[
https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18068576#comment-18068576
]
Guillaume Nodet commented on CAMEL-23250:
-----------------------------------------
**Status Update — All Recommendations Addressed**
The PR (https://github.com/apache/camel/pull/22269) now covers all four
recommendations:
*1. Runtime warnings for insecure settings* — ✅ Implemented
The security policy framework detects and warns/fails at startup for all
tracked options (13 options across ssl, serialization, and dev categories).
Default policy is {{warn}}, configurable to {{fail}} or {{allow}}.
*2. Environment-aware enforcement* — ✅ Implemented
When {{camel.main.profile=prod}}, the global security policy automatically
defaults to {{fail}}, preventing startup with insecure configurations. Users
can override via {{camel.security.policy=warn}}. Dev/test profiles keep the
default {{warn}} behavior. This applies to Camel Main (standalone/JBang) only —
Spring Boot and Quarkus have their own profile mechanisms.
*3. Audit of all secret annotations* — ✅ Already covered
The existing {{UpdateSensitizeHelper}} Maven mojo systematically detects
secrets from {{@Metadata(secret=true)}} annotations across all components and
generates {{SensitiveUtils.java}} (89 unique patterns). This feeds into the
security policy enforcement.
*4. Consistent pattern for disable-security properties* — ✅ Implemented (with
intentional exclusions)
57+ components annotated with {{@UriParam(security=...)}} including all AWS,
Netty, JMS, Paho MQTT, Splunk, and Huawei Cloud components.
*Intentionally excluded from annotation:*
- Docker {{tlsVerify}}, Minio/Nats/Infinispan {{secure}} — these control
whether TLS is _used at all_ (transport choice), not whether verification is
_bypassed_. Flagging them would warn on every legitimate plain-HTTP connection
to internal services.
- MongoDB {{sslValidationEnabled}} — not a {{@UriParam}}-annotated
configuration property; it is on a programmatic helper class
({{SslAwareMongoClient}}) and cannot be tracked by the annotation framework.
_Claude Code on behalf of Guillaume Nodet_
> Warn or prevent plain-text secrets in configuration properties
> --------------------------------------------------------------
>
> Key: CAMEL-23250
> URL: https://issues.apache.org/jira/browse/CAMEL-23250
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: Guillaume Nodet
> Assignee: Guillaume Nodet
> Priority: Major
>
> Currently, Camel has a well-established pipeline for detecting and masking
> secret properties (via @Metadata(secret=true) and SensitiveUtils), but it
> only masks values in logs and console output. There is no mechanism to warn
> users when secrets are configured via plain-text properties instead of using
> secure alternatives like RAW(), vault references ({{vault:...}}), or
> environment variable placeholders (${env:...}).
> This improvement should:
> h3. 1. Warn on plain-text secrets
> *Log a warning at startup* when a secret property is set via plain-text (not
> RAW(), not {{vault:...}}, not ${env:...}). This could be added in
> MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
> h3. 2. Add a configuration flag
> Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
> whether warnings are emitted, allowing users to suppress them in development
> environments.
> h3. 3. Fix PropertiesDevConsole JSON output
> PropertiesDevConsole currently does *not mask secret values in JSON mode*
> (only masks in text mode), potentially exposing secrets via monitoring
> endpoints.
> h3. 4. Strict mode
> Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
> would fail startup if plain-text secrets are detected, for production
> hardening.
> h3. 5. Warn on development-only settings in production
> Beyond secrets, some configuration options are inherently unsafe for
> production use, such as:
> - *camel.ssl.selfSigned=true* — generates an ephemeral self-signed
> certificate (added in CAMEL-22497)
> - *camel.ssl.trustAllCertificates=true* — disables certificate validation
> These are not secrets (they are boolean flags) so @Metadata(secret=true) is
> not the right mechanism. Consider adding a new annotation attribute like
> @Metadata(label = "development") or @Metadata(warnInProduction = true) that
> would trigger a startup warning when these options are enabled in a
> non-development profile. This would catch cases where development settings
> are accidentally left in production configuration.
> Related: there are currently 143+ secret keys detected by SensitiveUtils. The
> detection infrastructure is solid - it just needs to be leveraged for
> prevention, not just masking.
> Key files:
> - core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
> (sensitiveAwareLogging)
> - core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
> - core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
> - core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
> (selfSigned, trustAllCertificates)
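Added example, not part of the Jira comment above and not Camel's own code: a standalone sketch of the startup check the issue and status update describe, flagging plain-text secrets and development-only SSL flags and applying the warn/fail/allow policy with the prod-profile default. The class name, the three-entry secret key set (a stand-in for the generated SensitiveUtils patterns), the simplified substring matching for RAW(), vault: and ${env: and the sample properties are all constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

public class SecurityPolicyCheck {
    // Constructed stand-in for the generated SensitiveUtils key set.
    static final Set<String> SECRET_KEYS = Set.of("password", "secretkey", "accesstoken");
    // Development-only flags named in the issue description.
    static final Set<String> INSECURE_FLAGS =
            Set.of("camel.ssl.selfSigned", "camel.ssl.trustAllCertificates");

    // A value is treated as protected when it uses one of the forms the issue lists.
    static boolean isProtected(String v) {
        return v.startsWith("RAW(") || v.contains("vault:") || v.contains("${env:");
    }

    static List<String> findViolations(Properties p) {
        List<String> out = new ArrayList<>();
        for (String key : p.stringPropertyNames()) {
            String value = p.getProperty(key).trim();
            String last = key.substring(key.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
            if (SECRET_KEYS.contains(last) && !value.isEmpty() && !isProtected(value)) {
                out.add("plain-text secret: " + key); // report the key, never the value
            } else if (INSECURE_FLAGS.contains(key) && Boolean.parseBoolean(value)) {
                out.add("insecure option enabled: " + key);
            }
        }
        out.sort(null); // natural ordering, for stable output
        return out;
    }

    // An explicit camel.security.policy wins; otherwise prod => fail, anything else => warn.
    static String effectivePolicy(Properties p) {
        String dflt = "prod".equals(p.getProperty("camel.main.profile")) ? "fail" : "warn";
        return p.getProperty("camel.security.policy", dflt);
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample configuration
        p.setProperty("camel.main.profile", "prod");
        p.setProperty("camel.component.jms.password", "hunter2");
        p.setProperty("camel.component.aws2-s3.secretKey", "${env:S3_SECRET}");
        p.setProperty("camel.ssl.trustAllCertificates", "true");
        List<String> violations = findViolations(p);
        String policy = effectivePolicy(p);
        if (!"allow".equals(policy)) violations.forEach(v -> System.err.println("WARN " + v));
        if ("fail".equals(policy) && !violations.isEmpty())
            throw new IllegalStateException(violations.size() + " security policy violation(s)");
    }
}
```

With the sample properties the prod profile selects fail, so the run logs two violations (the JMS password and trustAllCertificates) and aborts; adding camel.security.policy=warn to the sample downgrades that to warnings only.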