[GitHub] [cxf] AnilKumarHurkadli commented on a change in pull request #869: [CXF-8535] Query missing from signature request-target AND also to add digest only if request has body

Wed, 03 Nov 2021 17:15:04 -0700 


AnilKumarHurkadli commented on a change in pull request #869:
URL: https://github.com/apache/cxf/pull/869#discussion_r741761772



##########
File path: 
rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java
##########
@@ -119,11 +118,23 @@ public void verifyMessage(Map<String, List<String>> 
messageHeaders, String metho
 
         // Add the default required headers
         boolean requestor = MessageUtils.isRequestor(m);
+        byte[] payload = null;
         if (addDefaultRequiredHeaders) {
             if (!(requestor || 
signedHeaders.contains(HTTPSignatureConstants.REQUEST_TARGET))) {
                 signedHeaders.add(HTTPSignatureConstants.REQUEST_TARGET);
             }
-            if (!signedHeaders.contains("digest")) {
+
+            InputStream is = m.getContent(InputStream.class);

Review comment:
       @reta Suggested change has been incorporated

##########
File path: 
rt/rs/security/http-signature/src/test/java/org/apache/cxf/rs/security/httpsignature/MessageVerifierTest.java
##########
@@ -51,6 +51,7 @@
     private static final String METHOD = "GET";
     private static final String URI = "/test/signature";
     private static final String KEY_PAIR_GENERATOR_ALGORITHM = "RSA";
+    private static final String MESSAGE_BODY = "Hello";

Review comment:
       @reta Sure will add the test case for which 
InvalidDataToVerifySignatureException will not be thrown if the body is null 
and passes fine. The issue was encountered specifically while testing DELETE 
method which "usually" do not have body and "Digest" header gets added by 
default in the required headers and is NOT removed as it was not satisfying 
below condition
   
   if ((requestor && (status < 200 || status >= 300 || status == 204))
               || (!requestor && ("GET".equalsIgnoreCase(method) || 
"HEAD".equalsIgnoreCase(method)))) {
               signedHeaders.remove("digest");
           }
   
   And was throwing InvalidDataToVerifySignatureException with message "Not all 
of the required headers are signed" 




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to