THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
For signature verification, we need to supply the VerifySignatureClientFilter and VerifySignatureFilter instances with a MessageVerifier instance. At a minimum, we need to configure the MessageVerifier with a PublicKeyProvider instance, which is an interface which supplies the public key required to verify the signature given the "Key Id" present in the message. As per MessageSigner, we can also specify the signature algorithm that is required, as well as the Security Provider. It defaults to the same values as documented for MessageSigner above. We can also specify a list of HTTP headers which must be signed.
...
| Code Block |
|---|
<bean id="publicKeyProvider" class="org.apache.cxf.systest.jaxrs.security.httpsignature.CustomPublicKeyProvider"/>
<bean id="messageVerifier" class="org.apache.cxf.rs.security.httpsignature.MessageVerifier">
<constructor-arg>
<ref bean="publicKeyProvider"/>
</constructor-arg>
<constructor-arg>
<util:list>
<value>(request-target)</value>
</util:list>
</constructor-arg>
</bean>
<bean id="httpSignatureVerifier" class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter">
<property name="messageVerifier" ref="messageVerifier"/>
</bean>
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsig">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="httpSignatureVerifier"/>
</jaxrs:providers>
</jaxrs:server> |
Configuration Properties
An alternative to configure the MessageSigner, MessageVerifier instances as documented in the previous section is to use the following security configuration properties instead. These properties rely on obtaining the private keys to sign the messages, as well as the public keys used to verify the messages, from a keystore stored in the local filesystem. Note that the "Key Id" is ignored, we verify the message using the public key defined in the configuration properties.
The following configuration properties can be used to configure HTTP Signature with the various filters. Note that they are shared for the most part with JAX-RS JOSE.
...
| Configuration Tag | Default | Description |
|---|---|---|
| rs.security.keystore | The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically. | |
rs.security.keystore.type | JKS | The keystore type. |
| rs.security.keystore.password | The password required to access the keystore. | |
| rs.security.keystore.alias | The keystore alias corresponding to the key to use. | |
| rs.security.keystore.file | The path to the keystore file. | |
| rs.security.key.password | The password required to access the private key (in the keystore). | |
| rs.security.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. | |
| rs.security.signature.out.properties | The signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties". | |
| rs.security.signature.in.properties | The signature properties file for Compact or JSON signature verification. If not specified then it falls back to "rs.security.signature.properties". | |
| rs.security.signature.properties | The signature properties file for Compact or JSON signature creation/verification. | |
| rs.security.signature.algorithm | rsa-sha256 | The signature algorithm to use. |
| rs.security.http.signature.key.id | The signature key id. This is a required configuration option on the outbound side. | |
| rs.security.http.signature.out.headers | all headers incl "(request-target)" | A list of String values which correspond to the list of HTTP headers that will be signed in the outbound request. |
| rs.security.http.signature.in.headers | "(request-target)" for a client request | A list of String values which correspond to the list of HTTP headers that must be signed in the inbound request. |
Here is a Java example:
| Code Block | ||
|---|---|---|
| ||
List<Object> providers = new ArrayList<>();
providers.add(new CreateSignatureClientFilter());
providers.add(new VerifySignatureClientFilter());
String address = "http://localhost:" + PORT + "/httpsigresponse/bookstore/books";
WebClient client = WebClient.create(address, providers, busFile.toString());
client.type("application/xml").accept("application/xml");
Map<String, Object> properties = new HashMap<>();
properties.put("rs.security.signature.out.properties",
"org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties");
properties.put("rs.security.signature.in.properties",
"org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties");
WebClient.getConfig(client).getRequestContext().putAll(properties); |
where "alice.httpsig.properties" looks like:
| Code Block |
|---|
rs.security.keystore.type=jks
rs.security.keystore.password=password
rs.security.keystore.alias=alice
rs.security.keystore.file=keys/alice.jks
rs.security.key.password=password
rs.security.http.signature.key.id=alice-key-id |
Here is a spring example:
| Code Block |
|---|
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsigresponseprops">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<bean class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter" />
<bean class="org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureFilter" />
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.signature.in.properties"
value="org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties" />
<entry key="rs.security.signature.out.properties"
value="org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties" />
</jaxrs:properties>
</jaxrs:server> |