Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
3.4.3
Novice
Description
cxf-rt-rs-security-http-signature does not include the query while building the "request-target" component of the HTTP signatures, neither when generating signatures nor when validating them. It only includes the path.
This is not in line with the spec that CXF claims support for: https://tools.ietf.org/id/draft-cavage-http-signatures-10.html#rfc.section.2.3. It links to https://tools.ietf.org/html/rfc7540#section-8.1.2.3 which states:
"The ":path" pseudo-header field includes the path and query parts
of the target URI"
Later versions of this spec make this more clear and even have some examples showing the correct request-target for different URIs:
https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#name-request-target
This is currently breaking integration with other systems that include the query in the request-target.
The fault seems to lie in org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor
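The following is an added example, not code from CXF or from the reporter, showing why the path-only "request-target" breaks interoperability. It builds the `(request-target)` pseudo-header as draft-cavage-http-signatures-10 describes it (lowercase method, then path plus query) and, for comparison, a path-only variant like the behaviour the report describes, then signs the same request both ways with a constructed shared HMAC key. The key, URI, header values and the helper names (`request_target`, `signing_string`, `verify`) are assumptions for illustration; the URI is the one from the spec's own test cases.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed shared secret for the example; real deployments would use a
# per-key-id secret or an asymmetric key (assumption, not CXF configuration).
SHARED_KEY = b"example-shared-secret"

# Request taken from the draft-cavage-http-signatures test cases.
METHOD = "POST"
URI = "https://example.com/foo?param=value&pet=dog"
HEADERS = {"host": "example.com", "date": "Sun, 06 Nov 1994 08:49:37 GMT"}
SIGNED_HEADERS = ["(request-target)", "host", "date"]


def request_target(method: str, uri: str, include_query: bool = True) -> str:
    """Build the (request-target) value: lowercase method, a space, then the
    path and, per the spec, the query of the target URI. include_query=False
    reproduces the path-only behaviour the bug report describes."""
    parts = urlsplit(uri)
    target = parts.path or "/"
    if include_query and parts.query:
        target += "?" + parts.query
    return f"{method.lower()} {target}"


def signing_string(method: str, uri: str, headers: dict, signed: list,
                   include_query: bool = True) -> str:
    """Concatenate 'name: value' lines in the order given by the headers
    parameter; (request-target) is synthesised rather than read from headers."""
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {request_target(method, uri, include_query)}")
        else:
            lines.append(f"{name.lower()}: {headers[name].strip()}")
    return "\n".join(lines)


def sign(method: str, uri: str, headers: dict, signed: list,
         include_query: bool = True, key: bytes = SHARED_KEY) -> str:
    """hmac-sha256 over the signing string, base64-encoded as in the header."""
    data = signing_string(method, uri, headers, signed, include_query).encode()
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()


def verify(signature: str, method: str, uri: str, headers: dict, signed: list,
           include_query: bool = True, key: bytes = SHARED_KEY) -> bool:
    """Recompute the signature the verifier's way and compare in constant time."""
    expected = sign(method, uri, headers, signed, include_query, key)
    return hmac.compare_digest(expected, signature)


def interop_check() -> dict:
    """A spec-conforming peer signs with the query included; the result shows
    that a path-only verifier rejects it while a conforming verifier accepts it,
    and that a path-only signer's signature is in turn rejected by a
    conforming peer."""
    spec_sig = sign(METHOD, URI, HEADERS, SIGNED_HEADERS, include_query=True)
    path_only_sig = sign(METHOD, URI, HEADERS, SIGNED_HEADERS, include_query=False)
    return {
        "spec_signer_spec_verifier": verify(spec_sig, METHOD, URI, HEADERS, SIGNED_HEADERS, True),
        "spec_signer_path_only_verifier": verify(spec_sig, METHOD, URI, HEADERS, SIGNED_HEADERS, False),
        "path_only_signer_spec_verifier": verify(path_only_sig, METHOD, URI, HEADERS, SIGNED_HEADERS, True),
    }


if __name__ == "__main__":
    print(request_target(METHOD, URI))              # post /foo?param=value&pet=dog
    print(request_target(METHOD, URI, False))       # post /foo
    for case, ok in interop_check().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

Because the query is part of what the signature covers, dropping it is not only an interoperability problem: a verifier that ignores the query cannot detect a modified query string on an otherwise validly signed request.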