[
https://issues.apache.org/jira/browse/CXF-8535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342407#comment-17342407
]
Eirik Berntsen edited comment on CXF-8535 at 5/11/21, 8:24 AM:
---------------------------------------------------------------
Please see [https://github.com/apache/cxf/pull/795]
was (Author: eirik.berntsen):
Please see [https://github.com/apache/cxf/pull/795]
> Query missing from signature request-target
> -------------------------------------------
>
> Key: CXF-8535
> URL: https://issues.apache.org/jira/browse/CXF-8535
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.3
> Reporter: Eirik Berntsen
> Priority: Major
> Labels: security
>
> cxf-rt-rs-security-http-signature does not include the query while building
> the "request-target" component of the HTTP signatures, neither when
> generating signatures nor when validating them. It only includes the path.
> This is not in line with the spec that CXF claims support for:
> [https://tools.ietf.org/id/draft-cavage-http-signatures-10.html#rfc.section.2.3].
> It links to [https://tools.ietf.org/html/rfc7540#section-8.1.2.3] which
> states:
> _"The ":path" pseudo-header field includes the path and query parts_
> _of the target URI"_
> Later versions of this spec makes this more clear and even has some examples
> showing the correct request-target for different URIs:
> [https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#name-request-target]
> This is currently breaking integration with other systems that include the
> query in the request-target.
> The fault seems to lie in
> org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
