On 2019-02-08 15:27, David Karlsen wrote:
Cxf 3.3 included support for
https://tools.ietf.org/html/draft-cavage-http-signatures-09

Thanks! I got that from Colm's answer as well.

Personally I find HTTP Signatures to be a rather strange mix between
signed messaging and authentication.

Amazon use a similar scheme but without authentication requests:
https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

In a REST context I do not really see the need for signing header
data with the exception of HTTP Method and URI.  If you need (signed)
x-headers you might as well declare such data at the JSON level.

Anyway, none of the Cxf methods support "Signed JSON", only JSON
embedded in packages of varying obscurity.  But that is not due
to any shortcomings in Cxf, but to a lack of standards.

That's at least what I'm claiming and trying to fix :-)

The core signature scheme (without specific REST bindings) can be
tried out online if you want: https://mobilepki.org/jws-jcs/home

Cheers,
Anders



On Fri, 8 Feb 2019, 08:27, Anders Rundgren <
[email protected]> wrote:

Since there is no IETF standard for signing REST requests and no
such activity in progress either, I took the liberty of outlining
a minimalist proposal:


https://github.com/cyberphone/json-canonicalization/blob/master/REST.signatures.md

Comments are as always welcome!

Anders


