You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@camel.apache.org by "dennis lucero (Jira)" <ji...@apache.org> on 2023/01/20 08:48:00 UTC
[jira] [Created] (CAMEL-18962) AS2Consumer accepts all content-types
dennis lucero created CAMEL-18962:
-------------------------------------
Summary: AS2Consumer accepts all content-types
Key: CAMEL-18962
URL: https://issues.apache.org/jira/browse/CAMEL-18962
Project: Camel
Issue Type: Bug
Components: camel-as2
Reporter: dennis lucero
When setting up an AS2Cosumer (server) security is important. Thus in mind AS2 should use encryption and signing to verify the incoming data before processing it (or supplying the message for further processing). That assures that the originator of the data is a trusted party.
Camel AS2 consumer accepts encrypted and signed data and at least decryption is working.
*Problem*
The problem is that the consumer also accepts unencrypted data. So even if I only want to receive encrpyted data from a trusted party, some third party disguised as the trused party, could send a malicious unencrypted payload and the server would just accept and process it.
For example sending plain data with the content type "application/edifact" is always accepted.
*Possible solution*
The consumer should be configurable what content type is allowed. Also the already existing producer-parameter "as2MessageStructure" may be used for that purpose.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)