This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 0995b71fed20 CAMEL-23404: Improve SFTP security documentation and add
strictHostKeyChecking policy enforcement (#23143)
0995b71fed20 is described below
commit 0995b71fed20b013081c4819d466ce7d299f55d0
Author: Claus Ibsen <[email protected]>
AuthorDate: Tue May 12 17:17:40 2026 +0200
CAMEL-23404: Improve SFTP security documentation and add
strictHostKeyChecking policy enforcement (#23143)
* CAMEL-23404: Improve SFTP security documentation and add
strictHostKeyChecking policy enforcement
- Added security="insecure:ssl" annotation to strictHostKeyChecking
parameter
- Enhanced parameter description to warn about MITM vulnerability when
disabled
- Added comprehensive Security Best Practices section to sftp-component.adoc
- Documented recommended secure configuration patterns with examples
- Generated metadata now includes security policy enforcement for
strictHostKeyChecking
Signed-off-by: Claus Ibsen <[email protected]>
* CAMEL-23404: Add component-level host key verification options to
SftpComponent
- Added 6 component-level properties for global host key verification
configuration:
* strictHostKeyChecking (with security="insecure:ssl" annotation)
* knownHostsFile
* knownHostsUri
* knownHosts (byte array)
* useUserKnownHostsFile
* autoCreateKnownHostsFile
- Component settings are applied as defaults during endpoint creation
- Endpoint URI parameters can override component-level settings
- Updated documentation with global configuration examples (Java and Spring
Boot)
- Generated component metadata and configurer updated automatically
Signed-off-by: Claus Ibsen <[email protected]>
* CAMEL-23404: Regenerate mina-sftp and sensitive-keys metadata after
BaseSftpConfiguration changes
The full reactor build regenerated:
- mina-sftp component metadata (inherits strictHostKeyChecking security
annotation)
- sensitive-keys catalog (adds knownhosts* fields)
- SensitiveUtils patterns (adds knownhosts* to sensitive key patterns)
These changes were missed in the module-scoped builds and are now included.
Signed-off-by: Claus Ibsen <[email protected]>
---------
Signed-off-by: Claus Ibsen <[email protected]>
---
.../apache/camel/catalog/components/mina-sftp.json | 2 +-
.../org/apache/camel/catalog/components/sftp.json | 10 +-
.../apache/camel/catalog/main/sensitive-keys.json | 3 +
.../file/remote/BaseSftpConfiguration.java | 6 +-
.../file/remote/SftpComponentConfigurer.java | 36 +++++++
.../apache/camel/component/file/remote/sftp.json | 10 +-
.../camel-ftp/src/main/docs/sftp-component.adoc | 75 ++++++++++++++
.../camel/component/file/remote/SftpComponent.java | 110 ++++++++++++++++++++
.../component/file/remote/mina/mina-sftp.json | 2 +-
.../java/org/apache/camel/util/SecurityUtils.java | 1 +
.../java/org/apache/camel/util/SensitiveUtils.java | 6 ++
.../component/dsl/SftpComponentBuilderFactory.java | 111 +++++++++++++++++++++
.../dsl/MinaSftpEndpointBuilderFactory.java | 15 ++-
.../endpoint/dsl/SftpEndpointBuilderFactory.java | 15 ++-
14 files changed, 388 insertions(+), 14 deletions(-)
diff --git
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/mina-sftp.json
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/mina-sftp.json
index b5a57ecac02e..cb5452e3ea58 100644
---
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/mina-sftp.json
+++
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/mina-sftp.json
@@ -184,7 +184,7 @@
"publicKeyAcceptedAlgorithms": { "index": 131, "kind": "parameter",
"displayName": "Public Key Accepted Algorithms", "group": "security", "label":
"security", "required": false, "type": "string", "javaType":
"java.lang.String", "deprecated": false, "autowired": false, "secret": false,
"configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of public key accepted algori [...]
"serverHostKeys": { "index": 132, "kind": "parameter", "displayName":
"Server Host Keys", "group": "security", "label": "security", "required":
false, "type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Set the list of
algorithms supported for the server host key. Some examples include [...]
"serverKeyVerifier": { "index": 133, "kind": "parameter", "displayName":
"Server Key Verifier", "group": "security", "label": "security", "required":
false, "type": "object", "javaType":
"org.apache.sshd.client.keyverifier.ServerKeyVerifier", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Custom ServerKeyVerifier
for host key ver [...]
- "strictHostKeyChecking": { "index": 134, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Sets whether to use str
[...]
+ "strictHostKeyChecking": { "index": 134, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "security": "insecure:ssl", "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "descriptio [...]
"username": { "index": 135, "kind": "parameter", "displayName":
"Username", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Username to use for
login" },
"useUserKnownHostsFile": { "index": 136, "kind": "parameter",
"displayName": "Use User Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "If knownHostFile has not
been explicit configured the [...]
"shuffle": { "index": 137, "kind": "parameter", "displayName": "Shuffle",
"group": "sort", "label": "consumer,sort", "required": false, "type":
"boolean", "javaType": "boolean", "deprecated": false, "autowired": false,
"secret": false, "defaultValue": false, "description": "To shuffle the list of
files (sort in random order)" },
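Review bot: The "security": "insecure:ssl" tag added to the strictHostKeyChecking entry files an SSH host key control under an SSL category, which is easy to overlook for anyone reading or filtering on that category. If the category set can take a new value, an SSH-specific one would be clearer; otherwise the option description should state that SSH host key verification is covered by insecure:ssl. This file is generated, so the change belongs in the @UriParam annotation on the configuration class.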
diff --git
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/sftp.json
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/sftp.json
index 5fa1b2c54a38..d5c6d5a26b43 100644
---
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/sftp.json
+++
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/sftp.json
@@ -28,7 +28,13 @@
"lazyStartProducer": { "index": 1, "kind": "property", "displayName":
"Lazy Start Producer", "group": "producer", "label": "producer", "required":
false, "type": "boolean", "javaType": "boolean", "deprecated": false,
"autowired": false, "secret": false, "defaultValue": false, "description":
"Whether the producer should be started lazy (on the first message). By
starting lazy you can use this to allow CamelContext and routes to startup in
situations where a producer may otherwise fail [...]
"autowiredEnabled": { "index": 2, "kind": "property", "displayName":
"Autowired Enabled", "group": "advanced", "label": "advanced", "required":
false, "type": "boolean", "javaType": "boolean", "deprecated": false,
"autowired": false, "secret": false, "defaultValue": true, "description":
"Whether autowiring is enabled. This is used for automatic autowiring options
(the option must be marked as autowired) by looking up in the registry to find
if there is a single instance of matching t [...]
"healthCheckConsumerEnabled": { "index": 3, "kind": "property",
"displayName": "Health Check Consumer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all consumer based health checks
from this component" },
- "healthCheckProducerEnabled": { "index": 4, "kind": "property",
"displayName": "Health Check Producer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all producer based health checks
from this component. Notice: Camel has by default disabled all producer based
health-checks. You can turn on producer [...]
+ "healthCheckProducerEnabled": { "index": 4, "kind": "property",
"displayName": "Health Check Producer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all producer based health checks
from this component. Notice: Camel has by default disabled all producer based
health-checks. You can turn on producer [...]
+ "autoCreateKnownHostsFile": { "index": 5, "kind": "property",
"displayName": "Auto Create Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue":
false, "description": "If knownHostFile does not exist, then attempt to
auto-create the path and file (beware that the file will be created by the
current user of the running Java process, which may not [...]
+ "knownHosts": { "index": 6, "kind": "property", "displayName": "Known
Hosts", "group": "security", "label": "security", "required": false, "type":
"string", "javaType": "byte[]", "deprecated": false, "autowired": false,
"secret": true, "security": "secret", "description": "Sets the known_hosts from
the byte array globally, so that the SFTP endpoints can do host key
verification." },
+ "knownHostsFile": { "index": 7, "kind": "property", "displayName": "Known
Hosts File", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "description": "Sets
the known_hosts file globally, so that the SFTP endpoints can do host key
verification." },
+ "knownHostsUri": { "index": 8, "kind": "property", "displayName": "Known
Hosts Uri", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "description": "Sets
the known_hosts file (loaded from classpath by default) globally, so that the
SFTP endpoints can do host key verification." },
+ "strictHostKeyChecking": { "index": 9, "kind": "property", "displayName":
"Strict Host Key Checking", "group": "security", "label": "security",
"required": false, "type": "enum", "javaType": "java.lang.String", "enum": [
"no", "yes" ], "deprecated": false, "autowired": false, "secret": false,
"security": "insecure:ssl", "defaultValue": "no", "description": "Sets whether
to use strict host key checking globally for all endpoints. Setting this to
'no' (the default) disables host key ve [...]
+ "useUserKnownHostsFile": { "index": 10, "kind": "property", "displayName":
"Use User Known Hosts File", "group": "security", "label": "security",
"required": false, "type": "boolean", "javaType": "boolean", "deprecated":
false, "autowired": false, "secret": false, "defaultValue": true,
"description": "If knownHostFile has not been explicit configured then use the
host file from System.getProperty(user.home)\/.ssh\/known_hosts" }
},
"headers": {
"CamelFileLength": { "index": 0, "kind": "header", "displayName": "",
"group": "consumer", "label": "consumer", "required": false, "javaType":
"long", "deprecated": false, "deprecationNote": "", "autowired": false,
"secret": false, "important": true, "description": "A long value containing the
file size.", "constantName":
"org.apache.camel.component.file.remote.FtpConstants#FILE_LENGTH" },
@@ -183,7 +189,7 @@
"privateKeyUri": { "index": 130, "kind": "parameter", "displayName":
"Private Key Uri", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"deprecationNote": "", "autowired": false, "secret": true, "security":
"secret", "supportFileReference": true, "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set the private key
[...]
"publicKeyAcceptedAlgorithms": { "index": 131, "kind": "parameter",
"displayName": "Public Key Accepted Algorithms", "group": "security", "label":
"security", "required": false, "type": "string", "javaType":
"java.lang.String", "deprecated": false, "autowired": false, "secret": false,
"configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of public key accepted algorithms. If [...]
"serverHostKeys": { "index": 132, "kind": "parameter", "displayName":
"Server Host Keys", "group": "security", "label": "security", "required":
false, "type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of algorithms supported for the server host key. Some examples in [...]
- "strictHostKeyChecking": { "index": 133, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Sets whether to use
strict host [...]
+ "strictHostKeyChecking": { "index": 133, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "security": "insecure:ssl", "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Sets [...]
"username": { "index": 134, "kind": "parameter", "displayName":
"Username", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Username to use for
login" },
"useUserKnownHostsFile": { "index": 135, "kind": "parameter",
"displayName": "Use User Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "If knownHostFile has not
been explicit configured then use the [...]
"shuffle": { "index": 136, "kind": "parameter", "displayName": "Shuffle",
"group": "sort", "label": "consumer,sort", "required": false, "type":
"boolean", "javaType": "boolean", "deprecated": false, "autowired": false,
"secret": false, "defaultValue": false, "description": "To shuffle the list of
files (sort in random order)" },
diff --git
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/sensitive-keys.json
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/sensitive-keys.json
index e4d88e306b6f..4d812647e3eb 100644
---
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/sensitive-keys.json
+++
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/sensitive-keys.json
@@ -34,6 +34,9 @@
"keypassword",
"keystorePassword",
"keystorepassword",
+ "knownhosts",
+ "knownhostsfile",
+ "knownhostsuri",
"oauthclientid",
"oauthclientsecret",
"oauthtoken",
diff --git
a/components/camel-ftp-common/src/main/java/org/apache/camel/component/file/remote/BaseSftpConfiguration.java
b/components/camel-ftp-common/src/main/java/org/apache/camel/component/file/remote/BaseSftpConfiguration.java
index 3bda3e50da4f..1042f63776c1 100644
---
a/components/camel-ftp-common/src/main/java/org/apache/camel/component/file/remote/BaseSftpConfiguration.java
+++
b/components/camel-ftp-common/src/main/java/org/apache/camel/component/file/remote/BaseSftpConfiguration.java
@@ -47,8 +47,10 @@ public abstract class BaseSftpConfiguration extends
RemoteFileConfiguration {
@UriParam(label = "security", security = "secret",
description = "Sets the known_hosts from the byte array, so that
the SFTP endpoint can do host key verification.")
private byte[] knownHosts;
- @UriParam(defaultValue = "no", enums = "no,yes", label = "security",
- description = "Sets whether to use strict host key checking.")
+ @UriParam(defaultValue = "no", enums = "no,yes", label = "security",
security = "insecure:ssl",
+ description = "Sets whether to use strict host key checking. "
+ + "Setting this to 'no' (the default) disables
host key verification and makes SFTP connections "
+ + "vulnerable to man-in-the-middle attacks. Use
'yes' in production environments.")
private String strictHostKeyChecking = "no";
@UriParam(label = "security", security = "secret",
description = "Set the private key file so that the SFTP
endpoint can do private key verification.")
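Review bot: The field initialiser stays strictHostKeyChecking = "no" while the new description says that "no" leaves connections vulnerable to man-in-the-middle attacks, so every endpoint that does not set the option still connects without verifying the server. If the default cannot change in this release for compatibility reasons, log a WARN when an endpoint starts with the effective value "no" and record the planned default change in the upgrade guide. The description could also point to the known hosts options (knownHosts, knownHostsFile, knownHostsUri) that supply the keys "yes" checks against.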
diff --git
a/components/camel-ftp/src/generated/java/org/apache/camel/component/file/remote/SftpComponentConfigurer.java
b/components/camel-ftp/src/generated/java/org/apache/camel/component/file/remote/SftpComponentConfigurer.java
index bccd1a2a909a..44198c8301f4 100644
---
a/components/camel-ftp/src/generated/java/org/apache/camel/component/file/remote/SftpComponentConfigurer.java
+++
b/components/camel-ftp/src/generated/java/org/apache/camel/component/file/remote/SftpComponentConfigurer.java
@@ -23,6 +23,8 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
public boolean configure(CamelContext camelContext, Object obj, String
name, Object value, boolean ignoreCase) {
SftpComponent target = (SftpComponent) obj;
switch (ignoreCase ? name.toLowerCase() : name) {
+ case "autocreateknownhostsfile":
+ case "autoCreateKnownHostsFile":
target.setAutoCreateKnownHostsFile(property(camelContext, boolean.class,
value)); return true;
case "autowiredenabled":
case "autowiredEnabled":
target.setAutowiredEnabled(property(camelContext, boolean.class, value));
return true;
case "bridgeerrorhandler":
@@ -31,8 +33,18 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
case "healthCheckConsumerEnabled":
target.setHealthCheckConsumerEnabled(property(camelContext, boolean.class,
value)); return true;
case "healthcheckproducerenabled":
case "healthCheckProducerEnabled":
target.setHealthCheckProducerEnabled(property(camelContext, boolean.class,
value)); return true;
+ case "knownhosts":
+ case "knownHosts": target.setKnownHosts(property(camelContext,
byte[].class, value)); return true;
+ case "knownhostsfile":
+ case "knownHostsFile": target.setKnownHostsFile(property(camelContext,
java.lang.String.class, value)); return true;
+ case "knownhostsuri":
+ case "knownHostsUri": target.setKnownHostsUri(property(camelContext,
java.lang.String.class, value)); return true;
case "lazystartproducer":
case "lazyStartProducer":
target.setLazyStartProducer(property(camelContext, boolean.class, value));
return true;
+ case "stricthostkeychecking":
+ case "strictHostKeyChecking":
target.setStrictHostKeyChecking(property(camelContext, java.lang.String.class,
value)); return true;
+ case "useuserknownhostsfile":
+ case "useUserKnownHostsFile":
target.setUseUserKnownHostsFile(property(camelContext, boolean.class, value));
return true;
default: return false;
}
}
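Review bot: In the strictHostKeyChecking case the value is converted to a plain java.lang.String and passed to setStrictHostKeyChecking unchanged, although the metadata restricts the option to "no" and "yes". Please check that the setter in SftpComponent rejects anything else (for example "true" or "YES"), so that a typo in a properties file fails at startup rather than being treated as something other than "yes". This file is generated, so the validation belongs in the component class.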
@@ -40,6 +52,8 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
@Override
public Class<?> getOptionType(String name, boolean ignoreCase) {
switch (ignoreCase ? name.toLowerCase() : name) {
+ case "autocreateknownhostsfile":
+ case "autoCreateKnownHostsFile": return boolean.class;
case "autowiredenabled":
case "autowiredEnabled": return boolean.class;
case "bridgeerrorhandler":
@@ -48,8 +62,18 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
case "healthCheckConsumerEnabled": return boolean.class;
case "healthcheckproducerenabled":
case "healthCheckProducerEnabled": return boolean.class;
+ case "knownhosts":
+ case "knownHosts": return byte[].class;
+ case "knownhostsfile":
+ case "knownHostsFile": return java.lang.String.class;
+ case "knownhostsuri":
+ case "knownHostsUri": return java.lang.String.class;
case "lazystartproducer":
case "lazyStartProducer": return boolean.class;
+ case "stricthostkeychecking":
+ case "strictHostKeyChecking": return java.lang.String.class;
+ case "useuserknownhostsfile":
+ case "useUserKnownHostsFile": return boolean.class;
default: return null;
}
}
@@ -58,6 +82,8 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
public Object getOptionValue(Object obj, String name, boolean ignoreCase) {
SftpComponent target = (SftpComponent) obj;
switch (ignoreCase ? name.toLowerCase() : name) {
+ case "autocreateknownhostsfile":
+ case "autoCreateKnownHostsFile": return
target.isAutoCreateKnownHostsFile();
case "autowiredenabled":
case "autowiredEnabled": return target.isAutowiredEnabled();
case "bridgeerrorhandler":
@@ -66,8 +92,18 @@ public class SftpComponentConfigurer extends
PropertyConfigurerSupport implement
case "healthCheckConsumerEnabled": return
target.isHealthCheckConsumerEnabled();
case "healthcheckproducerenabled":
case "healthCheckProducerEnabled": return
target.isHealthCheckProducerEnabled();
+ case "knownhosts":
+ case "knownHosts": return target.getKnownHosts();
+ case "knownhostsfile":
+ case "knownHostsFile": return target.getKnownHostsFile();
+ case "knownhostsuri":
+ case "knownHostsUri": return target.getKnownHostsUri();
case "lazystartproducer":
case "lazyStartProducer": return target.isLazyStartProducer();
+ case "stricthostkeychecking":
+ case "strictHostKeyChecking": return target.getStrictHostKeyChecking();
+ case "useuserknownhostsfile":
+ case "useUserKnownHostsFile": return target.isUseUserKnownHostsFile();
default: return null;
}
}
diff --git
a/components/camel-ftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/sftp.json
b/components/camel-ftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/sftp.json
index 5fa1b2c54a38..d5c6d5a26b43 100644
---
a/components/camel-ftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/sftp.json
+++
b/components/camel-ftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/sftp.json
@@ -28,7 +28,13 @@
"lazyStartProducer": { "index": 1, "kind": "property", "displayName":
"Lazy Start Producer", "group": "producer", "label": "producer", "required":
false, "type": "boolean", "javaType": "boolean", "deprecated": false,
"autowired": false, "secret": false, "defaultValue": false, "description":
"Whether the producer should be started lazy (on the first message). By
starting lazy you can use this to allow CamelContext and routes to startup in
situations where a producer may otherwise fail [...]
"autowiredEnabled": { "index": 2, "kind": "property", "displayName":
"Autowired Enabled", "group": "advanced", "label": "advanced", "required":
false, "type": "boolean", "javaType": "boolean", "deprecated": false,
"autowired": false, "secret": false, "defaultValue": true, "description":
"Whether autowiring is enabled. This is used for automatic autowiring options
(the option must be marked as autowired) by looking up in the registry to find
if there is a single instance of matching t [...]
"healthCheckConsumerEnabled": { "index": 3, "kind": "property",
"displayName": "Health Check Consumer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all consumer based health checks
from this component" },
- "healthCheckProducerEnabled": { "index": 4, "kind": "property",
"displayName": "Health Check Producer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all producer based health checks
from this component. Notice: Camel has by default disabled all producer based
health-checks. You can turn on producer [...]
+ "healthCheckProducerEnabled": { "index": 4, "kind": "property",
"displayName": "Health Check Producer Enabled", "group": "health", "label":
"health", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"description": "Used for enabling or disabling all producer based health checks
from this component. Notice: Camel has by default disabled all producer based
health-checks. You can turn on producer [...]
+ "autoCreateKnownHostsFile": { "index": 5, "kind": "property",
"displayName": "Auto Create Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue":
false, "description": "If knownHostFile does not exist, then attempt to
auto-create the path and file (beware that the file will be created by the
current user of the running Java process, which may not [...]
+ "knownHosts": { "index": 6, "kind": "property", "displayName": "Known
Hosts", "group": "security", "label": "security", "required": false, "type":
"string", "javaType": "byte[]", "deprecated": false, "autowired": false,
"secret": true, "security": "secret", "description": "Sets the known_hosts from
the byte array globally, so that the SFTP endpoints can do host key
verification." },
+ "knownHostsFile": { "index": 7, "kind": "property", "displayName": "Known
Hosts File", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "description": "Sets
the known_hosts file globally, so that the SFTP endpoints can do host key
verification." },
+ "knownHostsUri": { "index": 8, "kind": "property", "displayName": "Known
Hosts Uri", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "description": "Sets
the known_hosts file (loaded from classpath by default) globally, so that the
SFTP endpoints can do host key verification." },
+ "strictHostKeyChecking": { "index": 9, "kind": "property", "displayName":
"Strict Host Key Checking", "group": "security", "label": "security",
"required": false, "type": "enum", "javaType": "java.lang.String", "enum": [
"no", "yes" ], "deprecated": false, "autowired": false, "secret": false,
"security": "insecure:ssl", "defaultValue": "no", "description": "Sets whether
to use strict host key checking globally for all endpoints. Setting this to
'no' (the default) disables host key ve [...]
+ "useUserKnownHostsFile": { "index": 10, "kind": "property", "displayName":
"Use User Known Hosts File", "group": "security", "label": "security",
"required": false, "type": "boolean", "javaType": "boolean", "deprecated":
false, "autowired": false, "secret": false, "defaultValue": true,
"description": "If knownHostFile has not been explicit configured then use the
host file from System.getProperty(user.home)\/.ssh\/known_hosts" }
},
"headers": {
"CamelFileLength": { "index": 0, "kind": "header", "displayName": "",
"group": "consumer", "label": "consumer", "required": false, "javaType":
"long", "deprecated": false, "deprecationNote": "", "autowired": false,
"secret": false, "important": true, "description": "A long value containing the
file size.", "constantName":
"org.apache.camel.component.file.remote.FtpConstants#FILE_LENGTH" },
@@ -183,7 +189,7 @@
"privateKeyUri": { "index": 130, "kind": "parameter", "displayName":
"Private Key Uri", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"deprecationNote": "", "autowired": false, "secret": true, "security":
"secret", "supportFileReference": true, "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set the private key
[...]
"publicKeyAcceptedAlgorithms": { "index": 131, "kind": "parameter",
"displayName": "Public Key Accepted Algorithms", "group": "security", "label":
"security", "required": false, "type": "string", "javaType":
"java.lang.String", "deprecated": false, "autowired": false, "secret": false,
"configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of public key accepted algorithms. If [...]
"serverHostKeys": { "index": 132, "kind": "parameter", "displayName":
"Server Host Keys", "group": "security", "label": "security", "required":
false, "type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of algorithms supported for the server host key. Some examples in [...]
- "strictHostKeyChecking": { "index": 133, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Sets whether to use
strict host [...]
+ "strictHostKeyChecking": { "index": 133, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "security": "insecure:ssl", "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Sets [...]
"username": { "index": 134, "kind": "parameter", "displayName":
"Username", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "Username to use for
login" },
"useUserKnownHostsFile": { "index": 135, "kind": "parameter",
"displayName": "Use User Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"configurationClass":
"org.apache.camel.component.file.remote.SftpConfiguration",
"configurationField": "configuration", "description": "If knownHostFile has not
been explicit configured then use the [...]
"shuffle": { "index": 136, "kind": "parameter", "displayName": "Shuffle",
"group": "sort", "label": "consumer,sort", "required": false, "type":
"boolean", "javaType": "boolean", "deprecated": false, "autowired": false,
"secret": false, "defaultValue": false, "description": "To shuffle the list of
files (sort in random order)" },
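Review bot: On the `+ "strictHostKeyChecking"` entry, `"security": "insecure:ssl"` is added while `"defaultValue": "no"` stays unchanged, so an endpoint that sets nothing starts out in the state the policy flags. If flipping the default is out of scope for this change, please link a follow-up issue from the commit so the gap is tracked. The `ssl` category is also a loose fit for an SSH host key check; the policy documentation should say that SSH host key options are covered by `insecure:ssl`, so people searching for SSH settings can find the rule.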
diff --git a/components/camel-ftp/src/main/docs/sftp-component.adoc
b/components/camel-ftp/src/main/docs/sftp-component.adoc
index fc11e1728a56..73506836b7aa 100644
--- a/components/camel-ftp/src/main/docs/sftp-component.adoc
+++ b/components/camel-ftp/src/main/docs/sftp-component.adoc
@@ -38,6 +38,81 @@ include::partial$component-endpoint-headers.adoc[]
== Usage
+=== Security Best Practices: Host Key Verification
+
+WARNING: By default, the SFTP component has `strictHostKeyChecking=no`, which
disables host key verification and makes connections vulnerable to
man-in-the-middle (MITM) attacks. For production environments, you should
enable strict host key checking to ensure you are connecting to the expected
server.
+
+==== Global Configuration (Component Level)
+
+You can configure host key verification settings globally on the SFTP
component, which will apply to all SFTP endpoints unless overridden at the
endpoint level:
+
+[source,java]
+----
+// Configure component for all SFTP endpoints
+SftpComponent sftp = context.getComponent("sftp", SftpComponent.class);
+sftp.setStrictHostKeyChecking("yes");
+sftp.setKnownHostsFile("/path/to/known_hosts");
+
+// All endpoints will inherit these settings
+from("sftp://host1/path1?username=user1&password=secret1")
+ .to("direct:result");
+
+from("sftp://host2/path2?username=user2&password=secret2")
+ .to("direct:result");
+----
+
+Or with application.properties configuration:
+
+[source,properties]
+----
+camel.component.sftp.strict-host-key-checking=yes
+camel.component.sftp.known-hosts-file=/path/to/known_hosts
+----
+
+==== Per-Endpoint Configuration
+
+Host key verification prevents MITM attacks by verifying the server's host key
against a known list of trusted keys. When `strictHostKeyChecking=yes` is
enabled, the SFTP client will reject connections to servers whose host key is
not in the known hosts file.
+
+Endpoint-level configurations will override component-level settings. This
allows you to set secure defaults globally while making exceptions for specific
endpoints if needed.
+
+To enable strict host key checking at the endpoint level, set
`strictHostKeyChecking=yes` and provide a known hosts file:
+
+[source,java]
+----
+from("sftp://host:22/path"
+ + "?username=myuser"
+ + "&password=secret"
+ + "&knownHostsFile=/path/to/known_hosts"
+ + "&strictHostKeyChecking=yes")
+ .to("direct:result");
+----
+
+Alternatively, load the known hosts from the classpath:
+
+[source,java]
+----
+from("sftp://host:22/path"
+ + "?username=myuser"
+ + "&privateKeyFile=/path/to/id_rsa"
+ + "&knownHostsUri=classpath:known_hosts"
+ + "&strictHostKeyChecking=yes")
+ .to("direct:result");
+----
+
+If you do not have a known hosts file, you can create one by connecting to the
server using the `ssh` command, which will add the host key to
`~/.ssh/known_hosts`. By default, the SFTP component will use this file if
`useUserKnownHostsFile=true` (which is the default).
+
+[source,java]
+----
+// Uses ~/.ssh/known_hosts by default
+from("sftp://host:22/path"
+ + "?username=myuser"
+ + "&privateKeyFile=/path/to/id_rsa"
+ + "&strictHostKeyChecking=yes")
+ .to("direct:result");
+----
+
+NOTE: When `strictHostKeyChecking=yes` is enabled, Camel's security policy
enforcement framework will not flag this as a security violation. The default
`strictHostKeyChecking=no` may trigger warnings or failures depending on your
configured security policy.
+
=== OpenSSH Certificate Authentication
Camel supports OpenSSH certificate-based authentication for SFTP connections,
where a user's public key is signed by a Certificate Authority (CA) rather than
being individually authorized on the server. This is common in enterprise
environments using tools like HashiCorp Vault or custom CA infrastructure.
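Review bot: The paragraph beginning "If you do not have a known hosts file" tells the reader to populate `~/.ssh/known_hosts` by connecting with `ssh`, which is trust on first use: whatever key the server presents on that first connection is the key `strictHostKeyChecking=yes` will accept afterwards. Please add a sentence telling the reader to compare the fingerprint `ssh` displays with one obtained from the server administrator over a separate channel before accepting it. Two smaller points: the explanation of what host key verification does sits under "Per-Endpoint Configuration" but applies equally to the global section, so it reads better directly after the WARNING; and "making exceptions for specific endpoints" should say plainly that such an exception means `strictHostKeyChecking=no` on that endpoint, which the NOTE at the end says may trigger policy warnings or failures.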
diff --git
a/components/camel-ftp/src/main/java/org/apache/camel/component/file/remote/SftpComponent.java
b/components/camel-ftp/src/main/java/org/apache/camel/component/file/remote/SftpComponent.java
index 7024dbc22834..1e0f3dc7e35b 100644
---
a/components/camel-ftp/src/main/java/org/apache/camel/component/file/remote/SftpComponent.java
+++
b/components/camel-ftp/src/main/java/org/apache/camel/component/file/remote/SftpComponent.java
@@ -25,6 +25,7 @@ import org.apache.camel.CamelContext;
import org.apache.camel.api.management.ManagedOperation;
import org.apache.camel.api.management.ManagedResource;
import org.apache.camel.component.file.GenericFileEndpoint;
+import org.apache.camel.spi.Metadata;
import org.apache.camel.spi.annotations.Component;
import org.apache.camel.util.StringHelper;
@@ -35,6 +36,27 @@ import org.apache.camel.util.StringHelper;
@ManagedResource(description = "Managed SFTP Component")
public class SftpComponent extends RemoteFileComponent<SftpRemoteFile> {
+ @Metadata(label = "security", defaultValue = "no", enums = "no,yes",
security = "insecure:ssl",
+ description = "Sets whether to use strict host key checking
globally for all endpoints. "
+ + "Setting this to 'no' (the default) disables
host key verification and makes SFTP connections "
+ + "vulnerable to man-in-the-middle attacks. Use
'yes' in production environments.")
+ private String strictHostKeyChecking = "no";
+ @Metadata(label = "security", security = "secret",
+ description = "Sets the known_hosts file globally, so that the
SFTP endpoints can do host key verification.")
+ private String knownHostsFile;
+ @Metadata(label = "security", security = "secret",
+ description = "Sets the known_hosts file (loaded from classpath
by default) globally, so that the SFTP endpoints can do host key verification.")
+ private String knownHostsUri;
+ @Metadata(label = "security", security = "secret",
+ description = "Sets the known_hosts from the byte array
globally, so that the SFTP endpoints can do host key verification.")
+ private byte[] knownHosts;
+ @Metadata(label = "security", defaultValue = "true",
+ description = "If knownHostFile has not been explicit configured
then use the host file from System.getProperty(user.home)/.ssh/known_hosts")
+ private boolean useUserKnownHostsFile = true;
+ @Metadata(label = "security", defaultValue = "false",
+ description = "If knownHostFile does not exist, then attempt to
auto-create the path and file (beware that the file will be created by the
current user of the running Java process, which may not have file permission).")
+ private boolean autoCreateKnownHostsFile;
+
public SftpComponent() {
}
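Review bot: The descriptions on `useUserKnownHostsFile` and `autoCreateKnownHostsFile` refer to `knownHostFile`, but the option declared a few lines above is `knownHostsFile`, and "has not been explicit configured" should read "has not been explicitly configured". These strings are the source for the generated JSON metadata and the DSL Javadoc, so correcting them here fixes every copy. The `useUserKnownHostsFile` description should also write the path as `System.getProperty("user.home") + "/.ssh/known_hosts"` or simply `~/.ssh/known_hosts`, since `System.getProperty(user.home)/.ssh/known_hosts` is not valid as written.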
@@ -57,6 +79,23 @@ public class SftpComponent extends
RemoteFileComponent<SftpRemoteFile> {
// customize its own version
SftpConfiguration config = new SftpConfiguration(new URI(baseUri));
+ // apply component-level host key verification settings as defaults
+ // (endpoint URI parameters will override these)
+ if (strictHostKeyChecking != null) {
+ config.setStrictHostKeyChecking(strictHostKeyChecking);
+ }
+ if (knownHostsFile != null) {
+ config.setKnownHostsFile(knownHostsFile);
+ }
+ if (knownHostsUri != null) {
+ config.setKnownHostsUri(knownHostsUri);
+ }
+ if (knownHosts != null) {
+ config.setKnownHosts(knownHosts);
+ }
+ config.setUseUserKnownHostsFile(useUserKnownHostsFile);
+ config.setAutoCreateKnownHostsFile(autoCreateKnownHostsFile);
+
FtpUtils.ensureRelativeFtpDirectory(this, config);
return new SftpEndpoint(uri, this, config);
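Review bot: The comment states that endpoint URI parameters override these defaults, but nothing in this hunk shows it; it holds only if the URI parameters are bound to `config` after this block has run. Please add a test with the component set to `yes` and an endpoint URI carrying `strictHostKeyChecking=no`, and the reverse, asserting the endpoint's effective value in both cases. Two details in the block itself: `strictHostKeyChecking` is initialised to "no", so the `!= null` guard is only skipped when a caller passes null to the setter, and `config.setKnownHosts(knownHosts)` hands the same byte array to every endpoint configuration, so a copy per endpoint would keep later changes to the shared array from leaking across endpoints.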
@@ -67,6 +106,77 @@ public class SftpComponent extends
RemoteFileComponent<SftpRemoteFile> {
// noop
}
+ public String getStrictHostKeyChecking() {
+ return strictHostKeyChecking;
+ }
+
+ /**
+ * Sets whether to use strict host key checking globally for all
endpoints. Setting this to 'no' (the default)
+ * disables host key verification and makes SFTP connections vulnerable to
man-in-the-middle attacks. Use 'yes' in
+ * production environments.
+ */
+ public void setStrictHostKeyChecking(String strictHostKeyChecking) {
+ this.strictHostKeyChecking = strictHostKeyChecking;
+ }
+
+ public String getKnownHostsFile() {
+ return knownHostsFile;
+ }
+
+ /**
+ * Sets the known_hosts file globally, so that the SFTP endpoints can do
host key verification.
+ */
+ public void setKnownHostsFile(String knownHostsFile) {
+ this.knownHostsFile = knownHostsFile;
+ }
+
+ public String getKnownHostsUri() {
+ return knownHostsUri;
+ }
+
+ /**
+ * Sets the known_hosts file (loaded from classpath by default) globally,
so that the SFTP endpoints can do host key
+ * verification.
+ */
+ public void setKnownHostsUri(String knownHostsUri) {
+ this.knownHostsUri = knownHostsUri;
+ }
+
+ public byte[] getKnownHosts() {
+ return knownHosts;
+ }
+
+ /**
+ * Sets the known_hosts from the byte array globally, so that the SFTP
endpoints can do host key verification.
+ */
+ public void setKnownHosts(byte[] knownHosts) {
+ this.knownHosts = knownHosts;
+ }
+
+ public boolean isUseUserKnownHostsFile() {
+ return useUserKnownHostsFile;
+ }
+
+ /**
+ * If knownHostFile has not been explicit configured then use the host
file from
+ * System.getProperty(user.home)/.ssh/known_hosts
+ */
+ public void setUseUserKnownHostsFile(boolean useUserKnownHostsFile) {
+ this.useUserKnownHostsFile = useUserKnownHostsFile;
+ }
+
+ public boolean isAutoCreateKnownHostsFile() {
+ return autoCreateKnownHostsFile;
+ }
+
+ /**
+ * If knownHostFile does not exist, then attempt to auto-create the path
and file (beware that the file will be
+ * created by the current user of the running Java process, which may not
have file permission).
+ */
+ public void setAutoCreateKnownHostsFile(boolean autoCreateKnownHostsFile) {
+ this.autoCreateKnownHostsFile = autoCreateKnownHostsFile;
+ }
+
@ManagedOperation(description = "Dump JSCH Configuration")
public String dumpConfiguration() {
StringBuilder sb = new StringBuilder();
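Review bot: `setStrictHostKeyChecking(String)` stores whatever string it receives, while the `@Metadata` annotation on the field restricts the option to `no,yes`. A value such as "true" or "Yes" would be copied into every endpoint configuration unchanged, and this patch does not show how such a value is treated downstream or by the security policy check. Since this is the global switch, please reject anything other than "yes" or "no" in the setter, or document the accepted values in the Javadoc. `getKnownHosts()` and `setKnownHosts(byte[])` also expose the internal array directly; cloning on the way in and out would be the safer pattern for a field tagged as security-relevant.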
diff --git
a/components/camel-mina-sftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/mina/mina-sftp.json
b/components/camel-mina-sftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/mina/mina-sftp.json
index b5a57ecac02e..cb5452e3ea58 100644
---
a/components/camel-mina-sftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/mina/mina-sftp.json
+++
b/components/camel-mina-sftp/src/generated/resources/META-INF/org/apache/camel/component/file/remote/mina/mina-sftp.json
@@ -184,7 +184,7 @@
"publicKeyAcceptedAlgorithms": { "index": 131, "kind": "parameter",
"displayName": "Public Key Accepted Algorithms", "group": "security", "label":
"security", "required": false, "type": "string", "javaType":
"java.lang.String", "deprecated": false, "autowired": false, "secret": false,
"configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Set a comma separated
list of public key accepted algori [...]
"serverHostKeys": { "index": 132, "kind": "parameter", "displayName":
"Server Host Keys", "group": "security", "label": "security", "required":
false, "type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Set the list of
algorithms supported for the server host key. Some examples include [...]
"serverKeyVerifier": { "index": 133, "kind": "parameter", "displayName":
"Server Key Verifier", "group": "security", "label": "security", "required":
false, "type": "object", "javaType":
"org.apache.sshd.client.keyverifier.ServerKeyVerifier", "deprecated": false,
"autowired": false, "secret": false, "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Custom ServerKeyVerifier
for host key ver [...]
- "strictHostKeyChecking": { "index": 134, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Sets whether to use str
[...]
+ "strictHostKeyChecking": { "index": 134, "kind": "parameter",
"displayName": "Strict Host Key Checking", "group": "security", "label":
"security", "required": false, "type": "enum", "javaType": "java.lang.String",
"enum": [ "no", "yes" ], "deprecated": false, "autowired": false, "secret":
false, "security": "insecure:ssl", "defaultValue": "no", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "descriptio [...]
"username": { "index": 135, "kind": "parameter", "displayName":
"Username", "group": "security", "label": "security", "required": false,
"type": "string", "javaType": "java.lang.String", "deprecated": false,
"autowired": false, "secret": true, "security": "secret", "configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "Username to use for
login" },
"useUserKnownHostsFile": { "index": 136, "kind": "parameter",
"displayName": "Use User Known Hosts File", "group": "security", "label":
"security", "required": false, "type": "boolean", "javaType": "boolean",
"deprecated": false, "autowired": false, "secret": false, "defaultValue": true,
"configurationClass":
"org.apache.camel.component.file.remote.mina.MinaSftpConfiguration",
"configurationField": "configuration", "description": "If knownHostFile has not
been explicit configured the [...]
"shuffle": { "index": 137, "kind": "parameter", "displayName": "Shuffle",
"group": "sort", "label": "consumer,sort", "required": false, "type":
"boolean", "javaType": "boolean", "deprecated": false, "autowired": false,
"secret": false, "defaultValue": false, "description": "To shuffle the list of
files (sort in random order)" },
diff --git
a/core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java
b/core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java
index 11e6c54576f1..f4674f08e611 100644
--- a/core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java
+++ b/core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java
@@ -66,6 +66,7 @@ public final class SecurityUtils {
map.put("ignoresslverification", new SecurityOption(INSECURE_SSL,
"true"));
map.put("objectmessageenabled", new
SecurityOption(INSECURE_SERIALIZATION, "true"));
map.put("sendenabled", new SecurityOption(INSECURE_DEV, "true"));
+ map.put("stricthostkeychecking", new SecurityOption(INSECURE_SSL, ""));
map.put("transferexception", new
SecurityOption(INSECURE_SERIALIZATION, "true"));
map.put("transferexchange", new SecurityOption(INSECURE_SERIALIZATION,
"true"));
map.put("trustallcertificates", new SecurityOption(INSECURE_SSL,
"true"));
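Review bot: The new `stricthostkeychecking` entry passes an empty string as the second argument to `SecurityOption`, whereas every neighbouring entry in this hunk passes "true". For this option the insecure value is "no" according to the metadata in the same commit, so it is not obvious from the call what the empty string means. If it has a defined meaning in `SecurityOption`, please add a short comment on this line explaining it; if not, this looks like it should be "no". A unit test asserting that `strictHostKeyChecking=no` is reported as insecure and `strictHostKeyChecking=yes` is not would settle it.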
diff --git
a/core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
b/core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
index 71d97a1cde8b..1edc41b04643 100644
--- a/core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
+++ b/core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
@@ -63,6 +63,9 @@ public final class SensitiveUtils {
"keypassword",
"keystorePassword",
"keystorepassword",
+ "knownhosts",
+ "knownhostsfile",
+ "knownhostsuri",
"oauthclientid",
"oauthclientsecret",
"oauthtoken",
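Review bot: `knownhostsfile` and `knownhostsuri` are added to the sensitive keys list, but they hold a file path or resource URI, and a known_hosts file contains public host keys rather than credentials. Masking these values in logs and endpoint URIs will make host key verification failures harder to diagnose, because the operator can no longer see which file was consulted. If the motivation is to avoid leaking filesystem layout, please say so in the commit message; otherwise consider keeping only `knownhosts` (the inline byte array) in this list.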
@@ -155,6 +158,9 @@ public final class SensitiveUtils {
+ "|\\Qkeypassword\\E"
+ "|\\QkeystorePassword\\E"
+ "|\\Qkeystorepassword\\E"
+ + "|\\Qknownhosts\\E"
+ + "|\\Qknownhostsfile\\E"
+ + "|\\Qknownhostsuri\\E"
+ "|\\Qoauthclientid\\E"
+
"|\\Qoauthclientsecret\\E"
+ "|\\Qoauthtoken\\E"
diff --git
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/SftpComponentBuilderFactory.java
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/SftpComponentBuilderFactory.java
index f752b3730a65..09d87a3e8c01 100644
---
a/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/SftpComponentBuilderFactory.java
+++
b/dsl/camel-componentdsl/src/generated/java/org/apache/camel/builder/component/dsl/SftpComponentBuilderFactory.java
@@ -162,6 +162,111 @@ public interface SftpComponentBuilderFactory {
doSetProperty("healthCheckProducerEnabled",
healthCheckProducerEnabled);
return this;
}
+
+
+ /**
+ * If knownHostFile does not exist, then attempt to auto-create the
path
+ * and file (beware that the file will be created by the current user
of
+ * the running Java process, which may not have file permission).
+ *
+ * The option is a: <code>boolean</code> type.
+ *
+ * Default: false
+ * Group: security
+ *
+ * @param autoCreateKnownHostsFile the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder autoCreateKnownHostsFile(boolean
autoCreateKnownHostsFile) {
+ doSetProperty("autoCreateKnownHostsFile",
autoCreateKnownHostsFile);
+ return this;
+ }
+
+ /**
+ * Sets the known_hosts from the byte array globally, so that the SFTP
+ * endpoints can do host key verification.
+ *
+ * The option is a: <code>byte[]</code> type.
+ *
+ * Group: security
+ *
+ * @param knownHosts the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder knownHosts(byte[] knownHosts) {
+ doSetProperty("knownHosts", knownHosts);
+ return this;
+ }
+
+ /**
+ * Sets the known_hosts file globally, so that the SFTP endpoints can
do
+ * host key verification.
+ *
+ * The option is a: <code>java.lang.String</code> type.
+ *
+ * Group: security
+ *
+ * @param knownHostsFile the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder knownHostsFile(java.lang.String
knownHostsFile) {
+ doSetProperty("knownHostsFile", knownHostsFile);
+ return this;
+ }
+
+ /**
+ * Sets the known_hosts file (loaded from classpath by default)
+ * globally, so that the SFTP endpoints can do host key verification.
+ *
+ * The option is a: <code>java.lang.String</code> type.
+ *
+ * Group: security
+ *
+ * @param knownHostsUri the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder knownHostsUri(java.lang.String
knownHostsUri) {
+ doSetProperty("knownHostsUri", knownHostsUri);
+ return this;
+ }
+
+
+ /**
+ * Sets whether to use strict host key checking globally for all
+ * endpoints. Setting this to 'no' (the default) disables host key
+ * verification and makes SFTP connections vulnerable to
+ * man-in-the-middle attacks. Use 'yes' in production environments.
+ *
+ * The option is a: <code>java.lang.String</code> type.
+ *
+ * Default: no
+ * Group: security
+ *
+ * @param strictHostKeyChecking the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder strictHostKeyChecking(java.lang.String
strictHostKeyChecking) {
+ doSetProperty("strictHostKeyChecking", strictHostKeyChecking);
+ return this;
+ }
+
+
+ /**
+ * If knownHostFile has not been explicit configured then use the host
+ * file from System.getProperty(user.home)/.ssh/known_hosts.
+ *
+ * The option is a: <code>boolean</code> type.
+ *
+ * Default: true
+ * Group: security
+ *
+ * @param useUserKnownHostsFile the value to set
+ * @return the dsl builder
+ */
+ default SftpComponentBuilder useUserKnownHostsFile(boolean
useUserKnownHostsFile) {
+ doSetProperty("useUserKnownHostsFile", useUserKnownHostsFile);
+ return this;
+ }
}
class SftpComponentBuilderImpl
@@ -182,6 +287,12 @@ public interface SftpComponentBuilderFactory {
case "autowiredEnabled": ((SftpComponent)
component).setAutowiredEnabled((boolean) value); return true;
case "healthCheckConsumerEnabled": ((SftpComponent)
component).setHealthCheckConsumerEnabled((boolean) value); return true;
case "healthCheckProducerEnabled": ((SftpComponent)
component).setHealthCheckProducerEnabled((boolean) value); return true;
+ case "autoCreateKnownHostsFile": ((SftpComponent)
component).setAutoCreateKnownHostsFile((boolean) value); return true;
+ case "knownHosts": ((SftpComponent)
component).setKnownHosts((byte[]) value); return true;
+ case "knownHostsFile": ((SftpComponent)
component).setKnownHostsFile((java.lang.String) value); return true;
+ case "knownHostsUri": ((SftpComponent)
component).setKnownHostsUri((java.lang.String) value); return true;
+ case "strictHostKeyChecking": ((SftpComponent)
component).setStrictHostKeyChecking((java.lang.String) value); return true;
+ case "useUserKnownHostsFile": ((SftpComponent)
component).setUseUserKnownHostsFile((boolean) value); return true;
default: return false;
}
}
diff --git
a/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/MinaSftpEndpointBuilderFactory.java
b/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/MinaSftpEndpointBuilderFactory.java
index ff707ddf475f..2efbd7c50151 100644
---
a/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/MinaSftpEndpointBuilderFactory.java
+++
b/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/MinaSftpEndpointBuilderFactory.java
@@ -2458,7 +2458,10 @@ public interface MinaSftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*
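Review bot: The expanded Javadoc on `strictHostKeyChecking` tells the reader to use 'yes' in production but does not mention that 'yes' needs a source of trusted keys to verify against. Please extend the source description (this file is generated) with a pointer to `knownHostsFile`, `knownHostsUri`, `knownHosts` or `useUserKnownHostsFile`, so that someone reading only the DSL Javadoc knows what else has to be configured. The same text is repeated in the other two hunks of this file and in `SftpEndpointBuilderFactory`, so one change at the source covers all of them.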
@@ -4531,7 +4534,10 @@ public interface MinaSftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*
@@ -6157,7 +6163,10 @@ public interface MinaSftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*
diff --git
a/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/SftpEndpointBuilderFactory.java
b/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/SftpEndpointBuilderFactory.java
index ae934575ffda..ebefacfe2f40 100644
---
a/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/SftpEndpointBuilderFactory.java
+++
b/dsl/camel-endpointdsl/src/generated/java/org/apache/camel/builder/endpoint/dsl/SftpEndpointBuilderFactory.java
@@ -2472,7 +2472,10 @@ public interface SftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*
@@ -4518,7 +4521,10 @@ public interface SftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*
@@ -6117,7 +6123,10 @@ public interface SftpEndpointBuilderFactory {
return this;
}
/**
- * Sets whether to use strict host key checking.
+ * Sets whether to use strict host key checking. Setting this to 'no'
+ * (the default) disables host key verification and makes SFTP
+ * connections vulnerable to man-in-the-middle attacks. Use 'yes' in
+ * production environments.
*
* The option is a: <code>java.lang.String</code> type.
*