[ https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated CAMEL-23250:
------------------------------------
    Description: 
Add a security policy enforcement system that detects insecure configuration at 
startup and warns or prevents the application from starting.

h3. Security Categories

|| Category || Description || Examples ||
| {{secret}} | Plain-text passwords/tokens not using secure placeholders | {{camel.ssl.keystorePassword=plaintext}} |
| {{insecure:ssl}} | Disabled certificate validation or hostname verification | {{trustAllCertificates=true}}, {{hostnameVerification=false}} |
| {{insecure:serialization}} | Dangerous deserialization of untrusted data | {{allowJavaSerializedObject=true}}, {{transferExchange=true}} |
| {{insecure:dev}} | Development-only features left enabled | {{devConsoleEnabled=true}}, {{uploadEnabled=true}} |

h3. Policy Levels

- *allow* — no warnings, silently allow the configuration
- *warn* — log a warning at startup (default for dev/test profiles)
- *fail* — throw an exception and prevent startup (default for prod profile)

h3. Features

# *Configurable policies* under {{camel.security.*}} namespace with global and 
per-category overrides
# *Profile-aware defaults*: {{camel.main.profile=prod}} automatically defaults 
to {{fail}} policy; users can override via {{camel.security.policy=warn}}
# *Property allowlist*: {{camel.security.allowedProperties}} to exclude 
specific properties from checks
# *Plain-text secret detection*: flags passwords/tokens not using {{RAW()}}, 
{{\{\{vault:...\}\}}}, {{$\{env:...\}}}, or {{\{\{...\}\}}} placeholders
# *Health check*: {{SecurityPolicyHealthCheck}} readiness check reports 
violations at runtime
# *Context plugin*: {{SecurityPolicyResult}} stores violations for programmatic 
access
# *Annotation-driven*: new {{security}} and {{insecureValue}} attributes on 
{{@UriParam}}, {{@Metadata}}, {{@UriPath}} — build tools auto-generate the 
tracking map
# *Build-time validation*: {{BaseOptionModel.setSecurity()}} validates 
categories at build time — typos cause an immediate error
# *73 component files annotated* with {{insecure:ssl}}, 
{{insecure:serialization}}, {{insecure:dev}} categories
# *Documentation* in {{proposals/security.adoc}}

h3. Configuration Example

{code}
# Global policy (default: warn, or fail when profile=prod)
camel.security.policy = fail

# Per-category overrides
camel.security.secretPolicy = fail
camel.security.insecureSslPolicy = fail
camel.security.insecureDevPolicy = warn

# Allow specific properties
camel.security.allowedProperties = camel.component.aws2-s3.trustAllCertificates
{code}
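The following is an added example, not code from the issue or from the Camel PR: a small Python model of the enforcement flow described in the feature list (profile-aware defaults, global and per-category policies, the property allowlist, and plain-text secret detection against the accepted placeholder forms), run over the configuration example above plus a few constructed component options. The class and function names, the hand-written option map (a stand-in for the map Camel's build tools generate from the annotations), the secret-name heuristic and the {{camel.security.insecureSerializationPolicy}} key are assumptions; only the {{camel.security.*}} keys shown above, the categories and the policy levels come from the issue.

```python
"""Startup security-policy check modelled on CAMEL-23250 (added illustration,
not Camel's own code: the names and the hand-written option map below are
assumptions standing in for the map Camel's build tools generate from
@UriParam(security=...); property names, categories and levels come from the issue)."""
import re
from dataclasses import dataclass

# Option name -> (category, value that makes it insecure); constructed stand-in
# for the auto-generated tracking map, mirroring the issue's table.
INSECURE_OPTIONS = {
    "trustAllCertificates": ("insecure:ssl", "true"),
    "hostnameVerification": ("insecure:ssl", "false"),
    "allowJavaSerializedObject": ("insecure:serialization", "true"),
    "transferExchange": ("insecure:serialization", "true"),
    "devConsoleEnabled": ("insecure:dev", "true"),
    "uploadEnabled": ("insecure:dev", "true"),
}
# Assumed name heuristic for secrets; Camel marks them on the annotation instead.
SECRET_NAME = re.compile(r"password|passphrase|secret|token|accesskey", re.I)
# Placeholder forms the issue accepts: RAW(), {{vault:...}}, ${env:...}, {{...}}.
SAFE_PLACEHOLDER = re.compile(r"^(RAW\(.*\)|\{\{.*\}\}|\$\{env:.*\})$")
# Per-category override keys; the serialization one is assumed by analogy.
CATEGORY_POLICY_KEY = {
    "secret": "camel.security.secretPolicy",
    "insecure:ssl": "camel.security.insecureSslPolicy",
    "insecure:serialization": "camel.security.insecureSerializationPolicy",
    "insecure:dev": "camel.security.insecureDevPolicy",
}

@dataclass(frozen=True)
class Violation:
    category: str
    key: str
    message: str

def parse_properties(text):
    """Minimal key = value parser for the properties snippets shown in the issue."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective_policy(props, category):
    """Profile default -> global camel.security.policy -> per-category override."""
    default = "fail" if props.get("camel.main.profile") == "prod" else "warn"
    global_policy = props.get("camel.security.policy", default)
    return props.get(CATEGORY_POLICY_KEY[category], global_policy)

def check(props):
    """Return every violation found, before any policy is applied."""
    allowed = {p.strip() for p in props.get("camel.security.allowedProperties", "").split(",")}
    violations = []
    for key, value in props.items():
        # Skip the policy keys (secretPolicy would look like a secret) and the allowlist.
        if key.startswith("camel.security.") or key in allowed:
            continue
        option = key.rsplit(".", 1)[-1]
        if option in INSECURE_OPTIONS:
            category, insecure_value = INSECURE_OPTIONS[option]
            if value.lower() == insecure_value:
                violations.append(Violation(category, key, f"{option}={value} disables a safety control"))
        elif SECRET_NAME.search(option) and not SAFE_PLACEHOLDER.match(value):
            violations.append(Violation("secret", key, "plain-text secret; use a placeholder"))
    return violations

def enforce(props):
    """Split violations into (warnings, failures); 'allow' drops them, any failure blocks startup."""
    warnings, failures = [], []
    for v in check(props):
        policy = effective_policy(props, v.category)
        if policy == "fail":
            failures.append(v)
        elif policy == "warn":
            warnings.append(v)
    return warnings, failures

# Constructed sample: the issue's configuration example plus a few component
# options, run under the prod profile.
SAMPLE_CONFIG = """
camel.main.profile = prod
camel.security.policy = fail
camel.security.secretPolicy = fail
camel.security.insecureSslPolicy = fail
camel.security.insecureDevPolicy = warn
camel.security.allowedProperties = camel.component.aws2-s3.trustAllCertificates
camel.ssl.keystorePassword = plaintext
camel.component.aws2-s3.trustAllCertificates = true
camel.component.http.hostnameVerification = false
camel.component.jms.transferExchange = true
camel.main.devConsoleEnabled = true
camel.component.aws2-s3.secretKey = ${env:AWS_SECRET_KEY}
"""

# (warnings, failures) for the sample: the dev console only warns, while the
# plain-text keystore password, the disabled hostname check and transferExchange
# all fail under the prod profile; the allowlisted aws2-s3 option is skipped.
RESULT = enforce(parse_properties(SAMPLE_CONFIG))
```

With the sample above, {{RESULT}} holds one warning ({{camel.main.devConsoleEnabled}}, because {{insecureDevPolicy=warn}} overrides the global {{fail}}) and three failures; {{transferExchange}} fails through the global policy because no per-category key is set for serialization, and {{secretKey}} passes because its value is an {{${env:...}}} placeholder. The ordering of precedence (profile default, then {{camel.security.policy}}, then the per-category key) is the part worth checking in any real deployment: a per-category {{warn}} silently weakens a prod {{fail}} for that category.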

h3. Follow-up Work

# Add {{security = "secret"}} to all remaining {{secret = true}} parameters 
(~144 component files)
# Camel Spring Boot — auto-configuration for {{camel.security.*}} properties
# Camel Quarkus — integration for {{camel.security.*}} properties

PR: https://github.com/apache/camel/pull/22269

  was:
Add a security policy enforcement system that detects insecure configuration at 
startup and warns or prevents the application from starting.

h3. Security Categories

|| Category || Description || Examples ||
| {{secret}} | Plain-text passwords/tokens not using secure placeholders | {{camel.ssl.keystorePassword=plaintext}} |
| {{insecure:ssl}} | Disabled certificate validation or hostname verification | {{trustAllCertificates=true}}, {{hostnameVerification=false}} |
| {{insecure:serialization}} | Dangerous deserialization of untrusted data | {{allowJavaSerializedObject=true}}, {{transferExchange=true}} |
| {{insecure:dev}} | Development-only features left enabled | {{devConsoleEnabled=true}}, {{uploadEnabled=true}} |

h3. Policy Levels

- *allow* — no warnings, silently allow the configuration
- *warn* — log a warning at startup (default for dev/test profiles)
- *fail* — throw an exception and prevent startup (default for prod profile)

h3. Features

# *Configurable policies* under {{camel.security.*}} namespace with global and 
per-category overrides
# *Profile-aware defaults*: {{camel.main.profile=prod}} automatically defaults 
to {{fail}} policy; users can override via {{camel.security.policy=warn}}
# *Property allowlist*: {{camel.security.allowedProperties}} to exclude 
specific properties from checks
# *Plain-text secret detection*: flags passwords/tokens not using {{RAW()}}, 
{{\{\{vault:...\}\}}}, {{$\{env:...\}}}, or {{\{\{...\}\}}} placeholders
# *Health check*: {{SecurityPolicyHealthCheck}} readiness check reports 
violations at runtime
# *Context plugin*: {{SecurityPolicyResult}} stores violations for programmatic 
access
# *Annotation-driven*: new {{security}} and {{insecureValue}} attributes on 
{{@UriParam}}, {{@Metadata}}, {{@UriPath}} — build tools auto-generate the 
tracking map
# *57+ components annotated* across AWS, Netty, JMS, Paho MQTT, Splunk, Huawei 
Cloud, core SSL
# *Documentation* in {{security.adoc}}

h3. Configuration Example

{code}
# Global policy (default: warn, or fail when profile=prod)
camel.security.policy = fail

# Per-category overrides
camel.security.secretPolicy = fail
camel.security.insecureSslPolicy = fail
camel.security.insecureDevPolicy = warn

# Allow specific properties
camel.security.allowedProperties = camel.component.aws2-s3.trustAllCertificates
{code}

h3. Key Files

- {{core/camel-util/.../SecurityUtils.java}} — detection logic and 
auto-generated security options map
- {{core/camel-util/.../SecurityViolation.java}} — shared violation record
- {{core/camel-main/.../SecurityConfigurationProperties.java}} — policy 
configuration
- {{core/camel-main/.../ProfileConfigurer.java}} — profile-aware defaults
- {{core/camel-main/.../SecurityPolicyResult.java}} — context plugin for 
runtime access
- {{core/camel-health/.../SecurityPolicyHealthCheck.java}} — readiness health 
check
- {{docs/user-manual/.../security.adoc}} — documentation

PR: https://github.com/apache/camel/pull/22269


> Security policy enforcement for insecure configuration at startup
> -----------------------------------------------------------------
>
>                 Key: CAMEL-23250
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23250
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>            Reporter: Guillaume Nodet
>            Assignee: Guillaume Nodet
>            Priority: Major
>             Fix For: 4.20.0



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
