Colm O hEigeartaigh created CXF-8007:
----------------------------------------

             Summary: HTTP Signature adds an extra "Signature" component to the Signature header
                 Key: CXF-8007
                 URL: https://issues.apache.org/jira/browse/CXF-8007
             Project: CXF
          Issue Type: Bug
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh
             Fix For: 3.3.2


HTTP Signature adds an extra "Signature" component to the Signature header, e.g.:
{code:java}
Headers: {Content-Type=[application/xml], Accept=[application/xml], 
Signature=[Signature 
keyId="alice-key-id",algorithm="rsa-sha512",headers="accept",signature="Ub/VdsxZrdsIuIW0Mx189FzuEZB37cvfVaVK3i6ZGeQzKSDeFiMyOz2N0pkQIlLyrhXApDuE2n9xyTDoJGvZLvIklYKYeijvsUy4CP7hkfv+82emLod66vZD5rlU6xLac4gsaiCLLiG9NcavUjwGSiTFVGaFwCxPf20p1QwTgvY6KE7dBqk2/m6d+FACxWNcyxSHcR8kLsCxy6tweU4HioXBdETo8xMu31jiQ7W9W4gTqNwIrO4O3ZSQGLzBRQ9QxxZBqmQCwP/NEhPFO10khPcXjO1FL107FWy2fwYRInQQtgMPi4liEj1HYt+o2DHLvk43lPVhTf9t1+56dXTsPQ=="]}
{code}
This is because the Tomitribe Signatures class has a toString() method which 
assumes that the output is to be used in an Authorization header. However, in 
CXF our code instead uses the Signature HTTP header (section 4 of the spec). 
Instead it should look like:
{code:java}
Headers: {Content-Type=[application/xml], Accept=[application/xml], 
Signature=[keyId="alice-key-id",algorithm="rsa-sha512",headers="accept",signature="Ub/VdsxZrdsIuIW0Mx189FzuEZB37cvfVaVK3i6ZGeQzKSDeFiMyOz2N0pkQIlLyrhXApDuE2n9xyTDoJGvZLvIklYKYeijvsUy4CP7hkfv+82emLod66vZD5rlU6xLac4gsaiCLLiG9NcavUjwGSiTFVGaFwCxPf20p1QwTgvY6KE7dBqk2/m6d+FACxWNcyxSHcR8kLsCxy6tweU4HioXBdETo8xMu31jiQ7W9W4gTqNwIrO4O3ZSQGLzBRQ9QxxZBqmQCwP/NEhPFO10khPcXjO1FL107FWy2fwYRInQQtgMPi4liEj1HYt+o2DHLvk43lPVhTf9t1+56dXTsPQ=="]}

{code}
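
The distinction described in this issue, as an added example (plain Java, not CXF or Tomitribe code): the same parameters are serialized with the "Signature " scheme token for an Authorization header and without it for the Signature header, and a receiver-side parser refuses a Signature header value that still carries the token. The class and method names are hypothetical, the strict rejection is an assumed policy, and the signature value is a constructed placeholder.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SignatureHeaderDemo {
    // Scheme token that belongs only in "Authorization: Signature ..."
    private static final String SCHEME = "Signature ";
    private static final Pattern PARAM = Pattern.compile("(\\w+)=\"([^\"]*)\"");

    /** Value for the Authorization header: scheme token followed by the parameters. */
    static String forAuthorizationHeader(Map<String, String> params) {
        return SCHEME + forSignatureHeader(params);
    }
    /** Value for the Signature header: parameters only, no scheme token. */
    static String forSignatureHeader(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append(',');
            sb.append(e.getKey()).append("=\"").append(e.getValue()).append('"');
        }
        return sb.toString();
    }

    /** Strict parse of a Signature header value; rejects the stray scheme token. */
    static Map<String, String> parseSignatureHeader(String value) {
        if (value.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            throw new IllegalArgumentException("scheme token not allowed in Signature header");
        }
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = PARAM.matcher(value);
        while (m.find()) out.put(m.group(1), m.group(2));
        for (String required : new String[] {"keyId", "signature"}) {
            if (!out.containsKey(required)) throw new IllegalArgumentException("missing " + required);
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("keyId", "alice-key-id");
        p.put("algorithm", "rsa-sha512");
        p.put("headers", "accept");
        p.put("signature", "Q09OU1RSVUNURUQ="); // constructed placeholder, not a real signature
        System.out.println("Authorization: " + forAuthorizationHeader(p));
        System.out.println("Signature: " + forSignatureHeader(p));
        System.out.println(parseSignatureHeader(forSignatureHeader(p)).keySet());
    }
}
```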


