[
https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Guillaume Nodet updated CAMEL-23250:
------------------------------------
Description:
Add a security policy enforcement system that detects insecure configuration at
startup and warns or prevents the application from starting.
h3. Security Categories
|| Category || Description || Examples ||
| {{secret}} | Plain-text passwords/tokens not using secure placeholders | {{camel.ssl.keystorePassword=plaintext}} |
| {{insecure:ssl}} | Disabled certificate validation or hostname verification | {{trustAllCertificates=true}}, {{hostnameVerification=false}} |
| {{insecure:serialization}} | Dangerous deserialization of untrusted data | {{allowJavaSerializedObject=true}}, {{transferExchange=true}} |
| {{insecure:dev}} | Development-only features left enabled | {{devConsoleEnabled=true}}, {{uploadEnabled=true}} |
h3. Policy Levels
- *allow* — no warnings, silently allow the configuration
- *warn* — log a warning at startup (default for dev/test profiles)
- *fail* — throw an exception and prevent startup (default for prod profile)
h3. Features
# *Configurable policies* under {{camel.security.*}} namespace with global and per-category overrides
# *Profile-aware defaults*: {{camel.main.profile=prod}} automatically defaults to {{fail}} policy; users can override via {{camel.security.policy=warn}}
# *Property allowlist*: {{camel.security.allowedProperties}} to exclude specific properties from checks
# *Plain-text secret detection*: flags passwords/tokens not using {{RAW()}}, {{\{\{vault:...\}\}}}, {{$\{env:...\}}}, or {{\{\{...\}\}}} placeholders
# *Health check*: {{SecurityPolicyHealthCheck}} readiness check reports violations at runtime
# *Context plugin*: {{SecurityPolicyResult}} stores violations for programmatic access
# *Annotation-driven*: new {{security}} and {{insecureValue}} attributes on {{@UriParam}}, {{@Metadata}}, {{@UriPath}} — build tools auto-generate the tracking map
# *57+ components annotated* across AWS, Netty, JMS, Paho MQTT, Splunk, Huawei Cloud, core SSL
# *Documentation* in {{security.adoc}}
h3. Configuration Example
{code}
# Global policy (default: warn, or fail when profile=prod)
camel.security.policy = fail
# Per-category overrides
camel.security.secretPolicy = fail
camel.security.insecureSslPolicy = fail
camel.security.insecureDevPolicy = warn
# Allow specific properties
camel.security.allowedProperties = camel.component.aws2-s3.trustAllCertificates
{code}
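The following is an added example, not code from the Camel PR or from the issue author. It models the startup check the categories, policy levels, features and configuration example above describe: parse a properties snippet, classify violations by category, resolve the effective policy (profile-aware default, global key, per-category override, allowlist) and split the result into warnings and startup failures. The {{INSECURE_OPTIONS}} map is a constructed stand-in for the annotation-generated tracking map and matches on the option name only; the secret-key suffix list is a small stand-in for the {{SensitiveUtils}} list; the sample properties and the {{\{\{vault:...\}\}}} value are constructed. Categories without a per-category key named in the issue (serialization) fall back to the global policy here.

```python
"""Added example (not Camel's code): a model of the startup security-policy check."""
import re
from dataclasses import dataclass

# Constructed stand-in for the annotation-generated tracking map:
# option name (last segment of the property key) -> (category, insecure value).
# The option names are the ones quoted in the issue's category table.
INSECURE_OPTIONS = {
    "trustAllCertificates": ("insecure:ssl", "true"),
    "hostnameVerification": ("insecure:ssl", "false"),
    "allowJavaSerializedObject": ("insecure:serialization", "true"),
    "transferExchange": ("insecure:serialization", "true"),
    "devConsoleEnabled": ("insecure:dev", "true"),
    "uploadEnabled": ("insecure:dev", "true"),
}

# Small stand-in for the secret-key list SensitiveUtils maintains.
SECRET_SUFFIXES = ("password", "passphrase", "secret", "token", "accesskey", "secretkey")

# Values that are secure placeholders rather than literal secrets:
# RAW(...), {{vault:...}} or any other {{...}} placeholder, and ${env:...}.
PLACEHOLDER = re.compile(r"^(RAW\(.*\)|\{\{.*\}\}|\$\{env:[^}]*\})$", re.DOTALL)

# Per-category override keys named in the issue; other categories use the global key.
CATEGORY_POLICY_KEY = {
    "secret": "camel.security.secretPolicy",
    "insecure:ssl": "camel.security.insecureSslPolicy",
    "insecure:dev": "camel.security.insecureDevPolicy",
}


@dataclass(frozen=True)
class Violation:
    category: str
    property: str
    message: str


def parse_properties(text):
    """Minimal properties-file parser: '#' comments, 'key = value' lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_secret_key(name):
    return name.rsplit(".", 1)[-1].lower().endswith(SECRET_SUFFIXES)


def is_secure_placeholder(value):
    return PLACEHOLDER.match(value.strip()) is not None


def resolve_policy(config, category):
    """Effective level: per-category key > global key > profile-aware default."""
    profile_default = "fail" if config.get("camel.main.profile") == "prod" else "warn"
    global_policy = config.get("camel.security.policy", profile_default)
    key = CATEGORY_POLICY_KEY.get(category)
    return config.get(key, global_policy) if key else global_policy


def detect_violations(config):
    """Classify every non-allowlisted property into the issue's categories."""
    allowed = {p.strip() for p in config.get("camel.security.allowedProperties", "").split(",")}
    found = []
    for name, value in config.items():
        if name.startswith("camel.security.") or name in allowed:
            continue
        option = name.rsplit(".", 1)[-1]
        if option in INSECURE_OPTIONS:
            category, insecure_value = INSECURE_OPTIONS[option]
            if value.lower() == insecure_value:
                found.append(Violation(category, name, f"{name}={value} is an insecure setting"))
        elif is_secret_key(name) and not is_secure_placeholder(value):
            found.append(Violation("secret", name, f"{name} is configured as a plain-text secret"))
    return found


def enforce(config):
    """Split detected violations into (warnings, failures) by effective policy."""
    warnings, failures = [], []
    for v in detect_violations(config):
        level = resolve_policy(config, v.category)
        if level == "warn":
            warnings.append(v)
        elif level == "fail":
            failures.append(v)
        # "allow": accepted silently
    return warnings, failures


def check_startup(config):
    """What a startup hook does with the result: log warnings, abort on failures."""
    warnings, failures = enforce(config)
    for v in warnings:
        print(f"WARN  [{v.category}] {v.message}")
    if failures:
        raise RuntimeError("; ".join(f"[{v.category}] {v.message}" for v in failures))
    return warnings


# Constructed sample: the issue's configuration example plus a few properties.
SAMPLE_PROPERTIES = """
camel.main.profile = prod
camel.security.policy = fail
camel.security.secretPolicy = fail
camel.security.insecureSslPolicy = fail
camel.security.insecureDevPolicy = warn
camel.security.allowedProperties = camel.component.aws2-s3.trustAllCertificates
camel.ssl.keystorePassword = plaintext
camel.component.aws2-s3.trustAllCertificates = true
camel.main.devConsoleEnabled = true
camel.component.jms.password = {{vault:jms-password}}
camel.component.aws2-s3.secretKey = ${env:AWS_SECRET_KEY}
"""

if __name__ == "__main__":
    check_startup(parse_properties(SAMPLE_PROPERTIES))
```

Run against the sample, the allowlisted {{aws2-s3.trustAllCertificates}} is skipped, the two placeholder-backed secrets pass, {{devConsoleEnabled=true}} is logged as a warning under the per-category {{warn}} override, and the plain-text keystore password fails startup because the secret category resolves to {{fail}}.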
h3. Key Files
- {{core/camel-util/.../SecurityUtils.java}} — detection logic and auto-generated security options map
- {{core/camel-util/.../SecurityViolation.java}} — shared violation record
- {{core/camel-main/.../SecurityConfigurationProperties.java}} — policy configuration
- {{core/camel-main/.../ProfileConfigurer.java}} — profile-aware defaults
- {{core/camel-main/.../SecurityPolicyResult.java}} — context plugin for runtime access
- {{core/camel-health/.../SecurityPolicyHealthCheck.java}} — readiness health check
- {{docs/user-manual/.../security.adoc}} — documentation
PR: https://github.com/apache/camel/pull/22269
was:
Currently, Camel has a well-established pipeline for detecting and masking
secret properties (via @Metadata(secret=true) and SensitiveUtils), but it only
masks values in logs and console output. There is no mechanism to warn users
when secrets are configured via plain-text properties instead of using secure
alternatives like RAW(), vault references ({{vault:...}}), or environment
variable placeholders (${env:...}).
This improvement should:
h3. 1. Warn on plain-text secrets
*Log a warning at startup* when a secret property is set via plain-text (not
RAW(), not {{vault:...}}, not ${env:...}). This could be added in
MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
h3. 2. Add a configuration flag
Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
whether warnings are emitted, allowing users to suppress them in development
environments.
h3. 3. Fix PropertiesDevConsole JSON output
PropertiesDevConsole currently does *not mask secret values in JSON mode* (only
masks in text mode), potentially exposing secrets via monitoring endpoints.
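Added example, not Camel's {{PropertiesDevConsole}} code: a renderer in the defective shape described above (masking applied in the text branch only, so JSON output leaks) beside the fixed shape (mask the property map once, then pick the output format). The suffix-based secret detection, the mask string and the sample properties are constructed assumptions.

```python
"""Added example (not Camel's code): masking secrets before any output format is chosen."""
import json

SECRET_SUFFIXES = ("password", "passphrase", "secret", "token", "accesskey", "secretkey")
MASK = "xxxxxx"  # constructed mask string


def is_secret_key(name):
    return name.rsplit(".", 1)[-1].lower().endswith(SECRET_SUFFIXES)


def mask_properties(props):
    """Return a copy with every secret-bearing value replaced by MASK."""
    return {k: (MASK if is_secret_key(k) else v) for k, v in props.items()}


def render_before(props, mode):
    """Defective shape: masking lives inside the text branch only."""
    if mode == "json":
        return json.dumps(props, sort_keys=True)  # JSON branch leaks secrets
    return "\n".join(f"{k} = {MASK if is_secret_key(k) else v}" for k, v in sorted(props.items()))


def render(props, mode):
    """Fixed shape: mask at the data layer, then pick the output format."""
    safe = mask_properties(props)
    if mode == "json":
        return json.dumps(safe, sort_keys=True)
    return "\n".join(f"{k} = {v}" for k, v in sorted(safe.items()))


def leaked_secrets(props, output):
    """Secret values that appear verbatim in rendered output (self-check)."""
    return [k for k, v in props.items() if is_secret_key(k) and v in output]


# Constructed sample properties.
SAMPLE = {
    "camel.main.name": "orders",
    "camel.ssl.keystorePassword": "hunter2",
    "camel.component.jms.password": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    print(render(SAMPLE, "text"))
    print(render(SAMPLE, "json"))
```

Applying the mask to the data before either branch means any output mode added later (CSV, a new endpoint) inherits the protection instead of needing its own masking call.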
h3. 4. Strict mode
Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
would fail startup if plain-text secrets are detected, for production hardening.
h3. 5. Warn on development-only settings in production
Beyond secrets, some configuration options are inherently unsafe for production
use, such as:
- *camel.ssl.selfSigned=true* — generates an ephemeral self-signed certificate (added in CAMEL-22497)
- *camel.ssl.trustAllCertificates=true* — disables certificate validation
These are not secrets (they are boolean flags) so @Metadata(secret=true) is not
the right mechanism. Consider adding a new annotation attribute like
@Metadata(label = "development") or @Metadata(warnInProduction = true) that
would trigger a startup warning when these options are enabled in a
non-development profile. This would catch cases where development settings are
accidentally left in production configuration.
Related: there are currently 143+ secret keys detected by SensitiveUtils. The
detection infrastructure is solid - it just needs to be leveraged for
prevention, not just masking.
Key files:
- core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java (sensitiveAwareLogging)
- core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
- core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
- core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java (selfSigned, trustAllCertificates)
Summary: Security policy enforcement for insecure configuration at
startup (was: Warn or prevent plain-text secrets in configuration properties)
> Security policy enforcement for insecure configuration at startup
> -----------------------------------------------------------------
>
> Key: CAMEL-23250
> URL: https://issues.apache.org/jira/browse/CAMEL-23250
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: Guillaume Nodet
> Assignee: Guillaume Nodet
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)