Minor Description
When setting up an AS2Cosumer (server) security is important. Thus in mind AS2 should use encryption and signing to verify the incoming data before processing it (or supplying the message for further processing). That assures that the originator of the data is a trusted party.
Camel AS2 consumer accepts encrypted and signed data and at least decryption is working.
Problem
The problem is that the consumer also accepts unencrypted data. So even if I only want to receive encrpyted data from a trusted party, some third party disguised as the trused party, could send a malicious unencrypted payload and the server would just accept and process it.
For example sending plain data with the content type "application/edifact" is always accepted.
Possible solution
The consumer should be configurable what content type is allowed. Also the already existing producer-parameter "as2MessageStructure" may be used for that purpose.
Attachments
Issue Links
- links to