
CAMEL-23250: Add Spring Boot auto-configuration for security policy properties#1766

Merged
davsclaus merged 2 commits into main from swift-school on Apr 27, 2026

Conversation

@gnodet
Contributor

@gnodet gnodet commented Apr 25, 2026

Summary

  • Add CamelSecurityPolicyConfigurationProperties to expose camel.security.* properties via Spring Boot's @ConfigurationProperties
  • Add CamelSecurityPolicyAutoConfiguration that scans all camel.* properties from the Spring Environment for security violations (insecure SSL, plain-text secrets, unsafe deserialization, dev features) and enforces the configured policy (allow/warn/fail)
  • Stores SecurityPolicyResult as a CamelContext plugin for health check integration

Properties exposed

camel.security.policy=warn                            # global: allow | warn | fail
camel.security.secret-policy=                         # override for plain-text secrets
camel.security.insecure-ssl-policy=                   # override for SSL/TLS
camel.security.insecure-serialization-policy=          # override for deserialization
camel.security.insecure-dev-policy=                   # override for dev features
camel.security.allowed-properties=                    # comma-separated exclusions

Test plan

  • noSecurityPropertiesShouldStartNormally — context starts without security config
  • policyAllowShouldIgnoreInsecureConfig — allow policy suppresses violations
  • policyWarnShouldStartWithViolations — warn policy logs but allows startup
  • policyFailShouldPreventStartup — fail policy throws and blocks startup
  • categoryOverrideShouldTakePrecedence — per-category override (e.g., SSL=allow) overrides global fail
  • categoryOverrideWarnWhileGlobalFail — per-category warn while global is fail
  • allowedPropertiesShouldExcludeFromChecks — exclusion list works
  • multipleViolationsDetected — multiple violations reported
  • insecureDevPolicyOverride — dev category override
  • insecureSerializationPolicyOverride — serialization category override
  • Full module test suite: 118 tests pass, 0 failures

🤖 Generated with Claude Code

Claude Code on behalf of Guillaume Nodet

…roperties

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
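As an added illustration of the precedence the test plan describes (not the PR's own auto-configuration code, which is not shown on this page): a per-category `camel.security.<category>-policy` override beats the global `camel.security.policy`, keys listed in `camel.security.allowed-properties` are skipped, and a violation that resolves to `fail` blocks startup while `warn` only reports it. The detection heuristics, class name and the `camel.component.*` keys in the sample are constructed placeholders, not the actual scanner's rules.

```java
import java.util.*;
import java.util.function.BiPredicate;

public final class SecurityPolicyCheckDemo {   // illustrative resolver, not the Camel auto-configuration
    enum Policy { ALLOW, WARN, FAIL }

    // Constructed detection heuristics for the four categories the PR names; the real rules are not on the page.
    private static final Map<String, BiPredicate<String, String>> RULES = new LinkedHashMap<>();
    static {
        RULES.put("insecure-ssl", (k, v) -> k.contains("trust-all") && v.equals("true"));
        RULES.put("secret", (k, v) -> (k.endsWith("password") || k.endsWith("secret")) && !v.startsWith("{{") && !v.startsWith("${"));
        RULES.put("insecure-serialization", (k, v) -> k.contains("java-serialized") && v.equals("true"));
        RULES.put("insecure-dev", (k, v) -> k.contains("dev-console") && v.equals("true"));
    }

    /** camel.security.<category>-policy, when set, takes precedence over camel.security.policy (default warn). */
    static Policy effectivePolicy(Map<String, String> props, String category) {
        String override = props.get("camel.security." + category + "-policy");
        String global = props.getOrDefault("camel.security.policy", "warn");
        String chosen = (override == null || override.isBlank()) ? global : override;
        return Policy.valueOf(chosen.trim().toUpperCase(Locale.ROOT));
    }

    /** Returns the violations to log (warn); throws if any resolves to fail; allow and excluded keys are skipped. */
    static List<String> enforce(Map<String, String> props) {
        Set<String> allowed = new HashSet<>(Arrays.asList(
                props.getOrDefault("camel.security.allowed-properties", "").trim().split("\\s*,\\s*")));
        List<String> warnings = new ArrayList<>(), failures = new ArrayList<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String key = e.getKey();
            if (!key.startsWith("camel.") || key.startsWith("camel.security.") || allowed.contains(key)) continue;
            for (Map.Entry<String, BiPredicate<String, String>> rule : RULES.entrySet()) {
                if (!rule.getValue().test(key, e.getValue())) continue;
                Policy policy = effectivePolicy(props, rule.getKey());
                if (policy == Policy.FAIL) failures.add(rule.getKey() + ": " + key);
                else if (policy == Policy.WARN) warnings.add(rule.getKey() + ": " + key);
            }
        }
        if (!failures.isEmpty()) throw new IllegalStateException("security policy violations: " + failures);
        return warnings;
    }

    public static void main(String[] args) {                // all keys and values below are constructed samples
        Map<String, String> props = new LinkedHashMap<>();
        props.put("camel.security.policy", "fail");
        props.put("camel.security.insecure-ssl-policy", "allow");       // category override beats global fail
        props.put("camel.security.allowed-properties", "camel.component.foo.password");
        props.put("camel.component.http.trust-all", "true");             // suppressed by the ssl override
        props.put("camel.component.foo.password", "plaintext-sample");   // skipped via allowed-properties
        System.out.println("warnings: " + enforce(props));               // both violations suppressed
        props.put("camel.component.bar.password", "plaintext-sample");   // not excluded, resolves to fail
        try { enforce(props); } catch (IllegalStateException ex) { System.out.println(ex.getMessage()); }
    }
}
```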
@Croway
Contributor

Croway commented Apr 26, 2026

@gnodet the camel-core security.adoc (on the CAMEL-23250-security-policy-enforcement branch) mentions that "Spring Boot and Quarkus have their own profile mechanisms and are not affected" by the profile-aware defaults. Would it be possible to add a short note — either in the core docs or as Spring Boot-specific documentation — showing how users achieve the same per-environment behavior using Spring profiles, for example:

  # application-prod.properties
  camel.security.policy=fail

  # application-dev.properties
  camel.security.policy=allow

This would help Spring Boot users who read the camel.main.profile = prod auto-default section and wonder how to do the same thing in their stack.

Add a Security Policy section to spring-boot.adoc covering available
camel.security.* properties, category overrides, allowed-properties
exclusion, and per-environment policies via Spring profiles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gnodet
Contributor Author

gnodet commented Apr 26, 2026

Claude Code on behalf of Guillaume Nodet

Added a Security Policy section to spring-boot.adoc covering:

  • Available camel.security.* properties and their defaults
  • Category-level overrides (insecure-ssl-policy, insecure-serialization-policy, etc.)
  • The allowed-properties exclusion mechanism
  • Per-environment policies via Spring profiles — shows application-prod.properties with camel.security.policy=fail and application-dev.properties with camel.security.policy=allow

Also applied the project formatter to the new source files.

@davsclaus
Contributor

LGTM

@davsclaus davsclaus merged commit 4570069 into main Apr 27, 2026
5 checks passed
@davsclaus davsclaus deleted the swift-school branch April 27, 2026 12:00