CAMEL-23592: camel-itest - update ShiroOverJmsTest for renamed Shiro security headers

[oscerd]

Motivation

CAMEL-23592 (#23506) renamed three ShiroSecurityConstants header values from
non-Camel-prefixed (SHIRO_SECURITY_TOKEN, SHIRO_SECURITY_USERNAME,
SHIRO_SECURITY_PASSWORD) into the canonical Camel prefix
(CamelShiroSecurityToken etc.). The intent — quoting the upgrade-guide entry — is
that "these headers carry credentials and a serialized authentication token, so
filtering them at transport boundaries by default is particularly important."

The default JmsHeaderFilterStrategy (and similarly for CXF/HTTP) filters every
Camel* header (case-insensitive) on both inbound and outbound. So with the rename,
a trusted Shiro-over-JMS route that was passing the serialized token through JMS
suddenly loses that token at the JMS producer, the consumer-side ShiroSecurityPolicy
sees no token, throws an authentication failure exception, and the message lands on
the dead-letter mock.

ShiroOverJmsTest in camel-itest is exactly this pattern and started failing on
the 4.18.x backport PR (#23552):

mock://ShiroOverJmsTestError Received message count. Expected: <0> but was: <1>

The same regression is latent on main: CAMEL-23592 merged earlier today
(commit aeb5fd9d) and the post-merge
main CI run reported
success, but its incremental-build only ran tests for camel-shiro itself — camel-itest
was built but its tests were not executed. Anyone running
mvn -pl tests/camel-itest test -Dtest=ShiroOverJmsTest on main will reproduce
the same failure.

What this changes

This PR keeps the rename (the underlying security improvement) but updates the
integration test, and documents the new opt-in pattern users need to apply.

ShiroOverJmsTest

Adds a small subclass of JmsHeaderFilterStrategy (private to the test) that opts
the three Shiro security headers back through the transport boundary while leaving
every other Camel*-prefixed filter rule untouched:

private static final class ShiroFriendlyJmsHeaderFilterStrategy extends JmsHeaderFilterStrategy {
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        if (isShiroSecurityHeader(headerName)) {
            return false; // allow through
        }
        return super.applyFilterToCamelHeaders(headerName, headerValue, exchange);
    }
    // applyFilterToExternalHeaders mirrors the same logic
    // isShiroSecurityHeader does a case-insensitive equals against the three constants
}
amq.setHeaderFilterStrategy(new ShiroFriendlyJmsHeaderFilterStrategy());

This demonstrates the exact configuration end-users need to keep Shiro-over-JMS
routes working post-CAMEL-23592.

4.21 upgrade guide

Extends the existing === camel-shiro - potential breaking change entry with the
new HeaderFilterStrategy opt-in pattern and a worked code example. Points to
ShiroOverJmsTest as a worked example.

Compatibility

• Test only: no production code change.
• Doc only: extends an existing upgrade-guide section, no schema/catalog
  regen needed.
• No security regression: the new pattern is opt-in and scoped to three
  specific named headers — the default filter still blocks every other Camel*
  header at the JMS boundary.

Test plan

• mvn -pl tests/camel-itest test -Dtest=ShiroOverJmsTest passes locally
  (was failing on the 4.18.x backport without this change).
• Full reactor build from root succeeds: mvn clean install -DskipTests.
• No regen artifacts touched (verified via git status post-build).

Follow-on

Once merged on main, the same fix needs to be cherry-picked into the
in-flight backport PRs:

• #23552 — backport of CAMEL-23592
  to camel-4.18.x (currently red on this exact test).
• A future backport to camel-4.14.x (when CAMEL-23592 is backported there).

Related

• JIRA: https://issues.apache.org/jira/browse/CAMEL-23592
• Underlying rename PR (already merged): CAMEL-23592: camel-shiro - align Exchange header constant names with Camel naming convention #23506
• 4.18.x backport (red on this test): [backport camel-4.18.x] CAMEL-23592: camel-shiro - align Exchange header constant names with Camel naming convention #23552

---

Claude Code on behalf of Andrea Cosentino

[github-actions]

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

• First-time contributors require MANUAL approval for the GitHub Actions to run
• You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
• You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
• Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

[github-actions]

🧪 CI tested the following changed modules:

• docs
• tests/camel-itest

---

⚙️ View full build and test results

[apupier]

merging as it is fixing main branch