[ 
https://issues.apache.org/jira/browse/CAMEL-23812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Claus Ibsen updated CAMEL-23812:
--------------------------------
    Fix Version/s: 4.21.0

> camel-milo - Add support for explicit username and password parameters in 
> Milo client to safely handle credentials with special characters
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-23812
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23812
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-milo
>            Reporter: Robin Mattes
>            Priority: Major
>             Fix For: 4.21.0
>
>
> *Problem*:
> The Camel Milo client component previously embedded authentication 
> credentials directly in the endpoint URI using the format user:password@host. 
> To prevent Milo from receiving credentials (which it doesn't handle), the 
> component used string manipulation with `discoveryUri.replaceFirst(user + 
> "@", "")` to strip credentials from the URL before connection. This caused 
> issues because the `replaceFirst()` function uses regex patterns that fail 
> with regex special characters like "$.*", and passwords containing characters 
> like "%" cause issues with `java.net.URLDecoder.decode()` due to 
> percent-encoding in URLs.
> This approach has limitations: it fails when credentials contain special 
> characters commonly found in auto-generated passwords, such as:
> - @ (breaks URI parsing)
> - ?, & (URI query parameter delimiters)
> - /, # (URI structure delimiters)
> - $, % (encoding/variable expansion)
> For example, a password like pass@$?&/#% would cause the discovery URI 
> reconstruction to fail or produce incorrect results.
> *Solution*:
> Introduce explicit endpoint parameters for username and password that bypass 
> URI embedding entirely, eliminating the string manipulation and supporting 
> almost any character in credentials. (% is still invalid, except if you use 
> the URL-encoding %25)
> The old way of embedding credentials in the URI still works, but using the 
> explicit username and password parameters is preferred as it will be checked 
> first in the code.
> Example: 
> https://...&username=RAW(my?user@name)&password=RAW(p@ss/w&rd)
> This is my first contribution so I'm more than happy to make required changes 
> to my code if needed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
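
The two failure modes described in the issue above, as an added Java example (not code from Camel or from the reporter's patch). The helper names, host and credentials are constructed for illustration, and the `Pattern.quote()` variant is shown only for contrast, not as the fix the issue adopts.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.function.Supplier;
import java.util.regex.Pattern;

public class CredentialStripDemo {
    // Stripping as described in the issue: the credentials are compiled as a regex.
    static String stripAsRegex(String uri, String userInfo) {
        return uri.replaceFirst(userInfo + "@", "");
    }

    // Literal alternative (an assumption, not the project's fix): quote the text first.
    static String stripLiteral(String uri, String userInfo) {
        return uri.replaceFirst(Pattern.quote(userInfo + "@"), "");
    }

    // Runs a step and reports an unchecked exception instead of aborting the demo.
    static String attempt(Supplier<String> step) {
        try {
            return step.get();
        } catch (RuntimeException e) {
            return "<" + e.getClass().getSimpleName() + ">";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; host and credentials are placeholders.
        String host = "opc.example.invalid:4840";
        String[] userInfos = {"user:secret", "user:pa$s", "user:pa?s", "user:p(ss"};
        for (String ui : userInfos) {
            String uri = "opc.tcp://" + ui + "@" + host;
            System.out.println(ui);
            System.out.println("  regex:   " + attempt(() -> stripAsRegex(uri, ui)));
            System.out.println("  literal: " + attempt(() -> stripLiteral(uri, ui)));
        }
        // Percent signs: URLDecoder treats "%" as the start of a two-digit hex escape.
        for (String pw : new String[] {"p%25ss", "p%ss", "100%"}) {
            System.out.println(pw + " -> "
                + attempt(() -> URLDecoder.decode(pw, StandardCharsets.UTF_8)));
        }
    }
}
```

In the regex rows, the `$` and `?` passwords produce no match, so the URI comes back unchanged with the credentials still embedded, while `(` fails pattern compilation outright. Only `p%25ss` decodes; the other two percent cases are rejected by `URLDecoder`.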
