Andrea Cosentino created CAMEL-23941:
----------------------------------------
Summary: camel-platform-http-main: fail closed under prod when
auth enabled without mechanism
Key: CAMEL-23941
URL: https://issues.apache.org/jira/browse/CAMEL-23941
Project: Camel
Issue Type: Improvement
Components: camel-platform-http
Reporter: Andrea Cosentino
Follow-up / hardening for CAMEL-23767.
CAMEL-23767 added a startup warning in
{{DefaultMainHttpServerFactory.configureAuthentication}} for the case where
{{camel.server.authenticationEnabled=true}} is set but no authentication
mechanism is configured (neither {{basicPropertiesFile}} nor
{{jwtKeystoreType}}). In that situation the embedded HTTP server — and the
management server — still starts and serves requests without authentication;
only a warning is logged. That behavior was intentionally kept non-breaking for
backward compatibility.
We can make this consistent with Camel's security-policy framework
({{camel.main.profile}}, see {{design/security.adoc}}), which already defaults
production deployments to strict ({{fail}}) enforcement:
* Under the *prod* profile, {{authenticationEnabled=true}} with no mechanism
configured should *fail closed* (throw at startup) instead of starting a server
without authentication.
* Under the *dev* profile and by default (no profile), keep the current
warn-only behavior so existing setups remain backward compatible.
This mirrors how {{ProfileConfigurer}} already switches
{{camel.security.policy}} to {{fail}} under prod, while preserving the
CAMEL-23767 warning for dev.
h3. Suggested implementation
* In {{DefaultMainHttpServerFactory.configureAuthentication(...)}} — both the
{{MainHttpServer}} and {{ManagementHttpServer}} overloads — in the final
{{else}} branch (currently {{LOG.warn}} only): read the active profile via
{{camelContext.getCamelContextExtension().getProfile()}}. If it is
{{prod}}/{{production}}, throw an {{IllegalStateException}} with a clear
message; otherwise retain the existing warning.
* Both overloads currently duplicate the same {{else}} branch — extract a small
shared helper.
* Note: simply marking {{authenticationEnabled}} with {{security =
"insecure:*"}} is not sufficient, because that would also flag the
correctly-configured {{authenticationEnabled=true}} case; the check must be
conditional on "enabled and no mechanism".
h3. Affected classes
*
{{components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java}}
(both {{configureAuthentication}} overloads, ~lines 116-150)
h3. Tests
Extend {{AuthenticationConfigurationMainHttpServerTest}} — under prod, assert
startup throws; under dev/default, keep the existing
{{testAuthenticationEnabledWithoutMechanism}} behavior (starts + warns).
h3. Docs
Update the upgrade-guide note added by CAMEL-23767 to document the new
prod-profile fail-closed behavior. Behavior change under prod → target
main/4.22 only, not a backport.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)