[ 
https://issues.apache.org/jira/browse/CAMEL-18962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Claus Ibsen updated CAMEL-18962:
--------------------------------
    Summary: camel-as2 - AS2Consumer always accepts unencrypted/unsigned data  
(was: AS2Consumer always accepts unencrypted/unsigned data)

> camel-as2 - AS2Consumer always accepts unencrypted/unsigned data
> ----------------------------------------------------------------
>
>                 Key: CAMEL-18962
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18962
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-as2
>            Reporter: dennis lucero
>            Priority: Major
>
> When setting up an AS2Consumer (server), security is important. With that in mind, 
> AS2 should use encryption and signing to verify the incoming data before 
> processing it (or supplying the message for further processing). That assures 
> that the originator of the data is a trusted party.
> Camel AS2 consumer accepts encrypted and signed data and at least decryption 
> is working.
> *Problem*
> The problem is that the consumer also accepts unencrypted data. So even if I 
> only want to receive encrypted data from a trusted party, some third party 
> disguised as the trusted party could send a malicious unencrypted payload 
> and the server would just accept and process it.
> For example, sending plain data with the content type "application/edifact" is 
> always accepted.
> *Possible solution*
> The consumer should be configurable as to what content type is allowed. Also the 
> already existing producer-parameter "as2MessageStructure" may be used for 
> that purpose.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
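
One way to express the configurable check proposed in the issue, as an added example that is not camel-as2 code or part of the original report: the receiver declares which outer MIME structures it accepts and rejects everything else before processing. The class, enum and method names are hypothetical, and the sample headers are constructed.

```java
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

// Added illustration, not camel-as2 code; every name below is hypothetical.
public class InboundStructurePolicy {

    /** Outermost MIME layer that an inbound message claims in its Content-Type. */
    enum Outer { UNPROTECTED, SIGNED, ENCRYPTED }

    private final Set<Outer> allowed;

    InboundStructurePolicy(Set<Outer> allowed) {
        this.allowed = EnumSet.copyOf(allowed);
    }

    /** Classifies the outer Content-Type; anything unrecognised counts as unprotected. */
    static Outer classify(String contentType) {
        if (contentType == null) {
            return Outer.UNPROTECTED;
        }
        String[] parts = contentType.toLowerCase(Locale.ROOT).split(";");
        String mediaType = parts[0].trim();
        if (mediaType.equals("multipart/signed")) {
            return Outer.SIGNED;
        }
        if (mediaType.equals("application/pkcs7-mime")) {
            for (int i = 1; i < parts.length; i++) {
                // Normalise quoting and whitespace, e.g. smime-type="enveloped-data".
                String param = parts[i].replaceAll("[\\s\"]", "");
                if (param.equals("smime-type=enveloped-data")) {
                    return Outer.ENCRYPTED;
                }
            }
        }
        // Includes application/edifact and pkcs7-mime that is only compressed.
        return Outer.UNPROTECTED;
    }

    /** True only when the claimed outer layer is one the receiver has opted into. */
    boolean accepts(String contentType) {
        return allowed.contains(classify(contentType));
    }

    public static void main(String[] args) {
        InboundStructurePolicy encryptedOnly = new InboundStructurePolicy(EnumSet.of(Outer.ENCRYPTED));
        String[] samples = { // constructed sample headers
            "application/edifact",
            "multipart/signed; protocol=\"application/pkcs7-signature\"; boundary=\"b1\"",
            "application/pkcs7-mime; smime-type=enveloped-data; name=\"smime.p7m\"",
            "application/pkcs7-mime; smime-type=compressed-data" };
        for (String ct : samples) {
            System.out.println((encryptedOnly.accepts(ct) ? "ACCEPT " : "REJECT ") + ct);
        }
    }
}
```

The Content-Type only states what the sender claims; decryption and signature verification against the trusted partner's certificate must still succeed before the payload is handed on.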
