ammachado opened a new pull request, #23652: URL: https://github.com/apache/camel/pull/23652
# Description

Centralises Camel-internal header filtering in `DefaultHeaderFilterStrategy` so every component gets secure defaults without having to call `setInFilterStartsWith`/`setOutFilterStartsWith` explicitly.

**Commit 1 — core change**

- `DefaultHeaderFilterStrategy` now initialises `inFilterStartsWith` and `outFilterStartsWith` to `CAMEL_FILTER_STARTS_WITH` by default (previously `null`).
- `CAMEL_FILTER_STARTS_WITH` extended to `["Camel", "camel", "org.apache.camel"]` (was `["Camel", "camel"]`).
- All component-specific strategies that duplicated this setup have had the now-redundant calls removed.
- `ClassicJmsHeaderFilterStrategy` explicitly opts out via `setInFilterStartsWith((String[]) null)` to preserve legacy Camel-header-passthrough behaviour.
- Upgrade guide updated (`camel-4x-upgrade-guide-4_21.adoc`).

**Commit 2 — review findings and cleanup**

Fixes eight issues identified in code review:

- **Mutable shared array**: field initialisers now use `.clone()` so each instance owns its array; mutating the public `CAMEL_FILTER_STARTS_WITH` constant no longer corrupts all instances.
- **`org.apache.camel` prefix without trailing dot was not blocked**: changed the constant from `"org.apache.camel."` to `"org.apache.camel"` so the bare prefix and all sub-keys are caught.
- **Deprecated `CAMEL_FILTER_PATTERN` fast-path was stale**: updated the regex and the `tryPattern` optimisation to cover the `org.apache.camel` namespace consistently.
- **Redundant `setLowerCase(true)` calls**: removed from `camel-http-base` and `camel-http-common` HTTP strategies; `lowerCase=true` is already the field-initialiser default.
- **`HttpBridgeMultipartRouteTest` inner strategy**: removed the now-redundant `setLowerCase(true)` and `setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH)` calls.
- **`ClassicJmsHeaderFilterStrategy` null opt-out untested**: added `ClassicJmsHeaderFilterStrategyTest` directly asserting that Camel headers pass through in both directions.
- **Upgrade guide scope too narrow**: updated to cover subclass authors (not just direct instantiators); added pointer to `ClassicJmsHeaderFilterStrategy` as a worked opt-out example.
- **Six no-op subclasses removed**: `CoAPHeaderFilterStrategy`, `CometdHeaderFilterStrategy`, `IggyHeaderFilterStrategy`, `NatsHeaderFilterStrategy`, `VertxWebsocketHeaderFilterStrategy`, and `XmppHeaderFilterStrategy` each contained only `setLowerCase(true)`, which is now the default. All six classes and their test files have been deleted; callers instantiate `DefaultHeaderFilterStrategy` directly.

# Target

- [x] I checked that the commit is targeting the correct branch (Camel 4 uses the `main` branch)

# Tracking

- [x] If this is a large change, bug fix, or code improvement, I checked there is a [JIRA issue](https://issues.apache.org/jira/browse/CAMEL-23543) filed for the change (usually before you start working on it).

# Apache Camel coding standards and style

- [x] I checked that each commit in the pull request has a meaningful subject line and body.
- [ ] I have run `mvn clean install -DskipTests` locally from root folder and I have committed all auto-generated changes.

_Claude Code on behalf of Adriano Machado_
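
The three behaviours the description names (trailing-dot prefix gap, shared-array aliasing, and the `null` opt-out) can be seen in a small stand-alone model. This is an added example, not code from the pull request or from Camel: `PrefixFilterDemo`, `PrefixFilter` and the header names are hypothetical, and the matching is a plain case-sensitive `startsWith` rather than Camel's full filter logic.

```java
public class PrefixFilterDemo {
    // Public array constant: the reference is final, the elements are not.
    static final String[] CAMEL_FILTER_STARTS_WITH = {"Camel", "camel", "org.apache.camel"};

    /** Hypothetical stand-in for a starts-with header filter; not Camel's class. */
    static final class PrefixFilter {
        private final String[] prefixes;

        PrefixFilter(String[] prefixes, boolean copy) {
            // copy=true mirrors the .clone() fix: the instance owns its array.
            this.prefixes = (prefixes != null && copy) ? prefixes.clone() : prefixes;
        }

        /** Returns true when the header must be dropped. */
        boolean filtered(String name) {
            if (prefixes == null) {
                return false; // null means no prefix filtering (explicit opt-out)
            }
            for (String p : prefixes) {
                if (name.startsWith(p)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // 1. Trailing dot: the bare namespace key slips past "org.apache.camel.".
        PrefixFilter dotted = new PrefixFilter(new String[] {"org.apache.camel."}, true);
        PrefixFilter bare = new PrefixFilter(new String[] {"org.apache.camel"}, true);
        for (String h : new String[] {"org.apache.camel", "org.apache.camel.example"}) { // constructed names
            System.out.printf("%-26s dotted=%b bare=%b%n", h, dotted.filtered(h), bare.filtered(h));
        }

        // 2. Shared array: a later write to the constant changes the aliasing filter.
        PrefixFilter aliased = new PrefixFilter(CAMEL_FILTER_STARTS_WITH, false);
        PrefixFilter owned = new PrefixFilter(CAMEL_FILTER_STARTS_WITH, true);
        CAMEL_FILTER_STARTS_WITH[0] = "X-Overwritten"; // simulated accidental mutation
        System.out.printf("CamelExample aliased=%b owned=%b%n",
                aliased.filtered("CamelExample"), owned.filtered("CamelExample"));

        // 3. Null opt-out: nothing is filtered by prefix.
        PrefixFilter optOut = new PrefixFilter(null, true);
        System.out.printf("CamelExample optOut=%b%n", optOut.filtered("CamelExample"));
    }
}
```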
