...
For signature verification, we need to supply the VerifySignatureClientFilter and VerifySignatureFilter instances with a MessageVerifier instance. At a minimum, we need to configure the MessageVerifier with a KeyProvider instance, which is an interface which supplies the key required to verify the signature given the "Key Id" present in the message. As per MessageSigner, we can also specify the signature algorithm that is required, as well as the Security Provider. It defaults to the same values as documented for MessageSigner above. We can also specify a list of HTTP headers which must be signed. If no such list is specified, the default behavior is to require that the "digest" header is signed (unless a service request and that method is GET or HEAD, and also unless a service response and the status is 204 or not "OK"), as well as the "(request-target)" header for a client request.
Here is an example from the tests:
...
Configuration Tag | Default | Description |
---|---|---|
rs.security.keystore | The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically. | |
rs.security.keystore.type | JKS | The keystore type. |
rs.security.keystore.password | The password required to access the keystore. | |
rs.security.keystore.alias | The keystore alias corresponding to the key to use. | |
rs.security.keystore.file | The path to the keystore file. | |
rs.security.key.password | The password required to access the private key (in the keystore). | |
rs.security.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. | |
rs.security.signature.out.properties | The signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties". | |
rs.security.signature.in.properties | The signature properties file for Compact or JSON signature verification. If not specified then it falls back to "rs.security.signature.properties". | |
rs.security.signature.properties | The signature properties file for Compact or JSON signature creation/verification. | |
rs.security.signature.algorithm | rsa-sha256 | The signature algorithm to use. |
rs.security.http.signature.key.id | The signature key id. This is a required configuration option on the outbound side. | |
rs.security.http.signature.out.headers | all headers incl "(request-target)" | A list of String values which correspond to the list of HTTP headers that will be signed in the outbound request. |
rs.security.http.signature.in.headers | "digest", and "(request-target)" for a client request. | A list of String values which correspond to the list of HTTP headers that must be signed in the inbound request. By default, a client request must sign "(request-target)". In addition, both a client request and service response must sign "digest", unless it is a GET/HEAD request. A service response must sign "digest" for all "OK" status codes, apart from 204. |
rs.security.http.signature.digest.algorithm | SHA-256 | The digest algorithm to use when digesting the payload. |
...