cxf-rt-rs-security-http-signature does not include the query while building the "request-target" component of the HTTP signatures, neither when generating signatures nor when validating them. It only includes the path.
This is not in line with the spec that CXF claims support for: https://tools.ietf.org/id/draft-cavage-http-signatures-10.html#rfc.section.2.3. It links to https://tools.ietf.org/html/rfc7540#section-184.108.40.206 which states:
"The ":path" pseudo-header field includes the path and query parts
of the target URI"
Later versions of this spec makes this more clear and even has some examples showing the correct request-target for different URIs:
This is currently breaking integration with other systems that include the query in the request-target.
The fault seems to lie in org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor