You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@jclouds.apache.org by "Blagoi Anastasov (JIRA)" <ji...@apache.org> on 2018/12/18 12:12:00 UTC
[jira] [Created] (JCLOUDS-1476) AWS4 double authentication: query
string and headers
Blagoi Anastasov created JCLOUDS-1476:
-----------------------------------------
Summary: AWS4 double authentication: query string and headers
Key: JCLOUDS-1476
URL: https://issues.apache.org/jira/browse/JCLOUDS-1476
Project: jclouds
Issue Type: Bug
Components: jclouds-blobstore
Affects Versions: 2.1.1
Reporter: Blagoi Anastasov
Hi,
There is a problem when using AWSS3BlobRequestSignerV4.java signPutBLob(...) method as it turns out that the request which is returned is double signed(with query string, concatenated to the endpoint and also with headers). This happens when the blob object is created with payload(InputStream). It does not happen when the blob is with payload(File). I have examined it and it looks like when filtering the request in filter(HttpRequest request) method in RequestAuthorizeSignatureV4.java, as the payload is InputStream it is not repeatable by default so the filter(HttpRequest request) method goes for signForChunkedUpload(request) instead of signForAuthorizationHeader(request). And in this case the request returned is double signed. It has authorization headers and also authorization query string. It fails with:
Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError\{requestId='xxx', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
Here is also stack trace:
Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError\{requestId='6D61670538525FB9', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:75)
at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.shouldContinue(CustomJavaUrlHttpCommandExecutorService.java:125)
at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.invoke(CustomJavaUrlHttpCommandExecutorService.java:94)
at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:91)
at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:74)
at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:45)
at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
at com.sun.proxy.$Proxy174.invoke(Unknown Source)
It fails on invoke when trying to get a response from this request. But the problem is why the request is left to be double signed?
Best Regards,
Blago
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)