  1. CXF
  2. CXF-8535

Query missing from signature request-target


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.3
    • Fix Version/s: 3.4.4
    • Component/s: JAX-RS Security
    • Estimated Complexity: Novice

      Description

      cxf-rt-rs-security-http-signature does not include the query while building the "request-target" component of the HTTP signatures, neither when generating signatures nor when validating them. It only includes the path.

      This is not in line with the spec that CXF claims support for: https://tools.ietf.org/id/draft-cavage-http-signatures-10.html#rfc.section.2.3. It links to https://tools.ietf.org/html/rfc7540#section-8.1.2.3 which states:
      "The ":path" pseudo-header field includes the path and query parts
      of the target URI"

      Later versions of this spec make this clearer and even have some examples showing the correct request-target for different URIs:
      https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#name-request-target

      This is currently breaking integration with other systems that include the query in the request-target.

      The fault seems to lie in org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor
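
The mismatch described in this report, as an added example (not CXF's code and not part of the original report): it builds the draft-cavage signing string with and without the query and compares the resulting HMAC-SHA256 signatures. The class name, key, host and URIs are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RequestTargetDemo { // hypothetical class name, not a CXF class
    // "(request-target)" value: lowercased method, a space, then path plus "?query" when present.
    static String requestTarget(String method, URI uri, boolean includeQuery) {
        String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
        String query = uri.getRawQuery();
        String target = (includeQuery && query != null) ? path + "?" + query : path;
        return method.toLowerCase(Locale.ROOT) + " " + target;
    }

    // Signing string for headers="(request-target) host" (draft-cavage section 2.3).
    static String signingString(String method, URI uri, boolean includeQuery) {
        return "(request-target): " + requestTarget(method, uri, includeQuery) + "\n"
            + "host: " + uri.getHost();
    }

    static String hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        URI uri = URI.create("https://api.example.com/orders?id=42&expand=items"); // constructed URI

        String pathOnly = signingString("GET", uri, false);  // behaviour described in this issue
        String withQuery = signingString("GET", uri, true);  // path and query, as the spec requires
        System.out.println(pathOnly + "\n---\n" + withQuery);

        // The two signing strings differ, so a signature made over one does not verify over the other.
        System.out.println("signatures match: "
            + hmacSha256(key, pathOnly).equals(hmacSha256(key, withQuery)));

        // A path-only target also means the signing string does not cover the query at all.
        URI altered = URI.create("https://api.example.com/orders?id=43"); // constructed URI
        System.out.println("path-only string unchanged by query edit: "
            + pathOnly.equals(signingString("GET", altered, false)));
        System.out.println("full string unchanged by query edit: "
            + withQuery.equals(signingString("GET", altered, true)));
    }
}
```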

       

       


            People

            • Assignee: Colm O hEigeartaigh (coheigea)
            • Reporter: Eirik Berntsen (eirik.berntsen)
