Hi @coheigea - I noticed you are cleaning a bit in the http signature stuff lately.
There are a few things I'm wondering about.

https://github.com/apache/cxf/tree/master/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/filters

There is no ClientRequestInterceptor to do the digest, which is crucial to the security protocol:
https://tools.ietf.org/html/draft-cavage-http-signatures-10

Maybe that should be added as a WriterInterceptor (e.g. quite late in the chain) - as one of the required headers is the Date header? Also - should digest + sign maybe be in one filter - as they go together to implement the spec?

Can the interceptors and filters be made non-final - this allows extending them and adding additional logic - for instance I'm planning on creating a custom annotation @IgnoreSignature to place on certain public resources - so that this can be introspected in a filter with ResourceInfo in order to determine if signature-checking should be skipped or not - of course this can be implemented as a delegate pattern - but if they are non-final it would be easier.

Likewise the server-side digest-check and signature check - these happen at different phases - could they not be bundled into one filter, as the same applies here.

WDYT?

--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
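An added illustration of the digest and signature pairing discussed in the message above; it is not CXF code and not part of the original mail. It uses only the JDK, the class and method names are hypothetical, the key, path and date are constructed, and hmac-sha256 stands in for whatever algorithm a deployment uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestAndSignatureDemo { // hypothetical class, not part of CXF
    // Constructed shared secret; a real service resolves the key from the keyId parameter.
    static final byte[] KEY = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);

    // Digest header value computed over the raw body bytes.
    static String digestHeader(byte[] body) throws Exception {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(body);
        return "SHA-256=" + Base64.getEncoder().encodeToString(hash);
    }

    // Signs the draft-cavage signing string for headers="(request-target) date digest".
    static byte[] sign(String method, String path, String date, String digest) throws Exception {
        String signingString = "(request-target): " + method.toLowerCase(Locale.ROOT) + " " + path
                + "\ndate: " + date + "\ndigest: " + digest;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(signingString.getBytes(StandardCharsets.UTF_8));
    }

    // Signature check alone: covers the Digest header value, never the body bytes.
    static boolean signatureOk(String method, String path, String date, String digest, byte[] sig) throws Exception {
        return MessageDigest.isEqual(sign(method, path, date, digest), sig);
    }

    // Both checks in one place: the signature binds the header, the digest binds the body.
    static boolean verify(String method, String path, String date, String digest, byte[] sig, byte[] body) throws Exception {
        boolean digestOk = MessageDigest.isEqual(
                digestHeader(body).getBytes(StandardCharsets.UTF_8), digest.getBytes(StandardCharsets.UTF_8));
        return signatureOk(method, path, date, digest, sig) && digestOk;
    }

    public static void main(String[] args) throws Exception {
        String date = "Mon, 06 Jan 2020 10:00:00 GMT"; // constructed sample value
        byte[] body = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8);
        String digest = digestHeader(body);
        byte[] sig = sign("POST", "/orders", date, digest);
        byte[] tampered = "{\"amount\":9999}".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature only, tampered body: " + signatureOk("POST", "/orders", date, digest, sig));
        System.out.println("digest + signature, tampered body: " + verify("POST", "/orders", date, digest, sig, tampered));
        System.out.println("digest + signature, original body: " + verify("POST", "/orders", date, digest, sig, body));
    }
}
```

The signature-only path cannot notice a modified body, which is why a client that signs without adding the Digest header, or a server that skips either check, leaves the payload unprotected.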
