[ https://issues.apache.org/jira/browse/CXF-6572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Berto Murillo updated CXF-6572:
-------------------------------
    Description: 
Hi,

References: https://github.com/hueniverse/hawk

Just a few general requests regarding the Hawk scheme.

1) It looks like the port being used in the Hawk digest is -1 if the port is 
unspecified.  Is it possible to default to 80 for http and 443 for https 
instead of -1? For clients, I don't think -1 is a standard behavior outside of 
Java if a port isn't specified and it can be confusing.

2) It looks like per the Hawk website above, the header's normalization string 
should begin with "hawk.1.header".

3) It would be great if request payload validation could be added.  It looks 
like that is currently a spot where "" is being added in its place.  I want to 
ensure that the request itself wasn't modified mid-request if using HTTP and 
not HTTPS.  https://github.com/hueniverse/hawk#payload-validation

Thanks!

  was:
Hi,

References: https://github.com/hueniverse/hawk

Just a few general requests regarding the Hawk scheme.

1) It looks like the port being used in the Hawk digest is -1 if the port is 
unspecified.  Is it possible to default to 80 for http and 443 for https 
instead of -1? For clients, I don't think -1 is a standard behavior outside of 
Java if a port isn't specified and it can be confusing.

2) It looks like per the Hawk website above, the header's normalization string 
should begin with "hawk.1.header".

3) It would be great if request payload validation could be added.  It looks 
like that is currently a spot where "" is being added in its place.  I want to 
ensure that the request itself wasn't changed outside of having to use HTTP.  
https://github.com/hueniverse/hawk#payload-validation

Thanks!


> OAuth2 Hawk Scheme requests
> ---------------------------
>
>                 Key: CXF-6572
>                 URL: https://issues.apache.org/jira/browse/CXF-6572
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>            Reporter: Berto Murillo
>              Labels: oauth2, security
>
> Hi,
> References: https://github.com/hueniverse/hawk
> Just a few general requests regarding the Hawk scheme.
> 1) It looks like the port being used in the Hawk digest is -1 if the port is 
> unspecified.  Is it possible to default to 80 for http and 443 for https 
> instead of -1? For clients, I don't think -1 is a standard behavior outside 
> of Java if a port isn't specified and it can be confusing.
> 2) It looks like per the Hawk website above, the header's normalization 
> string should begin with "hawk.1.header".
> 3) It would be great if request payload validation could be added.  It looks 
> like that is currently a spot where "" is being added in its place.  I want 
> to ensure that the request itself wasn't modified mid-request if using HTTP 
> and not HTTPS.  https://github.com/hueniverse/hawk#payload-validation
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
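
The three points in the description (scheme-default port instead of -1, the "hawk.1.header" prefix, and the payload hash) are shown together below as an added example; it is not CXF or Hawk project code. It follows the normalization described in the Hawk README referenced above, uses a constructed key and request, and folds Hawk's separate payload check into a single `verify` step as a simplification.

```javascript
// Added example (not CXF or Hawk project code). Key, URL and body are constructed.
const nodeCrypto = require('crypto');

// Item 1: the port line must carry a real port; fall back to the scheme default.
function resolvePort(url) {
  if (url.port) return url.port;            // explicit, non-default port
  return url.protocol === 'https:' ? '443' : '80';
}

// Item 3: base64(SHA-256("hawk.1.payload\n" + content-type + "\n" + body + "\n")).
function payloadHash(contentType, body) {
  const type = contentType.split(';')[0].trim().toLowerCase(); // drop parameters
  return nodeCrypto.createHash('sha256')
    .update(`hawk.1.payload\n${type}\n${body}\n`)
    .digest('base64');
}

// Item 2: the normalized request string begins with "hawk.1.header".
function normalizedString({ ts, nonce, method, uri, hash = '', ext = '' }) {
  const url = new URL(uri);
  const escapedExt = ext.replace(/\\/g, '\\\\').replace(/\n/g, '\\n');
  return [
    'hawk.1.header', ts, nonce, method.toUpperCase(),
    url.pathname + url.search, url.hostname.toLowerCase(), resolvePort(url),
    hash, escapedExt,
  ].join('\n') + '\n';
}

function requestMac(key, fields) {
  return nodeCrypto.createHmac('sha256', key).update(normalizedString(fields)).digest('base64');
}

// Server side (simplified): hash the body actually received, then compare MACs.
function verify(key, fields, contentType, receivedBody, claimedMac) {
  const expected = Buffer.from(
    requestMac(key, { ...fields, hash: payloadHash(contentType, receivedBody) }), 'base64');
  const claimed = Buffer.from(claimedMac, 'base64');
  return claimed.length === expected.length && nodeCrypto.timingSafeEqual(claimed, expected);
}

// Constructed demo values.
const KEY = 'constructed-demo-key';
const FIELDS = { ts: 1353832234, nonce: 'j4h3g2', method: 'post', uri: 'http://example.com/resource/1?a=1&b=2' };
const BODY = 'Thank you for flying Hawk';
const MAC = requestMac(KEY, { ...FIELDS, hash: payloadHash('text/plain', BODY) });
```

With an empty string in the hash position, as item 3 describes, a body altered in transit still verifies, because the body never enters the MAC.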
