[
https://issues.apache.org/jira/browse/CXF-6572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14725663#comment-14725663
]
Sergey Beryozkin commented on CXF-6572:
---------------------------------------
I addressed 1 and 2 with
http://git-wip-us.apache.org/repos/asf/cxf/commit/be8e1c1a
3 is a longer term effort as it needs to work in cases like webClient.post(new Book()), etc., where the serialization occurs after OAuthClientUtils helped with
preparing a Hawk scheme header. The same idea would have to work with OAuth2
PoP schemes where the client optionally signs the payload. So I need to think about how to
make sure it works for both situations.
Patches are always welcome though. Create a JIRA and, when you are ready to
do a patch for a given issue, just do the local changes, do 'git diff' and
attach it to that JIRA (or do a git pull request, but I usually do a diff).
Thanks
> OAuth2 Hawk Scheme requests
> ---------------------------
>
> Key: CXF-6572
> URL: https://issues.apache.org/jira/browse/CXF-6572
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Reporter: Berto Murillo
> Labels: oauth2, security
>
> Hi,
> References: https://github.com/hueniverse/hawk
> Just a few general requests regarding the Hawk scheme.
> 1) It looks like the port being used in the Hawk digest is -1 if the port is
> unspecified. Is it possible to default to 80 for http and 443 for https
> instead of -1? For clients, I don't think -1 is a standard behavior outside
> of Java if a port isn't specified, and it can be confusing.
> 2) It looks like per the Hawk website above, the header's normalization
> string should begin with "hawk.1.header".
> 3) It would be great if request payload validation could be added. It looks
> like that is currently a spot where "" is being added in its place. I want
> to ensure that the request itself wasn't modified mid-request if using HTTP
> and not HTTPS. https://github.com/hueniverse/hawk#payload-validation
> Thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
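The three requests in the quoted ticket are all about what goes into the Hawk normalized strings. The following is an added example, written for this page and not code from CXF or from the Hawk project, that builds the two Hawk v1 strings ("hawk.1.header" and "hawk.1.payload") as the Hawk README documents them and signs and verifies them with HMAC-SHA256. It shows point 1 (an unspecified port is signed as 80/443 rather than Java's -1), point 2 (the header normalization string starts with "hawk.1.header") and point 3 (the server must recompute the payload hash over the body it actually received, since the MAC only binds the hash the client claimed). The key id, key, URL and body are the sample values from the Hawk README; the `server_verify` policy of rejecting a request that carries a body but no hash is this example's own choice, not something the ticket or CXF specifies.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example, not CXF or Hawk project code. Builds the Hawk v1 normalized
# strings from the ticket and signs/verifies them with HMAC-SHA256, the
# algorithm the Hawk README uses for its sample credentials.
HAWK_HEADER_VERSION = "hawk.1.header"
HAWK_PAYLOAD_VERSION = "hawk.1.payload"
SCHEME_DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Point 1: sign the explicit port if present, else the scheme default.
    Java's URI.getPort() returns -1 for an absent port, which would put a
    literal "-1" into the normalized string and never match a non-Java peer."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return SCHEME_DEFAULT_PORTS[parts.scheme.lower()]


def payload_hash(content_type, body):
    """Point 3: the hawk.1.payload hash. Content-Type parameters (charset etc.)
    are dropped, the media type is trimmed and lowercased, then the raw body
    follows; every element is newline-terminated."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    normalized = (HAWK_PAYLOAD_VERSION + "\n" + media_type + "\n").encode("utf-8")
    normalized += body + b"\n"
    return base64.b64encode(hashlib.sha256(normalized).digest()).decode("ascii")


def normalized_header(ts, nonce, method, url, payload_hash_b64="", ext=""):
    """Point 2: the hawk.1.header normalized string, one element per line.
    An empty hash or ext still contributes its (empty) line."""
    parts = urlsplit(url)
    resource = parts.path or "/"
    if parts.query:
        resource += "?" + parts.query
    # Hawk escapes backslash and newline in ext so ext cannot inject a line
    # that shifts the later elements of the normalized string.
    ext_escaped = ext.replace("\\", "\\\\").replace("\n", "\\n")
    return (
        f"{HAWK_HEADER_VERSION}\n{ts}\n{nonce}\n{method.upper()}\n{resource}\n"
        f"{parts.hostname.lower()}\n{effective_port(url)}\n{payload_hash_b64}\n"
        f"{ext_escaped}\n"
    )


def hawk_mac(key, normalized):
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(key_id, key, ts, nonce, method, url,
                         content_type=None, body=None, ext=""):
    """Client side: hash the body (if any), MAC the normalized string and
    emit the Authorization header value."""
    h = payload_hash(content_type, body) if body is not None else ""
    mac = hawk_mac(key, normalized_header(ts, nonce, method, url, h, ext))
    fields = [f'id="{key_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if h:
        fields.append(f'hash="{h}"')
    if ext:
        fields.append(f'ext="{ext}"')
    fields.append(f'mac="{mac}"')
    return "Hawk " + ", ".join(fields)


def parse_hawk_header(value):
    """Minimal parser for headers produced above (assumes no ', ' inside ext)."""
    scheme, _, attrs = value.partition(" ")
    if scheme != "Hawk":
        raise ValueError("not a Hawk header")
    fields = {}
    for attr in attrs.split(", "):
        name, _, quoted = attr.partition("=")
        fields[name] = quoted.strip('"')
    return fields


def server_verify(key, header_value, method, url, content_type=None, body=None):
    """Server side. The MAC only binds the hash the client *claimed*; the body
    is proven intact only by recomputing the hash over what actually arrived.
    Policy (this example's choice): a body without a hash is rejected."""
    f = parse_hawk_header(header_value)
    claimed_hash = f.get("hash", "")
    expected = hawk_mac(key, normalized_header(f["ts"], f["nonce"], method, url,
                                               claimed_hash, f.get("ext", "")))
    if not hmac.compare_digest(expected, f["mac"]):
        return False
    if body is None:
        return True          # nothing to protect (e.g. a GET)
    if not claimed_hash:
        return False         # body present but not covered by the signature
    return hmac.compare_digest(claimed_hash, payload_hash(content_type, body))


# Constructed sample input: credentials and request from the Hawk README's usage example.
KEY_ID = "dh37fgj492je"
KEY = b"werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
URL = "http://example.com:8000/resource/1?b=1&a=2"
BODY = b"Thank you for flying Hawk"

if __name__ == "__main__":
    hdr = authorization_header(KEY_ID, KEY, "1353832234", "j4h3g2", "POST", URL,
                               "text/plain", BODY, ext="some-app-ext-data")
    print(hdr)
    print("intact body accepted:", server_verify(KEY, hdr, "POST", URL, "text/plain", BODY))
    print("tampered body accepted:", server_verify(KEY, hdr, "POST", URL, "text/plain", BODY + b"!"))
```

Running the script prints the Authorization header, then True for the original body and False for a body altered in transit, which is exactly the mid-request modification point 3 asks CXF to detect; the port and "hawk.1.header" handling from points 1 and 2 are visible in `effective_port` and `normalized_header`.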