[
https://issues.apache.org/jira/browse/CAMEL-23941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino reassigned CAMEL-23941:
----------------------------------------
Assignee: Andrea Cosentino
> camel-platform-http-main: fail closed under prod when auth enabled without
> mechanism
> ------------------------------------------------------------------------------------
>
> Key: CAMEL-23941
> URL: https://issues.apache.org/jira/browse/CAMEL-23941
> Project: Camel
> Issue Type: Improvement
> Components: camel-platform-http
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
>
> Follow-up / hardening for CAMEL-23767.
> CAMEL-23767 added a startup warning in
> {{DefaultMainHttpServerFactory.configureAuthentication}} for the case where
> {{camel.server.authenticationEnabled=true}} is set but no authentication
> mechanism is configured (neither {{basicPropertiesFile}} nor
> {{jwtKeystoreType}}). In that situation the embedded HTTP server — and the
> management server — still starts and serves requests without authentication;
> only a warning is logged. That behavior was intentionally kept non-breaking
> for backward compatibility.
> We can make this consistent with Camel's security-policy framework
> ({{camel.main.profile}}, see {{design/security.adoc}}), which already
> defaults production deployments to strict ({{fail}}) enforcement:
> * Under the *prod* profile, {{authenticationEnabled=true}} with no mechanism
> configured should *fail closed* (throw at startup) instead of starting a
> server without authentication.
> * Under the *dev* profile and by default (no profile), keep the current
> warn-only behavior so existing setups remain backward compatible.
> This mirrors how {{ProfileConfigurer}} already switches
> {{camel.security.policy}} to {{fail}} under prod, while preserving the
> CAMEL-23767 warning for dev.
> h3. Suggested implementation
> * In {{DefaultMainHttpServerFactory.configureAuthentication(...)}} — both the
> {{MainHttpServer}} and {{ManagementHttpServer}} overloads — in the final
> {{else}} branch (currently {{LOG.warn}} only): read the active profile via
> {{camelContext.getCamelContextExtension().getProfile()}}. If it is
> {{prod}}/{{production}}, throw an {{IllegalStateException}} with a clear
> message; otherwise retain the existing warning.
> * Both overloads currently duplicate the same {{else}} branch — extract a
> small shared helper.
> * Note: simply marking {{authenticationEnabled}} with {{security =
> "insecure:*"}} is not sufficient, because that would also flag the
> correctly-configured {{authenticationEnabled=true}} case; the check must be
> conditional on "enabled and no mechanism".
> h3. Affected classes
> *
> {{components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java}}
> (both {{configureAuthentication}} overloads, ~lines 116-150)
> h3. Tests
> Extend {{AuthenticationConfigurationMainHttpServerTest}} — under prod, assert
> startup throws; under dev/default, keep the existing
> {{testAuthenticationEnabledWithoutMechanism}} behavior (starts + warns).
> h3. Docs
> Update the upgrade-guide note added by CAMEL-23767 to document the new
> prod-profile fail-closed behavior. Behavior change under prod → target
> main/4.22 only, not a backport.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)