Hi David,

Now that the digest functionality is implemented and tested properly, we need to think about combining it with the signature functionality. I added an initial test to systests to use both the HTTPSignature filter + the digest interceptor. The test passes, but the filter runs before the interceptor, and so the filter never signs the digest header.

We need to either make the interceptor run before the filter, or else have the interceptor as a "standalone" interceptor just supporting digest, and instead incorporate the digest functionality into the signature filter as well.

Colm.

On Fri, Mar 29, 2019 at 10:55 AM David Karlsen <[email protected]> wrote:

> Hi @coheigea - I noticed you are cleaning a bit in the http signature
> stuff lately.
>
> There are a few things I'm wondering about.
>
> https://github.com/apache/cxf/tree/master/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/filters
> There are no ClientRequestInterceptor to do the digest which is crucial to
> the security protocol:
> https://tools.ietf.org/html/draft-cavage-http-signatures-10
>
> Maybe that should be added as a WriterInterceptor (e.g. quite late in the
> chain) - as one of the required headers is the Date header?
>
> Also - should digest + sign maybe be in one filter - as they go together
> to implement the spec?
>
> Can the interceptors and filters be made non-final - this allows to extend
> them and add additional logic - for instance I'm planning on creating a
> custom annotation @IgnoreSignature to place on certain public resources -
> so that this can be introspected in a filter with ResourceInfo in order to
> determine if signature-checking should be skipped or not - of course this
> can be implemented as a delegate pattern - but if they are non-final it
> would be easier.
>
> Likewise the server-side digest-check and signature check - these happen
> at different phases - could it not be bundled into one filter as the same
> applies here.
>
> WDYT?
>
> --
> --
> David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
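
The ordering problem discussed in this thread, as an added example that is not part of the original mail and not CXF code: a signature computed before the Digest header exists covers only the headers present at that point, so a later change to the body goes unnoticed. It uses only the JDK; the class name, the HMAC-SHA256 key, the header values and the bodies are constructed for illustration, and `(request-target)` is left out of the signed header list for brevity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestThenSign { // hypothetical class name, not a CXF type
    // Digest header value over the entity body: "SHA-256=<base64>"
    static String digest(byte[] body) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(body);
        return "SHA-256=" + Base64.getEncoder().encodeToString(d);
    }

    // Signing string per draft-cavage: lowercase "name: value" lines joined by '\n'
    static String signingString(Map<String, String> headers, List<String> names) {
        StringJoiner sj = new StringJoiner("\n");
        for (String n : names) {
            String v = headers.get(n);
            if (v == null) throw new IllegalStateException("header not set yet: " + n);
            sj.add(n + ": " + v);
        }
        return sj.toString();
    }

    static String sign(byte[] key, String s) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(s.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key, body and Date value
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8);
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("date", "Mon, 01 Jan 2024 00:00:00 GMT");

        // Order seen in the test: signing runs first, so only Date is covered.
        String early = sign(key, signingString(headers, List.of("date")));
        headers.put("digest", digest(body)); // digest added afterwards, unsigned

        // Order the thread asks for: digest first, then sign over date + digest.
        List<String> covered = List.of("date", "digest");
        String late = sign(key, signingString(headers, covered));

        // A modified body changes Digest; only the second signature stops matching.
        headers.put("digest", digest("{\"amount\":9999}".getBytes(StandardCharsets.UTF_8)));
        System.out.println("date-only signature still matches: "
            + early.equals(sign(key, signingString(headers, List.of("date")))));
        System.out.println("date+digest signature still matches: "
            + late.equals(sign(key, signingString(headers, covered))));
    }
}
```

Asking `signingString` for `digest` before the header has been set throws, which is the fail-closed behaviour a combined digest-and-sign filter could use to catch the wrong ordering.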
