feat: strict scheme enforcement — strip Authorization: Basic on auth failure (#4650)#4743
feat: strict scheme enforcement — strip Authorization: Basic on auth failure (#4650)#4743balhar-jakub wants to merge 4 commits into
Conversation
GH#4650 — Step 4a: Core enforcement for strict scheme enforcement. - Add @value injection for apiml.security.strictSchemeEnforcement (default false) - Add overloaded cleanHeadersOnAuthFail(exchange, errorMessage, serviceId) with Basic Authorization stripping when strictSchemeEnforcement is enabled - Store serviceId as exchange attribute in createGatewayFilter for access by callers - Update PassticketFilterFactory, AbstractTokenFilterFactory to pass serviceId - Update RoutingConfigurationErrorFilterFactory to pass null (no serviceId) - Guard against null scheme and BYPASS scheme (never strip for bypass) - Case-insensitive Basic prefix matching using regionMatches Covered schemes: httpBasicPassTicket, zoweJwt, zosmf, safIdt
…auth failure Add @value injection for apiml.security.strictSchemeEnforcement in X509FilterFactory. Modify updateHeadersForError() to strip Authorization: Basic header when strict enforcement is enabled, matching the pattern already established in AbstractAuthSchemeFactory. Part of #4650 - Step 4b: X509 filter factory adaptation.
Architect Review — #4650 Strict Scheme EnforcementBuild verification
Design compliance ✓The implementation follows the PM's acceptance criteria and the architect's design spec. Core logic is in Structural reviewStrengths:
Minor observations (non-blocking):
Verdict: APPROVED with minor notes. The implementation is clean, well-guarded, and correctly scoped. The duplication and logging disparity are minor polish items — no architectural concerns. Post-merge follow-up
|
Architect Review — #4650 Strict Scheme EnforcementBuild verification
Design complianceThe implementation follows the PM's acceptance criteria and the architect's design spec. Core logic is in Structural reviewStrengths:
Minor observations (non-blocking):
Verdict: APPROVED with minor notes. The implementation is clean, well-guarded, and correctly scoped. The duplication and logging disparity are minor polish items — no architectural concerns. Post-merge follow-up
|
- Add apiml.security.strictSchemeEnforcement: false to application.yml - Create AbstractAuthSchemeFactoryTest with 8 test cases covering: strict enforcement, BYPASS scheme, Bearer preservation, case-insensitive Basic matching, null scheme, serviceId overload - Add 2 strict enforcement tests to X509FilterFactoryTest All 16 tests pass (8 AbstractAuthSchemeFactory + 8 X509FilterFactory)
|
QA Review — PR #4743 (Strict Scheme Enforcement #4650)Verdict: PASSED ✅ All 8 acceptance criteria verified. All Pavel's Lens rules checked. Tests pass. No blocking issues found. Test Results
Acceptance Criteria Verification
Pavel's Lens — All 8 Rules
Minor Notes (non-blocking)
Files Reviewed
|
Security Review — PR #4743 (Strict Scheme Enforcement #4650)Verdict: APPROVED ✅ No CRITICAL, HIGH, or MEDIUM findings. The implementation is security-sound and correctly scoped. Pavel's Lens — All 8 Rules
Security Review — 6 Categories
Threat Model AnalysisWhat the feature prevents: A client sends Attack surface reduced: Removes the "shadow authentication" vector where raw mainframe credentials could reach a backend service that should only receive transformed credentials (PassTicket, JWT, etc.). What the feature does NOT do:
CI StatusAll required checks pass:
Minor Notes (non-blocking, already flagged by QA)
Files Reviewed
All gates passed: Architect ✓, QA ✓, Security ✓ |



Closes #4650
Summary
Implements strict scheme enforcement for the API Gateway. When enabled via
apiml.security.strictSchemeEnforcement=true, anyAuthorization: Basicheader is stripped upon authentication failure for non-BYPASS schemes. This prevents credential confusion attacks where a Basic auth header could bypass stricter scheme enforcement.Changes
Authorization: Basicheaders on auth failure for httpBasicPassTicket, zoweJwt, zosmf, safIdt schemesBehavior
apiml.security.strictSchemeEnforcement=false(no change)Authorization: Basic— does NOT affect other Authorization schemes (Bearer, etc.)Architectural review to follow.