...
CXF supports HTTP Signature creation and verification on both the client and service side. Payload integrity is supported by digesting the payload and inserting the result into a "Digest" header, which is also signed by HTTP Signature.
Providers
To enable HTTP Signature in CXF, it is necessary to add one of the following providers to the client or endpoint:
- Client / Service Outbound Signature Creation: org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor
- Client Inbound Signature Verification: org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureClientFilter
- Service Inbound Signature Verification: org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter
...
```java
import java.util.Collections;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor;

// Register the outbound signing provider on the client. PORT and busFile are test fixtures.
CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client = WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
```
...
For outbound signatures we need to configure the CreateSignatureInterceptor provider with a MessageSigner instance. MessageSigner has a number of constructors that can be used depending on the desired functionality. At a minimum we need to supply the PrivateKey used to sign the message, as well as the "Key Id" as defined in the spec. We can also supply the signature algorithm name; if not specified this defaults to "rsa-sha256". Similarly, we can supply the security provider name, which defaults to "SunRsaSign".
...
Here is an example from the tests:
```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.httpsignature.MessageSigner;
import org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor;

CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();

// Load the signing key from the test keystore.
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass()), "password".toCharArray());
PrivateKey privateKey = (PrivateKey) keyStore.getKey("alice", "password".toCharArray());
assertNotNull(privateKey);

// Minimal MessageSigner: a key provider resolving the key plus the Key Id sent in the Signature header.
// Algorithm and provider are left at their defaults ("rsa-sha256", "SunRsaSign").
MessageSigner messageSigner = new MessageSigner(keyId -> privateKey, "alice-key-id");
signatureFilter.setMessageSigner(messageSigner);

String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client = WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
client.type("application/xml").accept("application/xml");
```
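To show what the provider above actually puts on the wire, here is an added example (plain JDK code, not CXF code and not from the project's tests) that builds the Digest header and the HTTP Signature signing string using the defaults the page names (rsa-sha256 via the SunRsaSign provider, key id alice-key-id), then verifies both the signature and the Digest against the received body. The key pair, request body, host and Date value are constructed, and a freshly generated key stands in for alice.jks.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example, not CXF code: Digest header + draft-cavage signing string for the page's
// defaults (rsa-sha256 on SunRsaSign). Key pair, body, host and Date are constructed.
public class HttpSigDemo {
    static String digestHeader(byte[] body) throws Exception {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(body);
        return "SHA-256=" + Base64.getEncoder().encodeToString(hash);
    }
    // Lowercase header names, "name: value", newline separated, in the order given in headers="...".
    static String signingString(String method, String path, String host, String date, String digest) {
        return "(request-target): " + method.toLowerCase() + " " + path
             + "\nhost: " + host + "\ndate: " + date + "\ndigest: " + digest;
    }
    static String sign(PrivateKey key, String signingString) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "SunRsaSign"); // "rsa-sha256"
        sig.initSign(key);
        sig.update(signingString.getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(sig.sign());
    }
    // Both checks are needed: a valid signature over a Digest that does not match the received
    // body means the payload changed after signing, so the request must be rejected.
    static boolean verify(PublicKey key, String signingString, String b64Sig,
                          String digestHeader, byte[] receivedBody) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        sig.initVerify(key);
        sig.update(signingString.getBytes(StandardCharsets.US_ASCII));
        boolean sigOk = sig.verify(Base64.getDecoder().decode(b64Sig));
        boolean digestOk = MessageDigest.isEqual(
            digestHeader.getBytes(StandardCharsets.US_ASCII),
            digestHeader(receivedBody).getBytes(StandardCharsets.US_ASCII));
        return sigOk && digestOk;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); // stand-in for alice.jks
        KeyPair kp = kpg.generateKeyPair();
        byte[] body = "<Book><name>CXF</name></Book>".getBytes(StandardCharsets.UTF_8); // constructed
        String digest = digestHeader(body);
        String toSign = signingString("POST", "/httpsig/bookstore/books", "localhost:9000",
                                      "Tue, 07 Jun 2014 20:51:35 GMT", digest);
        String b64 = sign(kp.getPrivate(), toSign);
        System.out.println("Signature: keyId=\"alice-key-id\",algorithm=\"rsa-sha256\","
            + "headers=\"(request-target) host date digest\",signature=\"" + b64 + "\"");
        System.out.println("valid: " + verify(kp.getPublic(), toSign, b64, digest, body));
        byte[] altered = "<Book><name>other</name></Book>".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered body: " + verify(kp.getPublic(), toSign, b64, digest, altered));
    }
}
```

The second verify call shows why the Digest must be recomputed on the receiving side: the Signature header is still valid, but the body it covers is no longer the one that was sent.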
...
```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor;
import org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureClientFilter;

List<Object> providers = new ArrayList<>();
providers.add(new CreateSignatureInterceptor());   // sign outbound requests
providers.add(new VerifySignatureClientFilter());  // verify signatures on responses
String address = "http://localhost:" + PORT + "/httpsigresponse/bookstore/books";
WebClient client = WebClient.create(address, providers, busFile.toString());
client.type("application/xml").accept("application/xml");

// Signing (out) and verification (in) configuration supplied via properties files.
Map<String, Object> properties = new HashMap<>();
properties.put("rs.security.signature.out.properties",
    "org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties");
properties.put("rs.security.signature.in.properties",
    "org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties");
WebClient.getConfig(client).getRequestContext().putAll(properties);
```
...
```xml
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsigresponseprops">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <!-- verify signatures on inbound requests, sign outbound responses -->
        <bean class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter"/>
        <bean class="org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor"/>
    </jaxrs:providers>
    <jaxrs:properties>
        <entry key="rs.security.signature.in.properties"
               value="org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties"/>
        <entry key="rs.security.signature.out.properties"
               value="org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties"/>
    </jaxrs:properties>
</jaxrs:server>
```
...