Posted to issues@cxf.apache.org by "David J. M. Karlsen (Jira)" <ji...@apache.org> on 2021/10/31 10:09:00 UTC

[jira] [Commented] (CXF-8535) Query missing from signature request-target

    [ https://issues.apache.org/jira/browse/CXF-8535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17436449#comment-17436449 ] 

David J. M. Karlsen commented on CXF-8535:
------------------------------------------

[~coheigea] also https://github.com/apache/cxf/pull/869

> Query missing from signature request-target
> -------------------------------------------
>
>                 Key: CXF-8535
>                 URL: https://issues.apache.org/jira/browse/CXF-8535
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.3
>            Reporter: Eirik Berntsen
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>              Labels: security
>             Fix For: 3.4.4
>
>
> cxf-rt-rs-security-http-signature does not include the query while building the "request-target" component of the HTTP signatures, neither when generating signatures nor when validating them. It only includes the path.
> This is not in line with the spec that CXF claims support for: [https://tools.ietf.org/id/draft-cavage-http-signatures-10.html#rfc.section.2.3]. It links to [https://tools.ietf.org/html/rfc7540#section-8.1.2.3] which states:
> _"The ":path" pseudo-header field includes the path and query parts of the target URI"_
> Later versions of this spec make this more clear and even have some examples showing the correct request-target for different URIs:
> [https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#name-request-target]
> This is currently breaking integration with other systems that include the query in the request-target.
> The fault seems to lie in org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor



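As an added illustration (not code from CXF, the pull request, or the thread), here is the signing-string construction from draft-cavage-http-signatures-10 section 2.3 in Python, with a switch that reproduces the path-only `(request-target)` the issue describes, so the interoperability failure can be seen directly. The shared key, URL and header values are constructed sample data, and `hmac-sha256` is used simply because it needs no key material beyond a byte string.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def request_target(method, url, include_query=True):
    # draft-cavage-http-signatures-10 section 2.3: lowercase method, a space,
    # then the path *and query* of the target URI (HTTP/2 ":path" semantics).
    # include_query=False mimics the CXF 3.4.3 behaviour the issue reports.
    parts = urlsplit(url)
    target = parts.path or "/"
    if include_query and parts.query:
        target += "?" + parts.query
    return f"{method.lower()} {target}"

def signing_string(method, url, headers, signed_headers, include_query=True):
    # One "name: value" line per entry of the Signature "headers" list, joined
    # with "\n" and no trailing newline; header names are lowercased.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed_headers:
        if name == "(request-target)":
            lines.append("(request-target): " + request_target(method, url, include_query))
        else:
            lines.append(f"{name}: {lowered[name]}")
    return "\n".join(lines)

def sign(key, method, url, headers, signed_headers, include_query=True):
    # hmac-sha256 over the signing string, base64-encoded (the "signature" parameter).
    text = signing_string(method, url, headers, signed_headers, include_query)
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha256).digest()).decode()

def verify(key, signature, method, url, headers, signed_headers, include_query=True):
    expected = sign(key, method, url, headers, signed_headers, include_query)
    return hmac.compare_digest(expected, signature)

def interop_check():
    # Constructed sample request: a spec-compliant peer signs path+query.
    key = b"constructed-shared-secret"
    method, url = "GET", "https://api.example.test/items?id=42&sort=asc"
    headers = {"Host": "api.example.test", "Date": "Sun, 31 Oct 2021 10:09:00 GMT"}
    signed = ["(request-target)", "host", "date"]
    sig = sign(key, method, url, headers, signed)
    # A validator that drops the query (the reported bug) rejects the valid
    # signature; one that keeps the query accepts it.
    return (verify(key, sig, method, url, headers, signed, include_query=False),
            verify(key, sig, method, url, headers, signed))
```

`interop_check()` returns `(False, True)`: the same signature is rejected by the path-only validator and accepted once the query is part of the request-target.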