Blagoi Anastasov created JCLOUDS-1476:
-----------------------------------------

             Summary: AWS4 double authentication: query string and headers
                 Key: JCLOUDS-1476
                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1476
             Project: jclouds
          Issue Type: Bug
          Components: jclouds-blobstore
    Affects Versions: 2.1.1
            Reporter: Blagoi Anastasov


Hi,

There is a problem when using the signPutBlob(...) method of
AWSS3BlobRequestSignerV4.java: it turns out that the request which is returned
is double signed (with a query string, concatenated to the endpoint, and also
with headers). This happens when the blob object is created with
payload(InputStream). It does not happen when the blob is created with
payload(File). I have examined it, and it looks like when filtering the request
in the filter(HttpRequest request) method in RequestAuthorizeSignatureV4.java,
as the payload is an InputStream it is not repeatable by default, so the
filter(HttpRequest request) method goes for signForChunkedUpload(request)
instead of signForAuthorizationHeader(request). And in this case the request
returned is double signed. It has authorization headers and also an
authorization query string. It fails with:


Caused by: org.jclouds.aws.AWSResponseException: request PUT 
https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx
 HTTP/1.1 failed with code 400, error: AWSError{requestId='xxx', 
requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism 
allowed; only the X-Amz-Algorithm query parameter, Signature query string 
parameter or the Authorization header should be specified', 
context='{ArgumentValue=AWS4-HMAC-SHA256 
Credential=xxx/20181218/eu-central-1/s3/aws4_request, 
SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length,
 Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}

 

Here is also the stack trace:

 

Caused by: org.jclouds.aws.AWSResponseException: request PUT 
https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx
 HTTP/1.1 failed with code 400, error: AWSError{requestId='6D61670538525FB9', 
requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism 
allowed; only the X-Amz-Algorithm query parameter, Signature query string 
parameter or the Authorization header should be specified', 
context='{ArgumentValue=AWS4-HMAC-SHA256 
Credential=xxx/20181218/eu-central-1/s3/aws4_request, 
SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length,
 Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
 at 
org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:75)
 at 
org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
 at 
com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.shouldContinue(CustomJavaUrlHttpCommandExecutorService.java:125)
 at 
com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.invoke(CustomJavaUrlHttpCommandExecutorService.java:94)
 at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:91)
 at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:74)
 at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:45)
 at 
org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
 at 
org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
 at com.sun.proxy.$Proxy174.invoke(Unknown Source)

 

It fails on invoke when trying to get a response from this request. But the 
problem is: why is the request left double signed?

 

Best Regards,

Blago
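
A pre-flight check for the condition S3 rejects in this report, added here as an example and not part of the original message or of jclouds: it lists which of the three mechanisms named in the error message a request carries, so a caller can fail fast before sending. The class and method names are hypothetical, and the sample request is constructed from the redacted values above with a placeholder bucket host.

```java
import java.net.URI;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;

public class S3AuthMechanismCheck {
    // The three mechanisms named in the S3 "Only one auth mechanism allowed" error.
    enum Mechanism { X_AMZ_ALGORITHM_QUERY, SIGNATURE_QUERY, AUTHORIZATION_HEADER }

    // Hypothetical helper (not a jclouds API): lists every auth mechanism on a request.
    static EnumSet<Mechanism> detect(URI uri, Map<String, String> headers) {
        EnumSet<Mechanism> found = EnumSet.noneOf(Mechanism.class);
        String query = uri.getRawQuery();
        if (query != null) {
            for (String pair : query.split("&")) {
                String name = pair.split("=", 2)[0]; // names matched as spelled in the error
                if (name.equals("X-Amz-Algorithm")) found.add(Mechanism.X_AMZ_ALGORITHM_QUERY);
                if (name.equals("Signature")) found.add(Mechanism.SIGNATURE_QUERY);
            }
        }
        for (String headerName : headers.keySet()) { // header names are case-insensitive
            if (headerName.equalsIgnoreCase("Authorization")) found.add(Mechanism.AUTHORIZATION_HEADER);
        }
        return found;
    }

    // Fails locally instead of letting S3 answer 400 InvalidArgument.
    static void requireSingleMechanism(URI uri, Map<String, String> headers) {
        EnumSet<Mechanism> found = detect(uri, headers);
        if (found.size() > 1) {
            throw new IllegalStateException("request carries multiple auth mechanisms: " + found);
        }
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the redacted request in the report.
        URI presigned = URI.create("https://example-bucket.s3.eu-central-1.amazonaws.com/upload/a1.png"
            + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request"
            + "&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, "
            + "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=xxx");
        System.out.println("as reported: " + detect(presigned, headers));
        headers.remove("Authorization");
        requireSingleMechanism(presigned, headers); // query-string auth only: passes
        System.out.println("query-string only: " + detect(presigned, headers));
    }
}
```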


