dennis lucero created CAMEL-18962:
-------------------------------------

             Summary: AS2Consumer accepts all content-types
                 Key: CAMEL-18962
                 URL: https://issues.apache.org/jira/browse/CAMEL-18962
             Project: Camel
          Issue Type: Bug
          Components: camel-as2
            Reporter: dennis lucero


When setting up an AS2Consumer (server), security is important. With this in 
mind, AS2 should use encryption and signing to verify the incoming data before 
processing it (or supplying the message for further processing). That assures 
that the originator of the data is a trusted party.

Camel AS2 consumer accepts encrypted and signed data and at least decryption is 
working.

*Problem*

The problem is that the consumer also accepts unencrypted data. So even if I 
only want to receive encrypted data from a trusted party, some third party 
disguised as the trusted party could send a malicious unencrypted payload and 
the server would just accept and process it.

For example, sending plain data with the content type "application/edifact" is 
always accepted.

*Possible solution*

It should be configurable in the consumer which content type is allowed. Also, 
the already existing producer parameter "as2MessageStructure" may be used for 
that purpose.

 



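One way the consumer-side restriction proposed in this issue could look, as an added example that is not Camel's code and not part of the original report. `RequiredStructure`, `isAccepted` and the class name are hypothetical, and the sample headers are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class As2InboundContentTypePolicy {
    // Hypothetical enum for this example: the structure the receiving endpoint insists on.
    enum RequiredStructure { PLAIN, SIGNED, ENCRYPTED }

    // Outer MIME media types that correspond to each structure.
    private static final Map<RequiredStructure, Set<String>> ALLOWED = Map.of(
        RequiredStructure.PLAIN, Set.of("application/edifact", "application/edi-x12"),
        RequiredStructure.SIGNED, Set.of("multipart/signed"),
        RequiredStructure.ENCRYPTED, Set.of("application/pkcs7-mime"));

    /** True only if the outer Content-Type matches the structure the endpoint requires. */
    static boolean isAccepted(String contentTypeHeader, RequiredStructure required) {
        if (contentTypeHeader == null) return false;
        String lower = contentTypeHeader.toLowerCase(Locale.ROOT);
        String mediaType = lower.split(";", 2)[0].trim();
        if (!ALLOWED.get(required).contains(mediaType)) return false;
        // application/pkcs7-mime also carries compressed-data and signed-data,
        // so an ENCRYPTED policy must additionally require enveloped-data.
        if (required == RequiredStructure.ENCRYPTED) {
            return smimeType(lower).equals("enveloped-data");
        }
        return true;
    }

    // Extracts the smime-type parameter from an already lower-cased header value.
    private static String smimeType(String lowerHeader) {
        for (String param : lowerHeader.split(";")) {
            String[] kv = param.trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().equals("smime-type")) {
                return kv[1].trim().replace("\"", "");
            }
        }
        return "";
    }

    public static void main(String[] args) {
        // Constructed sample headers. This checks the outer envelope only; the
        // signature must still be verified against the trusted partner's certificate.
        RequiredStructure policy = RequiredStructure.ENCRYPTED;
        System.out.println(isAccepted("application/edifact", policy));   // false
        System.out.println(isAccepted(
            "application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m", policy)); // true
        System.out.println(isAccepted(
            "application/pkcs7-mime; smime-type=compressed-data", policy)); // false
    }
}
```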