
CAMEL-23250: Security policy enforcement with profile-aware defaults #22269

Open

gnodet wants to merge 3 commits into main from CAMEL-23250-security-policy-enforcement

Conversation

@gnodet (Contributor) commented Mar 26, 2026

Summary

Built-in security policy enforcement that detects insecure configuration at startup and either warns or prevents the application from starting.

  • 4 security categories: secret (plain-text passwords), insecure:ssl (disabled cert verification), insecure:serialization (Java object deserialization), insecure:dev (dev-only features in prod)
  • 3 policy levels: allow (silent), warn (log, default), fail (block startup)
  • Profile-aware: prod profile auto-sets policy=fail
  • Per-category overrides: e.g. camel.security.insecureSslPolicy=allow while global is fail
  • Allowlist: exempt specific properties via camel.security.allowedProperties
  • Health check: exposes violations via Camel health check API
  • Programmatic API: SecurityPolicyResult accessible as a CamelContext plugin

Commit structure (for easier review)

  1. b0834ac Fix missing secret=true annotations — CyberArk authToken, IBM Event Streams eventStreamUsername/eventStreamPassword (2 files)
  2. 5c89a07 Security policy enforcement framework — all new classes, tooling, component annotations, tests, docs (90 files)
  3. c25dd5c Regenerate catalog and generated files — JSON metadata and endpoint DSL (423 files, reviewers can skip this commit)

Key files to review

Framework core:

Tooling (annotation → generated map pipeline):

Health check:

Tests & docs:

Example annotation change (repeated across 60+ components):

Test plan

  • 27 unit tests in MainSecurityPolicyTest (all policy levels, categories, overrides, profiles, allowed properties, placeholder detection)
  • 1 unit test in SecurityUtilsTest (plain-text secret detection)
  • Build succeeds with mvn install -B -pl core/camel-main -DskipTests -am
  • All tests pass with mvn test -B -pl core/camel-main -Dtest=MainSecurityPolicyTest
  • Generated files are up to date (no uncommitted changes after build)
  • Code formatted with mvn formatter:format impsort:sort

Follow-up ideas

Findings from a security audit that are not covered by this PR but could be addressed in follow-up tickets:

Near-term

  1. Infinispan deserialization filter: DefaultExchangeHolderUtils uses ClassLoadingAwareObjectInputStream without JEP-290 setObjectInputFilter(). Should add the same default filter (java.**;org.apache.camel.**;!*) used by SQL/LevelDB/Cassandra/Consul stores.

  2. TLS protocol version filtering — Splunk and Paho MQTT expose SSLv3/TLSv1 in their protocol enums. The global SSLContextParameters default filtering only excludes SSL.* regex. Consider also excluding TLSv1 and TLSv1.1 by default.

Medium-term

  1. FIPS compliance category — The framework already supports arbitrary categories via resolvePolicy()'s default → null fallback. Adding insecure:fips requires annotating non-FIPS algorithms and adding a fipsPolicy field to SecurityConfigurationProperties. See JIRA comment for a detailed plan.

  2. SSRF mitigation — Add an optional URI whitelist mechanism for toD/recipientList dynamic routing. This is an architectural change beyond config-level checking.

  3. Expression language sandboxing — OGNL, Groovy, MVEL, SpEL all allow arbitrary code execution. Not config-level (the framework can't catch this), but documenting the risk in security.adoc would help users make informed choices.

Low priority

  1. HTTP header CRLF validation — Add header value sanitization in camel-http-common to prevent header injection.

  2. MongoDB trust-all TrustManager: SslAwareMongoClient hardcodes a trust-all TrustManager. Not trackable by the annotation framework since it's programmatic, not a @UriParam.
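
The resolution order the summary describes (per-category override, then global policy, then the profile default, with the allowlist and placeholder detection applied before any policy is consulted) as an added, self-contained model. This is example code written for this page, not code from the PR or the Camel code base: the option names in SECURITY_OPTIONS, the camel.main.profile key, and the override keys other than camel.security.insecureSslPolicy are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example, not Camel's code: a model of the policy resolution the PR describes. */
public class SecurityPolicyExample {

    enum Policy { ALLOW, WARN, FAIL }

    record Violation(String property, String category, Policy policy) {}

    record Result(List<Violation> warnings, List<Violation> failures) {
        boolean blocksStartup() { return !failures.isEmpty(); }
    }

    // Assumed stand-in for the map the tooling generates from the security attribute on @UriParam.
    static final Map<String, String> SECURITY_OPTIONS = Map.of(
            "camel.component.foo.password", "secret",
            "camel.component.foo.trustAllCertificates", "insecure:ssl",
            "camel.component.foo.allowJavaSerializedObject", "insecure:serialization",
            "camel.main.devConsoleEnabled", "insecure:dev");

    // Per-category override keys; only insecureSslPolicy is named in the PR, the rest are assumed.
    static final Map<String, String> CATEGORY_KEYS = Map.of(
            "secret", "camel.security.secretPolicy",
            "insecure:ssl", "camel.security.insecureSslPolicy",
            "insecure:serialization", "camel.security.insecureSerializationPolicy",
            "insecure:dev", "camel.security.insecureDevPolicy");

    // A {{placeholder}} is resolved from a property source at runtime, so it is not a plain-text secret.
    static final Pattern PLACEHOLDER = Pattern.compile("\\{\\{.*\\}\\}");

    static Policy resolvePolicy(Map<String, String> config, String category) {
        String override = config.get(CATEGORY_KEYS.get(category));
        if (override != null) {
            return Policy.valueOf(override.toUpperCase(Locale.ROOT));
        }
        String global = config.get("camel.security.policy");
        if (global != null) {
            return Policy.valueOf(global.toUpperCase(Locale.ROOT));
        }
        // Profile-aware default: prod fails closed, every other profile warns.
        return "prod".equals(config.get("camel.main.profile")) ? Policy.FAIL : Policy.WARN;
    }

    static boolean isPlainTextSecret(String value) {
        return value != null && !value.isBlank() && !PLACEHOLDER.matcher(value.trim()).matches();
    }

    static Result evaluate(Map<String, String> config) {
        Set<String> allowed = new HashSet<>(Arrays.asList(
                config.getOrDefault("camel.security.allowedProperties", "").split("\\s*,\\s*")));
        List<Violation> warnings = new ArrayList<>();
        List<Violation> failures = new ArrayList<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            String category = SECURITY_OPTIONS.get(e.getKey());
            if (category == null || allowed.contains(e.getKey())) {
                continue; // not a security-relevant option, or explicitly exempted
            }
            boolean violates = "secret".equals(category)
                    ? isPlainTextSecret(e.getValue())
                    : Boolean.parseBoolean(e.getValue()); // insecure flags only count when enabled
            if (!violates) {
                continue;
            }
            Policy policy = resolvePolicy(config, category);
            Violation v = new Violation(e.getKey(), category, policy);
            switch (policy) {
                case FAIL -> failures.add(v);
                case WARN -> warnings.add(v);
                case ALLOW -> { /* silent */ }
            }
        }
        return new Result(warnings, failures);
    }

    /** What a startup hook would do: log warnings, refuse to start when anything resolved to fail. */
    static void enforce(Map<String, String> config) {
        Result r = evaluate(config);
        r.warnings().forEach(v -> System.out.println("WARN " + v.category() + ": " + v.property()));
        if (r.blocksStartup()) {
            throw new IllegalStateException("security policy violations: " + r.failures());
        }
    }

    public static void main(String[] args) {
        Map<String, String> prod = Map.of(
                "camel.main.profile", "prod",                       // implies policy=fail
                "camel.security.insecureSslPolicy", "allow",        // per-category override
                "camel.security.allowedProperties", "camel.main.devConsoleEnabled",
                "camel.component.foo.password", "hunter2",          // plain text: fails in prod
                "camel.component.foo.trustAllCertificates", "true", // overridden to allow
                "camel.main.devConsoleEnabled", "true");            // allowlisted
        try {
            enforce(prod);
        } catch (IllegalStateException ex) {
            System.out.println("STARTUP BLOCKED: " + ex.getMessage());
        }
        Map<String, String> dev = new HashMap<>(prod);
        dev.put("camel.main.profile", "dev"); // same config under dev: the password only warns
        enforce(dev);
        System.out.println("dev profile started with warnings");
    }
}
```

Two things the model makes visible that the bullet list does not: the allowlist is checked before the category policy, so an allowlisted property never appears even as a warning, and a value such as {{db.password}} is treated as an indirection rather than a secret, which is exactly the case a fail policy in prod should not break.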
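
For the first near-term item, the JEP-290 filter pattern quoted above applied to a stream, as an added example that is not the PR's or Camel's code. It uses a plain java.io.ObjectInputStream; ClassLoadingAwareObjectInputStream extends ObjectInputStream, so the same setObjectInputFilter call is what the follow-up proposes adding. The NotAllowed class is a constructed stand-in for any type outside the two allowed package trees.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Added example, not Camel's code: per-stream JEP-290 filtering with the pattern the follow-up names. */
public class DeserializationFilterExample {

    // Allow JDK and Camel classes, reject everything else before it is instantiated.
    static final ObjectInputFilter CAMEL_DEFAULT_FILTER =
            ObjectInputFilter.Config.createFilter("java.**;org.apache.camel.**;!*");

    // Constructed stand-in for a class outside the allowlist (its name is DeserializationFilterExample$NotAllowed).
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The filter must be set before readObject; it is consulted for every class the stream resolves. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(CAMEL_DEFAULT_FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.ArrayList and java.lang.String match java.** and are accepted.
        Object ok = readFiltered(serialize(new ArrayList<>(List.of("exchange-body"))));
        System.out.println("accepted: " + ok);
        try {
            // Matches neither allowed pattern, so !* rejects it; no constructor or readObject runs.
            readFiltered(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide fallback is the jdk.serialFilter system property with the same pattern, but it does not replace the per-stream call: the stores the follow-up lists set the filter on the stream they create, which holds even when the JVM is started without the property.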
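
For the second near-term item, the include/exclude regex filtering that the protocol filter applies, run against the protocols the current JDK reports, with the shipped exclude list beside the stricter one the follow-up proposes. This is an added example written for this page, not Camel's filtering code: it uses only the JDK, and the whole-name regex matching is my model of how FilterParameters include/exclude lists behave.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/** Added example, not Camel's code: protocol-name filtering with the current and proposed exclude lists. */
public class TlsProtocolFilterExample {

    // The global SSLContextParameters default, as the follow-up states it: only SSL.* is excluded.
    static final List<String> CURRENT_EXCLUDE = List.of("SSL.*");

    // Proposed stricter default: also drop TLSv1 and TLSv1.1 (exact names, so TLSv1.2 survives).
    static final List<String> PROPOSED_EXCLUDE = List.of("SSL.*", "TLSv1", "TLSv1\\.1");

    /** Keep a name when it matches some include pattern and no exclude pattern (whole-name matching). */
    static List<String> filter(List<String> names, List<String> include, List<String> exclude) {
        List<Pattern> inc = include.stream().map(Pattern::compile).toList();
        List<Pattern> exc = exclude.stream().map(Pattern::compile).toList();
        List<String> kept = new ArrayList<>();
        for (String name : names) {
            boolean included = inc.stream().anyMatch(p -> p.matcher(name).matches());
            boolean excluded = exc.stream().anyMatch(p -> p.matcher(name).matches());
            if (included && !excluded) {
                kept.add(name);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        List<String> supported = List.of(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
        System.out.println("JDK supports        : " + supported);
        System.out.println("current default keeps: " + filter(supported, List.of(".*"), CURRENT_EXCLUDE));
        System.out.println("proposed default keeps: " + filter(supported, List.of(".*"), PROPOSED_EXCLUDE));
    }
}
```

On a recent JDK the supported list still contains TLSv1 and TLSv1.1 (disabled by jdk.tls.disabledAlgorithms but reported as supported), which is why the current SSL.* exclusion alone leaves them selectable when a component such as Splunk or Paho offers them in its own enum.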

@gnodet gnodet requested review from davsclaus and oscerd March 26, 2026 00:46
@github-actions (Contributor)
🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using build-all, build-dependents, skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@gnodet gnodet marked this pull request as draft March 26, 2026 06:24
@gnodet gnodet changed the title CAMEL-23250: Warn or prevent plain-text secrets and insecure configuration CAMEL-23250: Security policy enforcement with profile-aware defaults Mar 26, 2026
@gnodet gnodet marked this pull request as ready for review March 27, 2026 07:43
gnodet and others added 2 commits March 27, 2026 09:53
- CyberArkVaultConfiguration: mark authToken as secret
- IBMSecretsManagerVaultConfiguration: mark eventStreamUsername and
  eventStreamPassword as secret

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a built-in security policy enforcement mechanism that detects
insecure configuration at startup and either warns or prevents the
application from starting, depending on the configured policy.

Framework components:
- SecurityUtils and SecurityViolation in camel-util for detection logic
- SecurityConfigurationProperties for camel.security.* configuration
- SecurityPolicyResult as a CamelContext plugin for runtime access
- SecurityPolicyHealthCheck for health monitoring
- Profile-aware defaults: prod profile auto-sets policy=fail
- security attribute on @UriParam/@UriPath/@metadata annotations
- Tooling support to generate security options map from annotations

Security categories: secret, insecure:ssl, insecure:serialization,
insecure:dev. Policy levels: allow, warn (default), fail.

Annotated 60+ component options across AWS, Huawei, JMS, Netty,
HTTP, Splunk, Paho, and other components with security categories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet gnodet force-pushed the CAMEL-23250-security-policy-enforcement branch from 8da3b9c to c25dd5c Compare March 27, 2026 08:55
Regenerated component JSON metadata, endpoint DSL factories, and
catalog resources to reflect the new security annotations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet gnodet force-pushed the CAMEL-23250-security-policy-enforcement branch from c25dd5c to ca52d14 Compare March 27, 2026 09:23