CXF supports HTTP Signature creation and verification on both the client and service side. Payload integrity is supported by digesting the payload and inserting the result into a "Digest" header, which is also signed by HTTP Signature.

Providers

To enable HTTP Signature in CXF, it is necessary to add one of the following providers to the client or endpoint:

  • Client / Service Outbound Signature Creation: org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor
  • Client Inbound Signature Verification: org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureClientFilter
  • Service Inbound Signature Verification: org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter

...

WebClient Config

```java
// Outbound signing provider (client side); it still needs a MessageSigner before it can sign
CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();

// PORT and busFile are defined by the test (server port and CXF Bus configuration file)
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client =
    WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
```

...

For outbound signatures we need to configure the CreateSignatureInterceptor provider with a MessageSigner instance. MessageSigner has a number of different constructors that can be used depending on the desired functionality. At a minimum, we need to supply the PrivateKey used to sign the message, as well as the "Key Id" as defined in the spec. We can also supply the signature algorithm name; if not specified, this defaults to "rsa-sha256". Similarly, we can supply the security provider name, which defaults to "SunRsaSign".

...

Here is an example from the tests:

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;

import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.httpsignature.MessageSigner;
import org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor;

import static org.junit.Assert.assertNotNull;

CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
// Load the signing key from the test keystore (alias "alice")
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass()),
    "password".toCharArray());
PrivateKey privateKey = (PrivateKey) keyStore.getKey("alice", "password".toCharArray());
assertNotNull(privateKey);

// The lambda maps a key id to the private key; "alice-key-id" is sent as keyId in the
// Signature header so the receiver can select the matching public key
MessageSigner messageSigner = new MessageSigner(keyId -> privateKey, "alice-key-id");
signatureFilter.setMessageSigner(messageSigner);

// PORT and busFile are defined by the test
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client =
    WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
client.type("application/xml").accept("application/xml");
```
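To make concrete what these providers put on the wire, here is an added, self-contained Java illustration (not CXF code, and not from the tests above) of the two pieces the text describes: the "Digest" header computed over the payload, and the HTTP Signature signing string built from the covered headers (including that Digest), signed with rsa-sha256 via SunRsaSign and verified with the public key. The key pair, request body and path are constructed for the example; the Signature header's parameter syntax is not built here.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class HttpSignatureDemo {
    // "Digest" header (RFC 3230 style): algorithm name, "=", base64 of the body hash.
    static String digestHeader(byte[] body) throws Exception {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(body);
        return "SHA-256=" + Base64.getEncoder().encodeToString(hash);
    }
    // Signing string: one "name: value" line per covered header, in the listed order;
    // "(request-target)" expands to the lower-cased method plus the request path.
    static String signingString(List<String> covered, String method, String path,
                                Map<String, String> headers) {
        StringJoiner lines = new StringJoiner("\n");
        for (String name : covered) {
            String value = "(request-target)".equals(name)
                ? method.toLowerCase(Locale.ROOT) + " " + path : headers.get(name).trim();
            lines.add(name.toLowerCase(Locale.ROOT) + ": " + value);
        }
        return lines.toString();
    }
    // rsa-sha256 via the SunRsaSign provider, the defaults described in the text above.
    static String sign(PrivateKey key, String toSign) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        sig.initSign(key);
        sig.update(toSign.getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(sig.sign());
    }
    static boolean verify(PublicKey key, String toSign, String b64Sig) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        sig.initVerify(key);
        sig.update(toSign.getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getDecoder().decode(b64Sig));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // constructed key pair, stands in for alice.jks
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] body = "<Book><id>123</id></Book>".getBytes(StandardCharsets.UTF_8); // constructed payload
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("Digest", digestHeader(body));
        List<String> covered = Arrays.asList("(request-target)", "digest");
        String toSign = signingString(covered, "POST", "/httpsig/bookstore/books", headers);
        String signature = sign(kp.getPrivate(), toSign);
        // Receiver: verify the signature, then recompute the Digest over the body actually received.
        byte[] tampered = "<Book><id>999</id></Book>".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature valid: " + verify(kp.getPublic(), toSign, signature));
        System.out.println("tampered body matches Digest: " + headers.get("Digest").equals(digestHeader(tampered)));
    }
}
```

Because the Digest header is one of the signed lines, a receiver that both verifies the signature and recomputes the digest over the received body detects a modified payload even though the Signature header itself is intact.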

...

```java
// Sign the outbound request and verify the signature on the inbound response
List<Object> providers = new ArrayList<>();
providers.add(new CreateSignatureInterceptor());
providers.add(new VerifySignatureClientFilter());
// PORT and busFile are defined by the test
String address = "http://localhost:" + PORT + "/httpsigresponse/bookstore/books";
WebClient client = WebClient.create(address, providers, busFile.toString());
client.type("application/xml").accept("application/xml");

// Keys are supplied through properties files instead of a programmatic MessageSigner:
// "out" configures signing with alice's key, "in" configures verification against bob's
Map<String, Object> properties = new HashMap<>();
properties.put("rs.security.signature.out.properties",
            "org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties");
properties.put("rs.security.signature.in.properties",
            "org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties");
WebClient.getConfig(client).getRequestContext().putAll(properties);
```

...

```xml
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsigresponseprops">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <!-- verify the inbound request signature, sign the outbound response -->
        <bean class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter" />
        <bean class="org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor" />
    </jaxrs:providers>
    <jaxrs:properties>
        <entry key="rs.security.signature.in.properties"
               value="org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties" />
        <entry key="rs.security.signature.out.properties"
               value="org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties" />
    </jaxrs:properties>
</jaxrs:server>
```

...