Signing headers is optional, and you can select which ones; see: https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-2.1.3. See section 3.1, where a digest is created from the body, to essentially form a signature of the body and any other headers. This allows signing JSON, or any other media type.
On Fri, 8 Feb 2019 at 15:59, Anders Rundgren <[email protected]> wrote:

> On 2019-02-08 15:27, David Karlsen wrote:
> > Cxf 3.3 included support for
> > https://tools.ietf.org/html/draft-cavage-http-signatures-09
>
> Thanx! I got that from Colm's answer as well.
>
> Personally I find HTTP Signatures as a rather strange mix between signed messaging and authentication.
>
> Amazon use a similar scheme but without authentication requests:
> https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
>
> In a REST context I do not really see the need for signing header data with the exception of HTTP Method and URI. If you need (signed) x-headers you might as well declare such data at the JSON level.
>
> Anyway, none of the Cxf methods support "Signed JSON", only JSON embedded in packages of varying obscurity. But that is not due to any shortcomings in Cxf, but to a lack of standards.
>
> That's at least what I'm claiming and trying to fix :-)
>
> The core signature scheme (without specific REST bindings) can be tried out online if you want: https://mobilepki.org/jws-jcs/home
>
> Cheers,
> Anders
>
> > On Fri, 8 Feb 2019 at 08:27, Anders Rundgren <[email protected]> wrote:
> >
> >> Since there is no IETF standard for signing REST requests and no such activity in progress either, I took the liberty outlining a minimalist proposal:
> >>
> >> https://github.com/cyberphone/json-canonicalization/blob/master/REST.signatures.md
> >>
> >> Comments are as always welcome!
> >>
> >> Anders

--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
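The mechanism David describes (a Digest header computed over the body, then an HTTP Signature covering the request target, chosen headers and that Digest) is shown below as an added, self-contained example. It is not code from the thread, from CXF or from Anders' proposal; it follows the draft-cavage signing-string format with an HMAC-SHA256 key, and the key, key id, host and request body are constructed values. The verifier side also shows the check a server needs that the draft leaves to policy: refuse a signature whose `headers` list omits the request target or the Digest, since a signature that only covers `Date` says nothing about the JSON body.

```python
import base64
import hashlib
import hmac

# Constructed example key material; a real deployment would provision this out of band.
SHARED_KEY = b"example-shared-secret-for-demo"
KEY_ID = "client-key-1"


def digest_header(body: bytes) -> str:
    """Digest header value (RFC 3230 form) over the raw request body, as in draft-cavage section 3.1."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, covered: list) -> str:
    """Build the draft-cavage signing string: one 'name: value' line per covered header,
    with the pseudo-header '(request-target)' expanded to lowercase method plus path.
    `headers` is keyed by lowercase header name; a missing covered header raises KeyError."""
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name].strip()}")
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: dict, body: bytes, covered: list) -> dict:
    """Client side: add Digest, then a Signature header covering `covered` (lowercase names)."""
    out = dict(headers)
    out["Digest"] = digest_header(body)
    lower = {k.lower(): v for k, v in out.items()}
    mac = hmac.new(SHARED_KEY, signing_string(method, path, lower, covered).encode(), hashlib.sha256).digest()
    out["Signature"] = (
        f'keyId="{KEY_ID}",algorithm="hmac-sha256",'
        f'headers="{" ".join(covered)}",signature="{base64.b64encode(mac).decode()}"'
    )
    return out


def parse_signature(value: str) -> dict:
    """Parse 'k="v",k2="v2"' parameters of the Signature header (base64 never contains a comma)."""
    params = {}
    for part in value.split(","):
        k, _, v = part.partition("=")
        params[k.strip()] = v.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: dict, body: bytes,
                   required=("(request-target)", "digest")) -> bool:
    """Server side: check Digest against the body, then the signature over the covered headers.
    Rejects if any header in `required` is not covered, so the body cannot be swapped."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lower or "digest" not in lower:
        return False
    if not hmac.compare_digest(lower["digest"], digest_header(body)):
        return False
    params = parse_signature(lower["signature"])
    covered = params.get("headers", "date").split()  # draft default when absent is just "date"
    if any(r not in covered for r in required):
        return False
    if params.get("algorithm") != "hmac-sha256" or params.get("keyId") != KEY_ID:
        return False
    try:
        expected = hmac.new(SHARED_KEY, signing_string(method, path, lower, covered).encode(),
                            hashlib.sha256).digest()
        provided = base64.b64decode(params["signature"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, provided)


def demo() -> dict:
    """Sign a constructed JSON POST, then verify it, a tampered body, and a tampered Date."""
    body = b'{"order":"42","amount":"10.00"}'
    headers = {"Host": "api.example.test", "Date": "Fri, 08 Feb 2019 15:59:00 GMT",
               "Content-Type": "application/json"}
    covered = ["(request-target)", "host", "date", "digest"]
    signed = sign_request("POST", "/orders", headers, body, covered)
    tampered_date = dict(signed, Date="Sat, 09 Feb 2019 00:00:00 GMT")
    return {
        "headers": signed,
        "valid": verify_request("POST", "/orders", signed, body),
        "body_swapped": verify_request("POST", "/orders", signed, b'{"order":"42","amount":"9999"}'),
        "date_changed": verify_request("POST", "/orders", tampered_date, body),
        "path_changed": verify_request("POST", "/refunds", signed, body),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the Digest value is itself one of the signed headers, changing the body invalidates the signature even though the signing string never contains the body directly; this is what lets the scheme cover JSON, or any other media type, without defining a canonical form for it.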
