You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@jclouds.apache.org by "Blagoi Anastasov (JIRA)" <ji...@apache.org> on 2019/01/03 15:21:00 UTC

[jira] [Commented] (JCLOUDS-1476) AWS4 double authentication: query string and headers

    [ https://issues.apache.org/jira/browse/JCLOUDS-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733147#comment-16733147 ] 

Blagoi Anastasov commented on JCLOUDS-1476:
-------------------------------------------

Strange that when I upload to S3(not amazon) endpoint also using V4 Signature, it passes with response 200 and the file is uploaded successfully. It happens only when I point to amazon s3 endpoint. Do you have any suggestions?

> AWS4 double authentication: query string and headers
> ----------------------------------------------------
>
>                 Key: JCLOUDS-1476
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1476
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-blobstore
>    Affects Versions: 2.1.1
>            Reporter: Blagoi Anastasov
>            Priority: Major
>
> Hi,
> There is a problem when using AWSS3BlobRequestSignerV4.java signPutBLob(...) method as it turns out that the request which is returned is double signed(with query string, concatenated to the endpoint and also with headers). This happens when the blob object is created with payload(InputStream). It does not happen when the blob is with payload(File). I have examined it and it looks like when filtering the request in filter(HttpRequest request) method in RequestAuthorizeSignatureV4.java, as the payload is InputStream it is not repeatable by default so the filter(HttpRequest request) method goes for signForChunkedUpload(request) instead of signForAuthorizationHeader(request). And in this case the request returned is double signed. It has authorization headers and also authorization query string. It fails with:
> Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError\{requestId='xxx', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
>  
> Here is also stack trace:
>  
> Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError\{requestId='6D61670538525FB9', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
>  at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:75)
>  at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
>  at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.shouldContinue(CustomJavaUrlHttpCommandExecutorService.java:125)
>  at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.invoke(CustomJavaUrlHttpCommandExecutorService.java:94)
>  at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:91)
>  at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:74)
>  at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:45)
>  at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
>  at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
>  at com.sun.proxy.$Proxy174.invoke(Unknown Source)
>  
> It fails on invoke when trying to get a response from this request. But the problem is why the request is left to be double signed?
>  
> Best Regards,
> Blago



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)