This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 1dc1ccac0402 CAMEL-23767: camel-platform-http-main - warn when 
authentication is enabled but no mechanism is configured
1dc1ccac0402 is described below

commit 1dc1ccac0402bf8ed549e3557fc3d9207e4e4c05
Author: Andrea Cosentino <[email protected]>
AuthorDate: Fri Jun 19 14:23:31 2026 +0200

    CAMEL-23767: camel-platform-http-main - warn when authentication is enabled 
but no mechanism is configured
    
    DefaultMainHttpServerFactory.configureAuthentication wired basic or JWT 
authentication
    only when a basic-auth properties file or a JWT keystore was configured. 
When
    authenticationEnabled=true but neither was set, the embedded HTTP server 
(and the
    management server) started without any authentication and without any 
warning,
    silently exposing an unprotected server. A clear warning is now logged at 
startup in
    that case so the misconfiguration is surfaced. The server still starts 
(behaviour is
    otherwise unchanged), so the change is non-breaking. Includes a log-capture 
test and a
    4.21 upgrade-guide note.
    
    Closes #24137
---
 .../http/main/DefaultMainHttpServerFactory.java    | 15 +++++++
 ...henticationConfigurationMainHttpServerTest.java | 48 ++++++++++++++++++++++
 .../test/resources/auth-no-mechanism.properties    | 21 ++++++++++
 .../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc    |  7 ++++
 4 files changed, 91 insertions(+)

diff --git 
a/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java
 
b/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java
index c995da8a0651..054862843883 100644
--- 
a/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java
+++ 
b/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/DefaultMainHttpServerFactory.java
@@ -28,10 +28,14 @@ import org.apache.camel.main.MainHttpServerFactory;
 import org.apache.camel.spi.annotations.JdkService;
 import org.apache.camel.support.TempDirHelper;
 import org.apache.camel.util.ObjectHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 @JdkService(MainConstants.PLATFORM_HTTP_SERVER)
 public class DefaultMainHttpServerFactory implements CamelContextAware, 
MainHttpServerFactory {
 
+    private static final Logger LOG = 
LoggerFactory.getLogger(DefaultMainHttpServerFactory.class);
+
     private static final String DEFAULT_UPLOAD_DIR = 
"${java.io.tmpdir}/camel/camel-tmp-#uuid#/";
 
     private CamelContext camelContext;
@@ -118,6 +122,11 @@ public class DefaultMainHttpServerFactory implements 
CamelContextAware, MainHttp
             ObjectHelper.notNull(configuration.getJwtKeystorePassword(), 
"jwtKeyStorePassword");
             JWTAuthenticationConfigurer auth = new 
JWTAuthenticationConfigurer();
             
auth.configureAuthentication(server.getConfiguration().getAuthenticationConfig(),
 configuration);
+        } else {
+            LOG.warn("Authentication is enabled (authenticationEnabled=true) 
but no authentication mechanism is"
+                     + " configured: neither a basic-auth properties file 
(basicPropertiesFile) nor a JWT keystore"
+                     + " (jwtKeystoreType) is set. The HTTP server will start 
WITHOUT authentication. Configure an"
+                     + " authentication mechanism, or set 
authenticationEnabled=false to disable authentication.");
         }
     }
 
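Review bot: The new `else` branch at the end of this hunk logs and then lets the server come up with no authentication, so a deployment that sets `authenticationEnabled=true` and misspells `basicPropertiesFile` or `jwtKeystoreType` fails open; a few lines earlier an incomplete JWT configuration is already rejected via `ObjectHelper.notNull(...)`, so failing fast here with `throw new IllegalArgumentException("authenticationEnabled=true but no authentication mechanism (basicPropertiesFile or jwtKeystoreType) is configured");` would be consistent with that and is the safer default. The commit message says the warning was chosen to stay non-breaking; if that stands, the message would be more actionable if it also named the path that is now unprotected, e.g. by appending `configuration.getAuthenticationPath()` if such an accessor exists (the test resource sets `camel.server.authenticationPath=/*`, so it presumably does). The enclosing `configureAuthentication` method starts outside the hunk, so the `if`/`else if` chain that selects basic versus JWT is not visible here.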
@@ -131,6 +140,12 @@ public class DefaultMainHttpServerFactory implements 
CamelContextAware, MainHttp
             ObjectHelper.notNull(configuration.getJwtKeystorePassword(), 
"jwtKeyStorePassword");
             JWTAuthenticationConfigurer auth = new 
JWTAuthenticationConfigurer();
             
auth.configureAuthentication(server.getConfiguration().getAuthenticationConfig(),
 configuration);
+        } else {
+            LOG.warn("Authentication is enabled (authenticationEnabled=true) 
but no authentication mechanism is"
+                     + " configured: neither a basic-auth properties file 
(basicPropertiesFile) nor a JWT keystore"
+                     + " (jwtKeystoreType) is set. The HTTP management server 
will start WITHOUT authentication."
+                     + " Configure an authentication mechanism, or set 
authenticationEnabled=false to disable"
+                     + " authentication.");
         }
     }
 
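Review bot: The warning added in this hunk is a near-verbatim copy of the one added to the sibling method, differing only in "HTTP server" versus "HTTP management server"; the two strings will drift, and the accompanying test matches on the substring `no authentication mechanism is configured`, so a later rewording of one copy would silently leave that path uncovered. A private helper such as `private static void warnNoAuthenticationMechanism(String serverName)` that builds the message from the server label and is called from both `else` branches would keep a single source of truth. The enclosing method starts outside the hunk, so that this is the management-server variant is inferred from the message text only.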
diff --git 
a/components/camel-platform-http-main/src/test/java/org/apache/camel/component/platform/http/main/authentication/AuthenticationConfigurationMainHttpServerTest.java
 
b/components/camel-platform-http-main/src/test/java/org/apache/camel/component/platform/http/main/authentication/AuthenticationConfigurationMainHttpServerTest.java
index bc35684cc0f8..417f2e4d6be6 100644
--- 
a/components/camel-platform-http-main/src/test/java/org/apache/camel/component/platform/http/main/authentication/AuthenticationConfigurationMainHttpServerTest.java
+++ 
b/components/camel-platform-http-main/src/test/java/org/apache/camel/component/platform/http/main/authentication/AuthenticationConfigurationMainHttpServerTest.java
@@ -16,14 +16,31 @@
  */
 package org.apache.camel.component.platform.http.main.authentication;
 
+import java.util.List;
+import java.util.concurrent.CopyOnWriteArrayList;
+
 import org.apache.camel.builder.RouteBuilder;
+import 
org.apache.camel.component.platform.http.main.DefaultMainHttpServerFactory;
 import org.apache.camel.main.Main;
+import org.apache.camel.test.AvailablePortFinder;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.core.LogEvent;
+import org.apache.logging.log4j.core.Logger;
+import org.apache.logging.log4j.core.appender.AbstractAppender;
+import org.apache.logging.log4j.core.config.Property;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class AuthenticationConfigurationMainHttpServerTest {
 
+    @RegisterExtension
+    static AvailablePortFinder.Port port = AvailablePortFinder.find();
+
     @Test
     public void testIncompleteAuthenticationConfiguration() {
         Main main = new Main();
@@ -36,6 +53,37 @@ public class AuthenticationConfigurationMainHttpServerTest {
         main.stop();
     }
 
+    @Test
+    public void testAuthenticationEnabledWithoutMechanism() {
+        List<String> warnings = new CopyOnWriteArrayList<>();
+        AbstractAppender appender = new AbstractAppender("CaptureWarn", null, 
null, true, Property.EMPTY_ARRAY) {
+            @Override
+            public void append(LogEvent event) {
+                if (event.getLevel() == Level.WARN) {
+                    warnings.add(event.getMessage().getFormattedMessage());
+                }
+            }
+        };
+        appender.start();
+        Logger logger = (Logger) 
LogManager.getLogger(DefaultMainHttpServerFactory.class);
+        logger.addAppender(appender);
+
+        Main main = MainHttpServerAuthenticationTestSupport.createMain(
+                "auth-no-mechanism.properties", port, new 
PlatformHttpRouteBuilder());
+        try {
+            // Unlike an incomplete JWT configuration, a missing mechanism 
must not fail startup: the server
+            // still starts (unprotected) so the change stays backward 
compatible.
+            assertDoesNotThrow(main::start);
+            // ...but a clear warning must be logged so the misconfiguration 
is surfaced rather than silent.
+            assertTrue(warnings.stream().anyMatch(m -> m.contains("no 
authentication mechanism is configured")),
+                    "Expected a warning about the missing authentication 
mechanism, but got: " + warnings);
+        } finally {
+            logger.removeAppender(appender);
+            appender.stop();
+            MainHttpServerAuthenticationTestSupport.stopMain(main);
+        }
+    }
+
     private static class PlatformHttpRouteBuilder extends RouteBuilder {
         @Override
         public void configure() throws Exception {
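Review bot: `testAuthenticationEnabledWithoutMechanism` proves the warning is emitted but not the condition the warning describes — that the server answers requests without credentials — so a regression that makes the same configuration reject requests (or throw at startup) would be caught only by the `assertDoesNotThrow`, not by anything about authentication. If `MainHttpServerAuthenticationTestSupport` exposes an HTTP client helper (not visible here), an unauthenticated `GET` to the route asserting a status other than 401 would pin the fail-open behaviour explicitly. Separately, the `(Logger) LogManager.getLogger(...)` cast binds the test to log4j-core as the SLF4J backend, and if the test `log4j2` configuration sets this logger above WARN the event never reaches the appender; a guard such as `Level previous = logger.getLevel(); logger.setLevel(Level.WARN);` before `addAppender` (restoring `previous` in the `finally`) would make the capture independent of the logging config.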
diff --git 
a/components/camel-platform-http-main/src/test/resources/auth-no-mechanism.properties
 
b/components/camel-platform-http-main/src/test/resources/auth-no-mechanism.properties
new file mode 100644
index 000000000000..05967d8c0aa1
--- /dev/null
+++ 
b/components/camel-platform-http-main/src/test/resources/auth-no-mechanism.properties
@@ -0,0 +1,21 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+##      http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+camel.server.enabled=true
+
+# Authentication is enabled but NO mechanism (neither basicPropertiesFile nor 
jwtKeystoreType) is configured.
+camel.server.authenticationEnabled=true
+camel.server.authenticationPath=/*
diff --git 
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index 5c98bca70fa9..70917beafbda 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -2168,6 +2168,13 @@ for the embedded HTTP server:
 Both default to unset. When both are unset, JWT validation behaviour is 
unchanged (signature plus the
 default `exp` / `nbf` checks).
 
+Additionally, when `authenticationEnabled=true` but neither a basic-auth 
properties file
+(`basicPropertiesFile`) nor a JWT keystore (`jwtKeystoreType`) is configured, 
the embedded HTTP server now
+logs a clear warning at startup that it is starting without authentication. 
Previously this
+misconfiguration started an unprotected server silently. The server still 
starts and the behaviour is
+otherwise unchanged; configure an authentication mechanism or set 
`authenticationEnabled=false` to remove
+the warning.
+
 === camel-test
 
 `org.apache.camel.test.AvailablePortFinder.Port` now also implements
