AnilKumarHurkadli commented on pull request #869:
URL: https://github.com/apache/cxf/pull/869#issuecomment-978168200


   > The changes look fine to me, but it is causing a test failure in systests/rs-security (JAXRSHTTPSignatureTest). Can you take a look?
   @coheigea, for the particular test case below, which is failing: if the digest is not available in the header, then the body will be returned as null in DigestVerifier, as the digest header does not exist in the request, which is a stricter check. Can this test case be removed?
   
   @Test
   public void testMissingDigestHeader() throws Exception {

       URL busFile = JAXRSHTTPSignatureTest.class.getResource("client.xml");

       // Client-side filter that signs the request but does not add a Digest header
       CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
       signatureFilter.setAddDigest(false);
       KeyStore keyStore = KeyStore.getInstance("JKS");
       keyStore.load(ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass()),
                     "password".toCharArray());
       PrivateKey privateKey = (PrivateKey)keyStore.getKey("alice", "password".toCharArray());
       assertNotNull(privateKey);

       // Only "accept" and "(request-target)" are signed; "digest" is left out
       List<String> headerList = Arrays.asList("accept", "(request-target)");
       MessageSigner messageSigner = new MessageSigner(keyId -> privateKey, "alice-key-id", headerList);
       signatureFilter.setMessageSigner(messageSigner);

       String address = "http://localhost:" + PORT + "/httpsigprops/bookstore/books";
       WebClient client =
           WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
       client.type("application/xml").accept("application/xml");

       // The test expects the POST without a digest to be rejected
       Response response = client.post(new Book("CXF", 126L));
       assertEquals(400, response.getStatus());
   }
   
   OR

   should an additional check be added to the condition below in MessageVerifier, so that digest is added to the required headers for the POST or PUT method?

   From:

   if (!signedHeaders.contains("digest") && messageBody != null && messageBody.length > 0) {
       signedHeaders.add("digest");
   }

   To, with the POST or PUT check added as below:

   if (!signedHeaders.contains("digest") && ((messageBody != null && messageBody.length > 0)
           || ("POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)))) {
       signedHeaders.add("digest");
   }
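
Added example, not part of the comment above and not CXF code: the two conditions from the comment run side by side against a constructed request shaped like testMissingDigestHeader (signed over "accept" and "(request-target)" only). The class name, the method names, the base requirement of "(request-target)" and the null body for a request without a Digest header (the behaviour the comment describes) are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration; class and method names are hypothetical, not CXF code.
public class DigestRequirementDemo {

    // Condition as it stands ("From"): digest is required only when a body was handed over.
    static List<String> requiredBodyBased(List<String> base, byte[] body) {
        List<String> required = new ArrayList<>(base);
        if (!required.contains("digest") && body != null && body.length > 0) {
            required.add("digest");
        }
        return required;
    }

    // Proposed condition ("To"): POST and PUT require a signed digest even without a body.
    static List<String> requiredMethodAware(List<String> base, String method, byte[] body) {
        List<String> required = new ArrayList<>(base);
        if (!required.contains("digest") && ((body != null && body.length > 0)
                || ("POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)))) {
            required.add("digest");
        }
        return required;
    }

    // The step passes only if the client's signature covers every required header.
    static String verdict(List<String> required, List<String> signedByClient) {
        return signedByClient.containsAll(required) ? "accepted" : "rejected, required " + required;
    }

    public static void main(String[] args) {
        // Assumed base requirement for this demo.
        List<String> base = Arrays.asList("(request-target)");
        // Constructed request mirroring testMissingDigestHeader: signed without Digest.
        List<String> signedByClient = Arrays.asList("accept", "(request-target)");
        // Assumption taken from the comment: the body is null when the Digest header is absent.
        byte[] bodySeenByVerifier = null;

        System.out.println("From, POST: " + verdict(requiredBodyBased(base, bodySeenByVerifier), signedByClient));
        System.out.println("To, POST:   " + verdict(requiredMethodAware(base, "POST", bodySeenByVerifier), signedByClient));
        System.out.println("To, PUT:    " + verdict(requiredMethodAware(base, "PUT", bodySeenByVerifier), signedByClient));
        System.out.println("To, GET:    " + verdict(requiredMethodAware(base, "GET", null), signedByClient));
    }
}
```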
   

