Netty,
HTTP, Splunk, Paho, and other components with security categories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet gnodet force-pushed the CAMEL-23250-security-policy-enforcement branch from 8da3b9c to c25dd5c Compare March 27, 2026 08:55
Regenerated component JSON metadata, endpoint DSL factories, and
catalog resources to reflect the new security annotations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet gnodet force-pushed the CAMEL-23250-security-policy-enforcement branch from c25dd5c to ca52d14 Compare March 27, 2026 09:23
gnodet and others added 4 commits March 27, 2026 16:44
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- SecurityViolation now carries effective policy from detection phase
- RAW() no longer treated as secure (it's a URI encoding wrapper, not security)
- Policy validation is case-insensitive (FAIL/Warn/allow all accepted)
- Health check: DOWN only for fail-level violations, UP for warn-level
- Dev profile auto-defaults insecureDevPolicy=allow
- Add missing security annotations: netty (transferExchange, allowSerializedHeaders),
  activemq/activemq6 (trustAllPackages), 11 aggregation repositories (allowSerializedHeaders)
- Forward-compatible collectSecretOption (also checks security="secret")
- Add @since 4.19.0 to public API classes
- Comprehensive unit tests for SecurityUtils (10 tests) and expanded MainSecurityPolicyTest (32 tests)
- Fix docs: RAW() note, ${sys:} escape, proposals health check status

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>