You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@camel.apache.org by "dennis lucero (Jira)" <ji...@apache.org> on 2023/01/20 08:48:00 UTC

[jira] [Created] (CAMEL-18962) AS2Consumer accepts all content-types

dennis lucero created CAMEL-18962:
-------------------------------------

             Summary: AS2Consumer accepts all content-types
                 Key: CAMEL-18962
                 URL: https://issues.apache.org/jira/browse/CAMEL-18962
             Project: Camel
          Issue Type: Bug
          Components: camel-as2
            Reporter: dennis lucero


When setting up an AS2Cosumer (server) security is important. Thus in mind AS2 should use encryption and signing to verify the incoming data before processing it (or supplying the message for further processing). That assures that the originator of the data is a trusted party.

Camel AS2 consumer accepts encrypted and signed data and at least decryption is working.

*Problem*

The problem is that the consumer also accepts unencrypted data. So even if I only want to receive encrpyted data from a trusted party, some third party disguised as the trused party, could send a malicious unencrypted payload  and the server would just accept and process it.

For example sending plain data with the content type "application/edifact" is always accepted.

*Possible solution*

The consumer should be configurable what content type is allowed. Also the already existing producer-parameter "as2MessageStructure" may be used for that purpose.

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)