Also - should there be a PrivateKeyProvider:
    PrivateKey getKey(String keyId);

similar to the public key provider? So that any signing mechanisms use this
interface to resolve the key to use for signing?


On Fri, 29 Mar 2019 at 11:55, David Karlsen <[email protected]> wrote:

> Hi @coheigea - I noticed you are cleaning a bit in the http signature
> stuff lately.
>
> There are a few things I'm wondering about.
>
>
> https://github.com/apache/cxf/tree/master/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/filters
> There is no ClientRequestInterceptor to do the digest, which is crucial to
> the security protocol:
> https://tools.ietf.org/html/draft-cavage-http-signatures-10
>
> Maybe that should be added as a WriterInterceptor (e.g. quite late in the
> chain) - as one of the required headers is the Date header?
>
> Also - should digest + sign maybe be in one filter - as they go together
> to implement the spec?
>
> Can the interceptors and filters be made non-final? This allows extending
> them and adding additional logic - for instance I'm planning on creating a
> custom annotation @IgnoreSignature to place on certain public resources -
> so that this can be introspected in a filter with ResourceInfo in order to
> determine whether signature-checking should be skipped or not - of course this
> can be implemented as a delegate pattern - but if they are non-final it
> would be easier.
>
> Likewise the server-side digest check and signature check - these happen
> at different phases - could they not be bundled into one filter, as the same
> applies here?
>
> WDYT?
>
> --
> --
> David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
>


-- 
--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
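As an added illustration of the two points raised in this thread (digest and signature produced together once the body is final, and a key-resolver interface that signing code calls by keyId), here is a plain-JDK sketch that is not CXF code and not part of the original messages. The `PrivateKeyProvider` and `PublicKeyProvider` interfaces are hypothetical, modelled on the proposal above; the header construction follows draft-cavage-http-signatures (signing string of `name: value` lines, `Digest` per RFC 3230). In a JAX-RS client this logic would live in a late WriterInterceptor, as suggested, because the Digest can only be computed after the entity has been serialized.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.*;

/** Hypothetical signing-key resolver, mirroring the PrivateKeyProvider proposed in the thread. */
interface PrivateKeyProvider {
    PrivateKey getKey(String keyId);
}

/** Hypothetical verification-side counterpart (assumed name, not CXF's). */
interface PublicKeyProvider {
    PublicKey getKey(String keyId);
}

public final class HttpSignatureExample {
    private static final String ALGORITHM = "rsa-sha256";
    private static final List<String> SIGNED_HEADERS = List.of("(request-target)", "date", "digest");

    /** RFC 3230 Digest header value over the final entity body. */
    static String digestHeader(byte[] body) throws NoSuchAlgorithmException {
        byte[] sha = MessageDigest.getInstance("SHA-256").digest(body);
        return "SHA-256=" + Base64.getEncoder().encodeToString(sha);
    }

    /** draft-cavage signing string: one "name: value" line per header in the covered list. */
    static String signingString(String method, String path, Map<String, String> headers) {
        StringJoiner sj = new StringJoiner("\n");
        for (String h : SIGNED_HEADERS) {
            String value = h.equals("(request-target)")
                    ? method.toLowerCase(Locale.ROOT) + " " + path
                    : headers.get(h);
            if (value == null) throw new IllegalStateException("header required for signing is missing: " + h);
            sj.add(h + ": " + value.trim());
        }
        return sj.toString();
    }

    /** Client side: Date, Digest and Signature are emitted together, after the body is known. */
    static Map<String, String> signRequest(String method, String path, byte[] body,
                                           String keyId, PrivateKeyProvider keys) throws GeneralSecurityException {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("date", DateTimeFormatter.RFC_1123_DATE_TIME.format(ZonedDateTime.now(ZoneOffset.UTC)));
        headers.put("digest", digestHeader(body));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(keys.getKey(keyId));   // the provider decides which key backs this keyId
        sig.update(signingString(method, path, headers).getBytes(StandardCharsets.US_ASCII));
        String b64 = Base64.getEncoder().encodeToString(sig.sign());
        headers.put("signature", String.format(
                "keyId=\"%s\",algorithm=\"%s\",headers=\"%s\",signature=\"%s\"",
                keyId, ALGORITHM, String.join(" ", SIGNED_HEADERS), b64));
        return headers;
    }

    /** Server side: recompute the Digest over the received body, then verify the Signature. */
    static boolean verifyRequest(String method, String path, byte[] body,
                                 Map<String, String> headers, PublicKeyProvider keys) throws GeneralSecurityException {
        if (!digestHeader(body).equals(headers.get("digest"))) return false;
        Map<String, String> params = new HashMap<>();
        for (String part : headers.get("signature").split(",")) {   // base64 and keyId carry no commas here
            int eq = part.indexOf('=');
            params.put(part.substring(0, eq), part.substring(eq + 1).replace("\"", ""));
        }
        if (!ALGORITHM.equals(params.get("algorithm"))
                || !String.join(" ", SIGNED_HEADERS).equals(params.get("headers"))) return false;
        PublicKey pk = keys.getKey(params.get("keyId"));
        if (pk == null) return false;   // unknown keyId: reject rather than throw
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pk);
        sig.update(signingString(method, path, headers).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getDecoder().decode(params.get("signature")));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and request for the demo; a real provider would look keys up by keyId.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        PrivateKeyProvider priv = id -> "client-key-1".equals(id) ? kp.getPrivate() : null;
        PublicKeyProvider pub = id -> "client-key-1".equals(id) ? kp.getPublic() : null;

        byte[] body = "{\"order\":42}".getBytes(StandardCharsets.UTF_8);
        Map<String, String> headers = signRequest("POST", "/api/orders", body, "client-key-1", priv);
        System.out.println("Digest: " + headers.get("digest"));
        System.out.println("Signature: " + headers.get("signature"));
        System.out.println("verifies: " + verifyRequest("POST", "/api/orders", body, headers, pub));

        byte[] tampered = "{\"order\":43}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body verifies: " + verifyRequest("POST", "/api/orders", tampered, headers, pub));
    }
}
```

The server-side order matters: the Digest is checked against the body first, and only then is the Signature (which covers the Digest header) verified, so a body swap fails on the cheap check and a header swap fails on the signature. Splitting these two checks across different filter phases, as the thread notes, makes it easier to accidentally accept a request where one of them was skipped.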
