This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 4a903e2b8f3c Align dependencies with Spring Boot 4.1.0 (#23924)
4a903e2b8f3c is described below
commit 4a903e2b8f3c10014ded822d6fe5e08a65f638f0
Author: Federico Mariani <[email protected]>
AuthorDate: Thu Jun 11 21:08:12 2026 +0200
Align dependencies with Spring Boot 4.1.0 (#23924)
* Align dependencies with Spring Boot 4.1.0
Update spring-boot 4.0.6 -> 4.1.0 and align managed dependency
versions with the Spring Boot 4.1.0 BOM:
- spring-batch 6.0.3 -> 6.0.4
- spring-data-redis 4.0.5 -> 4.1.0
- spring-rabbitmq 4.0.3 -> 4.1.0
- spring-vault-core 4.0.2 -> 4.1.0
- netty 4.2.12 -> 4.2.15
- httpclient5 5.5.2 -> 5.6.1
- infinispan 16.0.13 -> 16.1.4
- infinispan-protostream 6.0.2 -> 6.0.7
- testcontainers 2.0.3 -> 2.0.5
Migrate infinispan-commons-test to infinispan-testing as the artifact
was removed in Infinispan 16.1.x.
* CAMEL-23375: Fix double gzip decompression with httpclient 5.6+
httpclient 5.6 no longer removes Content-Encoding headers after
auto-decompression. Read encoding from entity.getContentEncoding()
instead of the response header to avoid double-decompressing.
* CAMEL-23375: Fix double gzip decompression with httpclient 5.6+
httpclient 5.6 no longer removes Content-Encoding, Content-Length, and
Content-MD5 headers after auto-decompression. Strip them from the
response after executeMethod when the entity was auto-decompressed,
restoring the 5.5.2 invariant for all downstream code.
Also fix TLS hostname verification: httpclient 5.6 changed
DefaultClientTlsStrategy to use BOTH policy, enabling the JDK built-in
hostname check which runs before the custom verifier. Use
ClientTlsStrategyBuilder with CLIENT policy so NoopHostnameVerifier
actually disables verification.
---
.../apache/camel/component/http/HttpComponent.java | 24 +++++++++++--------
.../apache/camel/component/http/HttpProducer.java | 25 +++++++++++++++++---
.../http/LoggingHttpActivityListener.java | 9 ++++----
.../camel/component/http/HttpCompressionTest.java | 27 ++++++++++++++++++++++
.../camel-infinispan-embedded/pom.xml | 2 +-
.../InfinispanEmbeddedClusteredConsumerTest.java | 2 +-
.../camel-infinispan/camel-infinispan/pom.xml | 2 +-
.../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc | 24 +++++++++++++++++++
parent/pom.xml | 20 ++++++++--------
9 files changed, 106 insertions(+), 29 deletions(-)
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
index 755f6e564672..fdaba0e6828c 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java
@@ -24,6 +24,7 @@ import java.util.Map;
import java.util.Optional;
import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
import org.apache.camel.CamelContext;
import org.apache.camel.CamelContextAware;
@@ -62,8 +63,9 @@ import
org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import
org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
-import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
import org.apache.hc.core5.http.io.SocketConfig;
import org.apache.hc.core5.http.protocol.HttpContext;
@@ -604,14 +606,18 @@ public class HttpComponent extends HttpCommonComponent
implements RestProducerFa
HostnameVerifier x509HostnameVerifier,
SSLContextParameters sslContextParams, boolean useSystemProperties)
throws GeneralSecurityException, IOException {
- // create the TLS strategy to use
- if (sslContextParams != null) {
- return new
DefaultClientTlsStrategy(sslContextParams.createSSLContext(getCamelContext()),
x509HostnameVerifier);
- } else {
- return new DefaultClientTlsStrategy(
- useSystemProperties ? SSLContexts.createSystemDefault() :
SSLContexts.createDefault(),
- x509HostnameVerifier);
- }
+ SSLContext sslContext = sslContextParams != null
+ ? sslContextParams.createSSLContext(getCamelContext())
+ : (useSystemProperties ? SSLContexts.createSystemDefault() :
SSLContexts.createDefault());
+ // httpclient 5.6 changed DefaultClientTlsStrategy to use BOTH policy
by default,
+ // which enables the JDK built-in hostname check via SSLParameters in
addition to the
+ // custom verifier. Use CLIENT so only the configured verifier decides
— this restores
+ // the 5.5.2 behavior where NoopHostnameVerifier actually disables
verification.
+ return ClientTlsStrategyBuilder.create()
+ .setSslContext(sslContext)
+ .setHostnameVerifier(x509HostnameVerifier)
+ .setHostVerificationPolicy(HostnameVerificationPolicy.CLIENT)
+ .buildClassic();
}
protected HttpClientConnectionManager createConnectionManager(
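Review bot: `setHostVerificationPolicy(HostnameVerificationPolicy.CLIENT)` is applied unconditionally, so endpoints that keep the default verifier also lose the JDK endpoint-identification check, not only those that configure `NoopHostnameVerifier`. Consider choosing the policy from the verifier, e.g. `x509HostnameVerifier instanceof DefaultHostnameVerifier ? HostnameVerificationPolicy.BOTH : HostnameVerificationPolicy.CLIENT`, after confirming that both checks agree on the cases Camel users rely on. It is also worth confirming how the builder treats a null `x509HostnameVerifier` under `CLIENT`, since the hunk does not show whether it falls back to a default verifier or skips the check. The diffstat shows no test for the TLS change, and the method's signature begins above the hunk.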
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
index 8931a5607fa3..251f8ba23275 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/HttpProducer.java
@@ -71,6 +71,7 @@ import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HeaderElements;
import org.apache.hc.core5.http.HttpEntity;
import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpVersion;
import org.apache.hc.core5.http.io.HttpClientResponseHandler;
@@ -259,6 +260,10 @@ public class HttpProducer extends DefaultProducer
implements LineNumberAware {
if (LOG.isDebugEnabled()) {
LOG.debug("Http responseCode: {}",
responseCode);
}
+ // httpclient 5.6+ auto-decompresses but no longer
removes the stale
+ // Content-Encoding, Content-Length, and
Content-MD5 headers.
+ // Strip them here to restore the 5.5.2 invariant
for all downstream code.
+ removeStaleCompressionHeaders(httpResponse);
if (!throwException) {
// if we do not use failed exception then
populate response for all response codes
HttpProducer.this.populateResponse(exchange,
httpRequest, httpResponse, strategy, responseCode);
@@ -512,6 +517,21 @@ public class HttpProducer extends DefaultProducer
implements LineNumberAware {
return answer;
}
+ /**
+ * httpclient 5.6+ auto-decompresses response bodies but no longer strips
the stale Content-Encoding, Content-Length
+ * (compressed byte count), and Content-MD5 headers. Remove them here so
every downstream reader sees the same
+ * invariant as 5.5.2.
+ */
+ private static void removeStaleCompressionHeaders(ClassicHttpResponse
httpResponse) {
+ HttpEntity entity = httpResponse.getEntity();
+ if (entity != null && entity.getContentEncoding() == null
+ && httpResponse.containsHeader(Exchange.CONTENT_ENCODING)) {
+ httpResponse.removeHeaders(Exchange.CONTENT_ENCODING);
+ httpResponse.removeHeaders(Exchange.CONTENT_LENGTH);
+ httpResponse.removeHeaders(HttpHeaders.CONTENT_MD5);
+ }
+ }
+
/**
* Extracts the response from the method as a InputStream.
*/
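Review bot: The Javadoc on `removeStaleCompressionHeaders` does not say how auto-decompression is detected. The guard infers it from the entity reporting no content encoding while the response still carries a Content-Encoding header. I would add a sentence such as `Auto-decompression is inferred from entity.getContentEncoding() == null while the Content-Encoding header is still present; responses without an entity are left untouched.` The method also mixes `Exchange.CONTENT_ENCODING` and `Exchange.CONTENT_LENGTH` with `HttpHeaders.CONTENT_MD5`; using the `HttpHeaders` constants for all three would make it clear these are wire header names on the httpclient response.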
@@ -528,8 +548,7 @@ public class HttpProducer extends DefaultProducer
implements LineNumberAware {
return null;
}
- Header header =
httpResponse.getFirstHeader(HttpConstants.CONTENT_ENCODING);
- String contentEncoding = header != null ? header.getValue() : null;
+ String contentEncoding = entity.getContentEncoding();
final boolean gzipEncoding =
exchange.getProperty(Exchange.SKIP_GZIP_ENCODING, Boolean.FALSE, Boolean.class);
if (!gzipEncoding) {
@@ -537,7 +556,7 @@ public class HttpProducer extends DefaultProducer
implements LineNumberAware {
}
// Honor the character encoding
String contentType = null;
- header = httpResponse.getFirstHeader("content-type");
+ Header header = httpResponse.getFirstHeader("content-type");
if (header != null) {
contentType = header.getValue();
// find the charset and set it to the Exchange
diff --git
a/components/camel-http/src/main/java/org/apache/camel/component/http/LoggingHttpActivityListener.java
b/components/camel-http/src/main/java/org/apache/camel/component/http/LoggingHttpActivityListener.java
index 49cb945d92de..22a5645b3477 100644
---
a/components/camel-http/src/main/java/org/apache/camel/component/http/LoggingHttpActivityListener.java
+++
b/components/camel-http/src/main/java/org/apache/camel/component/http/LoggingHttpActivityListener.java
@@ -180,15 +180,16 @@ public class LoggingHttpActivityListener extends
ServiceSupport implements Camel
if (!accepted) {
lines.add("WARN: Cannot log HTTP body because the
body is binary");
} else {
- Header ce = request != null
+ Header reqCe = request != null
?
request.getHeader(HttpHeaders.CONTENT_ENCODING)
- :
response.getHeader(HttpHeaders.CONTENT_ENCODING);
+ : null;
+ String ce = reqCe != null ? reqCe.getValue() :
e.getContentEncoding();
ByteArrayOutputStream bos = new
ByteArrayOutputStream();
e.writeTo(bos);
String data;
- if (ce != null &&
GZIPHelper.isGzip(ce.getValue())) {
+ if (ce != null && GZIPHelper.isGzip(ce)) {
ByteArrayInputStream bis = new
ByteArrayInputStream(bos.toByteArray());
- InputStream is =
GZIPHelper.uncompressGzip(ce.getValue(), bis);
+ InputStream is = GZIPHelper.uncompressGzip(ce,
bis);
data = new String(is.readAllBytes());
IOHelper.close(is);
} else {
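Review bot: In the gzip branch `IOHelper.close(is)` runs only on the success path, so a corrupt or truncated gzip body that makes `is.readAllBytes()` throw leaves the stream unclosed. `new String(...)` also decodes with the platform default charset. A try-with-resources form covers both exits: `try (InputStream is = GZIPHelper.uncompressGzip(ce, bis)) { data = new String(is.readAllBytes(), charset); }`, with `charset` taken from the entity's content type if that is available here. The body is also inflated fully into memory just for logging, and no size cap is visible in the hunk, so a bound on the decompressed length would be prudent unless one is applied elsewhere. The enclosing method starts and ends outside the hunk.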
diff --git
a/components/camel-http/src/test/java/org/apache/camel/component/http/HttpCompressionTest.java
b/components/camel-http/src/test/java/org/apache/camel/component/http/HttpCompressionTest.java
index 85906a00a973..697861ab9d1d 100644
---
a/components/camel-http/src/test/java/org/apache/camel/component/http/HttpCompressionTest.java
+++
b/components/camel-http/src/test/java/org/apache/camel/component/http/HttpCompressionTest.java
@@ -105,6 +105,33 @@ public class HttpCompressionTest extends BaseHttpTest {
assertBody(out.getBody(String.class));
}
+ @Test
+ public void compressedHttpPostWithAutoDecompressionDisabled() {
+ HttpComponent http = context.getComponent("http", HttpComponent.class);
+ http.setContentCompressionDisabled(true);
+ try {
+ Exchange exchange = template.request(
+ "http://localhost:" + localServer.getLocalPort() + "/",
+ exchange1 -> {
+ exchange1.getIn().setHeader(Exchange.CONTENT_TYPE,
"text/plain");
+ exchange1.getIn().setHeader(Exchange.CONTENT_ENCODING,
"gzip");
+ exchange1.getIn().setBody(getBody());
+ });
+
+ assertNotNull(exchange);
+
+ Message out = exchange.getMessage();
+ assertNotNull(out);
+
+ Map<String, Object> headers = out.getHeaders();
+ assertEquals(HttpStatus.SC_OK,
headers.get(Exchange.HTTP_RESPONSE_CODE));
+
+ assertBody(out.getBody(String.class));
+ } finally {
+ http.setContentCompressionDisabled(false);
+ }
+ }
+
@Override
protected HttpProcessor getBasicHttpProcessor() {
List<HttpRequestInterceptor> requestInterceptors = new ArrayList<>();
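Review bot: `compressedHttpPostWithAutoDecompressionDisabled` asserts only the status code and the body, so nothing here pins the header state that `removeStaleCompressionHeaders` is meant to guarantee. An assertion on `headers.get(Exchange.CONTENT_ENCODING)` in this test and in the auto-decompression test would cover the change directly; the expected values need confirming against the actual behaviour. The `finally` block resets the shared `http` component to `false` rather than to its previous value. Capturing the prior setting before `setContentCompressionDisabled(true)` and restoring it would keep the test independent of the component's default.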
diff --git a/components/camel-infinispan/camel-infinispan-embedded/pom.xml
b/components/camel-infinispan/camel-infinispan-embedded/pom.xml
index efa68932742b..46de724d3053 100644
--- a/components/camel-infinispan/camel-infinispan-embedded/pom.xml
+++ b/components/camel-infinispan/camel-infinispan-embedded/pom.xml
@@ -99,7 +99,7 @@
</dependency>
<dependency>
<groupId>org.infinispan</groupId>
- <artifactId>infinispan-commons-test</artifactId>
+ <artifactId>infinispan-testing</artifactId>
<version>${infinispan-version}</version>
<scope>test</scope>
</dependency>
diff --git
a/components/camel-infinispan/camel-infinispan-embedded/src/test/java/org/apache/camel/component/infinispan/embedded/InfinispanEmbeddedClusteredConsumerTest.java
b/components/camel-infinispan/camel-infinispan-embedded/src/test/java/org/apache/camel/component/infinispan/embedded/InfinispanEmbeddedClusteredConsumerTest.java
index 97b3deb5face..4312b513000b 100644
---
a/components/camel-infinispan/camel-infinispan-embedded/src/test/java/org/apache/camel/component/infinispan/embedded/InfinispanEmbeddedClusteredConsumerTest.java
+++
b/components/camel-infinispan/camel-infinispan-embedded/src/test/java/org/apache/camel/component/infinispan/embedded/InfinispanEmbeddedClusteredConsumerTest.java
@@ -21,8 +21,8 @@ import java.util.concurrent.TimeUnit;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.infinispan.InfinispanConstants;
import org.apache.camel.component.mock.MockEndpoint;
-import org.infinispan.commons.test.TestResourceTracker;
import org.infinispan.distribution.MagicKey;
+import org.infinispan.testing.TestResourceTracker;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
diff --git a/components/camel-infinispan/camel-infinispan/pom.xml
b/components/camel-infinispan/camel-infinispan/pom.xml
index 3cedc7d86e37..fbbf79b81853 100644
--- a/components/camel-infinispan/camel-infinispan/pom.xml
+++ b/components/camel-infinispan/camel-infinispan/pom.xml
@@ -109,7 +109,7 @@
</dependency>
<dependency>
<groupId>org.infinispan</groupId>
- <artifactId>infinispan-commons-test</artifactId>
+ <artifactId>infinispan-testing</artifactId>
<version>${infinispan-version}</version>
<scope>test</scope>
</dependency>
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index 5e94871f03fe..58ab635be92f 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -2205,3 +2205,27 @@ is migrated to JSON the next time the metadata is
updated.
Because older versions cannot read the new JSON metadata, downgrading after
new key metadata has been
written is not supported.
+
+=== camel-http
+
+The `camel-http` component now requires Apache HttpClient 5.5 or later
(previously 5.4+). The
+`ClientTlsStrategyBuilder.buildClassic()` and `setHostVerificationPolicy()`
APIs used internally
+were introduced in HttpClient 5.5. Overriding the `httpclient5` version to
5.4.x or earlier will
+produce `NoSuchMethodError` at runtime.
+
+==== TLS hostname verification policy
+
+`camel-http` now explicitly uses `HostnameVerificationPolicy.CLIENT` when
constructing the TLS
+strategy. This means only the configured `x509HostnameVerifier` (defaulting to
+`DefaultHostnameVerifier`) decides whether a certificate matches the target
hostname. The JDK's
+built-in endpoint-identification check via
`SSLParameters.setEndpointIdentificationAlgorithm("https")`
+is not applied.
+
+This restores the behavior from HttpClient 5.5.2, where `NoopHostnameVerifier`
actually disabled
+hostname verification. HttpClient 5.6 changed the default to
`HostnameVerificationPolicy.BOTH`,
+which enables the JDK check alongside the custom verifier — making
`NoopHostnameVerifier` ineffective
+because the JDK check runs first and rejects mismatched certificates.
+
+The `CLIENT` policy is a deliberate choice: it preserves backward
compatibility and allows
+`NoopHostnameVerifier` to work as documented. A future release may add an
option to opt into the
+`BOTH` policy for defense-in-depth.
diff --git a/parent/pom.xml b/parent/pom.xml
index 48bff6668bd8..afc2b8b4f683 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -228,7 +228,7 @@
<mariadb-version>3.5.8</mariadb-version>
<mariadb4j-version>3.3.1</mariadb4j-version>
<httpcore-version>5.4.2</httpcore-version>
- <httpclient-version>5.5.2</httpclient-version>
+ <httpclient-version>5.6.1</httpclient-version>
<httpcore4-version>4.4.16</httpcore4-version>
<httpclient4-version>4.5.14</httpclient4-version>
<httpasyncclient-version>4.1.5</httpasyncclient-version>
@@ -244,8 +244,8 @@
<iggy-version>0.8.0</iggy-version>
<ignite-version>2.18.0</ignite-version>
<impsort-maven-plugin-version>1.13.0</impsort-maven-plugin-version>
- <infinispan-version>16.0.13</infinispan-version>
- <infinispan-protostream-version>6.0.2</infinispan-protostream-version>
+ <infinispan-version>16.1.4</infinispan-version>
+ <infinispan-protostream-version>6.0.7</infinispan-protostream-version>
<influx-java-driver-version>2.25</influx-java-driver-version>
<influx-client-java-driver-version>8.0.0</influx-client-java-driver-version>
<irclib-version>1.10</irclib-version>
@@ -396,7 +396,7 @@
<narayana-version>7.3.4.Final</narayana-version>
<neoscada-version>0.4.0</neoscada-version>
<neo4j-version>6.1.0</neo4j-version>
- <netty-version>4.2.12.Final</netty-version>
+ <netty-version>4.2.15.Final</netty-version>
<networknt-json-schema-validator-version>2.0.1</networknt-json-schema-validator-version>
<nimbus-jose-jwt>10.9.1</nimbus-jose-jwt>
<olingo2-version>2.0.13</olingo2-version>
@@ -483,13 +483,13 @@
<spock-version>2.4-groovy-5.0</spock-version>
<spring-ai-version>1.1.7</spring-ai-version>
<spring-cloud-config-version>5.0.3</spring-cloud-config-version>
- <spring-batch-version>6.0.3</spring-batch-version>
- <spring-boot-version>4.0.6</spring-boot-version>
- <spring-data-redis-version>4.0.5</spring-data-redis-version>
+ <spring-batch-version>6.0.4</spring-batch-version>
+ <spring-boot-version>4.1.0</spring-boot-version>
+ <spring-data-redis-version>4.1.0</spring-data-redis-version>
<spring-ldap-version>4.1.0</spring-ldap-version>
- <spring-vault-core-version>4.0.2</spring-vault-core-version>
+ <spring-vault-core-version>4.1.0</spring-vault-core-version>
<spring-version>7.0.8</spring-version>
- <spring-rabbitmq-version>4.0.3</spring-rabbitmq-version>
+ <spring-rabbitmq-version>4.1.0</spring-rabbitmq-version>
<spring-security-version>7.1.0</spring-security-version>
<spring-ws-version>5.0.2</spring-ws-version>
<sql-maven-plugin-version>3.0.0</sql-maven-plugin-version>
@@ -506,7 +506,7 @@
<stringtemplate-version>4.3.4</stringtemplate-version>
<tahu-version>1.0.19</tahu-version>
<tamboui-version>0.3.0</tamboui-version>
- <testcontainers-version>2.0.3</testcontainers-version>
+ <testcontainers-version>2.0.5</testcontainers-version>
<thymeleaf-version>3.1.5.RELEASE</thymeleaf-version>
<tika-version>3.3.1</tika-version>
<twilio-version>12.1.1</twilio-version>