I think the signature filter should become a writer interceptor instead:
https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.2/html/apache_cxf_development_guide/JAXRS20Filters#JAXRS20Filters-Intro-FigCSFIEP

It runs later - so that by hooking into that phase, any other headers can be set, including the digest one - and then adjust the @Priority of the two filters so that digest runs 1st, then signing.

On Fri, 5 Apr 2019 at 12:21, Colm O hEigeartaigh <[email protected]> wrote:

> Hi David,
>
> Now that the digest functionality is implemented and tested properly, we
> need to think about combining it with the signature functionality. I added
> an initial test to systests to use both the HTTPSignature filter + the
> digest interceptor. The test passes, but the filter runs before the
> interceptor, and so the filter never signs the digest header.
>
> We need to either make the interceptor run before the filter, or else have
> the interceptor as a "standalone" interceptor just supporting digest, and
> instead incorporate the digest functionality into the signature filter as
> well.
>
> Colm.
>
> On Fri, Mar 29, 2019 at 10:55 AM David Karlsen <[email protected]>
> wrote:
>
> > Hi @coheigea - I noticed you are cleaning a bit in the http signature
> > stuff lately.
> >
> > There are a few things I'm wondering about.
> >
> > https://github.com/apache/cxf/tree/master/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/filters
> > There is no ClientRequestInterceptor to do the digest, which is crucial to
> > the security protocol:
> > https://tools.ietf.org/html/draft-cavage-http-signatures-10
> >
> > Maybe that should be added as a WriterInterceptor (e.g. quite late in the
> > chain) - as one of the required headers is the Date header?
> >
> > Also - should digest + sign maybe be in one filter - as they go together
> > to implement the spec?
> >
> > Can the interceptors and filters be made non-final - this allows extending
> > them and adding additional logic - for instance I'm planning on creating a
> > custom annotation @IgnoreSignature to place on certain public resources -
> > so that this can be introspected in a filter with ResourceInfo in order to
> > determine if signature-checking should be skipped or not - of course this
> > can be implemented as a delegate pattern - but if they are non-final it
> > would be easier.
> >
> > Likewise the server-side digest check and signature check - these happen
> > at different phases - could they not be bundled into one filter, as the same
> > applies here?
> >
> > WDYT?
> >
> > --
> > David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
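
Added example, not part of the thread and not CXF code: a small Python model of the ordering problem discussed above, showing which headers end up in the draft-cavage signing string when signing runs before or after the digest step, and what a verifier should require. The key, header values and all function names are constructed for illustration; hmac-sha256 is used and the (request-target) pseudo-header is left out for brevity.

```python
import base64, hashlib, hmac, re

KEY = b"constructed-demo-key"  # constructed shared secret for hmac-sha256

def add_digest(headers, body):
    # Digest header: base64 SHA-256 of the message body.
    headers["digest"] = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(headers, names):
    # draft-cavage signing string: "name: value" lines in the listed order.
    return "\n".join(f"{n}: {headers[n]}" for n in names)

def mac(headers, names):
    return hmac.new(KEY, signing_string(headers, names).encode(), hashlib.sha256).digest()

def add_signature(headers, body):
    # Signs only the headers that exist at the moment this step runs.
    names = sorted(headers)
    sig = base64.b64encode(mac(headers, names)).decode()
    headers["signature"] = (f'keyId="demo",algorithm="hmac-sha256",'
                            f'headers="{" ".join(names)}",signature="{sig}"')

def send(steps):
    # Constructed request; 'steps' is the order the outbound handlers run in.
    headers = {"date": "Fri, 05 Apr 2019 10:21:00 GMT", "host": "example.org"}
    body = b'{"amount": 10}'
    for step in steps:
        step(headers, body)
    return headers, body

def verify(headers, body, require_signed_digest=True):
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers["signature"]))
    names = params["headers"].split()
    if not hmac.compare_digest(mac(headers, names), base64.b64decode(params["signature"])):
        return False
    if require_signed_digest and "digest" not in names:
        return False  # Digest header was never covered by the signature
    fresh = {}
    add_digest(fresh, body)
    return headers.get("digest") == fresh["digest"]

def rewritten_in_transit(headers, body):
    # Constructed test case: body replaced and Digest recomputed without the key.
    headers, body = dict(headers), b'{"amount": 9999}'
    add_digest(headers, body)
    return headers, body
```

With signing first, the signature lists only "date host", so a verifier that does not insist on a signed Digest accepts the rewritten message; with digest first, the same rewrite breaks the signature.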
