IntroductionCXF adds support for the HTTP Signatures draft spec since CXF 3.3.0. This provides an alternative to providing message integrity other than XML Security and JOSE, and in fact provides a stronger measure of message integrity as it allows the incorporation of HTTP headers in the signature, including the HTTP method and path. Maven DependenciesThe following dependency is required to use CXF's HTTP Signature implementation. <dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-rt-rs-security-http-signature</artifactId> <version>3.3.2</version> </dependency> ConfigurationCXF supports HTTP Signature creation and verification on both the client and service side. Payload integrity is supported by digesting the payload and inserting the result into a "Digest" header, which is also signed by HTTP Signature. ProvidersTo enable HTTP Signature in CXF, it is necessary to add one of the following providers to the client or endpoint:
For example in code: WebClient Config CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client =
WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
and in Spring: Spring Config <bean id="httpSignatureVerifier" class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter">
<property name="messageVerifier" ref="messageVerifier"/>
</bean>
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsig">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="httpSignatureVerifier"/>
</jaxrs:providers>
</jaxrs:server>
Fine grained ConfigurationAs well as adding the desired providers (see above), we need to configure them (for example the keys to use, the headers to sign, etc.). There are two options for doing this. In this section we'll look at configuring the providers directly, which allows for a more fine-grained configuration. See below for an alternative using configuration properties that retrieves keys from keystores. For outbound signature we need to configure the CreateSignatureInterceptor provider with a MessageSigner instance. The MessageSigner contains a number of different constructors that can be used depending on the desired functionality. At a minimum, we need to supply the PrivateKey instance to sign the message, as well as the "Key Id" as defined in the spec. We can also supply the signature algorithm name - if not specified this defaults to "rsa-sha256". Similarly we can supply the security provider name, which defaults to "SunRsaSign". We can also supply a list of HTTP headers to sign. By default it signs all of the HTTP headers that are made available to it by CXF. On the client side it will also sign the HTTP method and Path via "(request-target)". Here is an example from the tests: CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass()),
"password".toCharArray());
PrivateKey privateKey = (PrivateKey)keyStore.getKey("alice", "password".toCharArray());
assertNotNull(privateKey);
MessageSigner messageSigner = new MessageSigner(keyId -> privateKey, "alice-key-id");
signatureFilter.setMessageSigner(messageSigner);
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client =
WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
client.type("application/xml").accept("application/xml");
For signature verification, we need to supply the VerifySignatureClientFilter and VerifySignatureFilter instances with a MessageVerifier instance. At a minimum, we need to configure the MessageVerifier with a KeyProvider instance, which is an interface which supplies the key required to verify the signature given the "Key Id" present in the message. As per MessageSigner, we can also specify the signature algorithm that is required, as well as the Security Provider. It defaults to the same values as documented for MessageSigner above. We can also specify a list of HTTP headers which must be signed. In addition to this list, the default behavior is to require that the "digest" header is signed (unless a service request with a HTTP method of GET or HEAD, and also unless a service response and the status is 204 or not "OK"), as well as the "(request-target)" header for a client request. This default behaviour can be disabled by setting the boolean addDefaultRequiredHeaders property of MessageVerifier to false. Here is an example from the tests: <bean id="publicKeyProvider" class="org.apache.cxf.systest.jaxrs.security.httpsignature.CustomPublicKeyProvider"/>
<bean id="messageVerifier" class="org.apache.cxf.rs.security.httpsignature.MessageVerifier">
<constructor-arg>
<ref bean="publicKeyProvider"/>
</constructor-arg>
<constructor-arg>
<util:list>
<value>(request-target)</value>
</util:list>
</constructor-arg>
</bean>
<bean id="httpSignatureVerifier" class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter">
<property name="messageVerifier" ref="messageVerifier"/>
</bean>
<jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsig">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="httpSignatureVerifier"/>
</jaxrs:providers>
</jaxrs:server>
Configuration PropertiesAn alternative to configure the MessageSigner, MessageVerifier instances as documented in the previous section is to use the following security configuration properties instead. These properties rely on obtaining the private keys to sign the messages, as well as the public keys used to verify the messages, from a keystore stored in the local filesystem. Note that the "Key Id" is ignored, we verify the message using the public key defined in the configuration properties. The following configuration properties can be used to configure HTTP Signature with the various filters. Note that they are shared for the most part with JAX-RS JOSE.
Here is a Java example: List<Object> providers = new ArrayList<>();
providers.add(new CreateSignatureInterceptor());
providers.add(new VerifySignatureClientFilter());
String address = "http://localhost:" + PORT + "/httpsigresponse/bookstore/books";
WebClient client = WebClient.create(address, providers, busFile.toString());
client.type("application/xml").accept("application/xml");
Map<String, Object> properties = new HashMap<>();
properties.put("rs.security.signature.out.properties",
"org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties");
properties.put("rs.security.signature.in.properties",
"org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties");
WebClient.getConfig(client).getRequestContext().putAll(properties);
where "alice.httpsig.properties" looks like: rs.security.keystore.type=jks rs.security.keystore.password=password rs.security.keystore.alias=alice rs.security.keystore.file=keys/alice.jks rs.security.key.password=password rs.security.http.signature.key.id=alice-key-id Here is a spring example: <jaxrs:server address="http://localhost:${testutil.ports.jaxrs-httpsignature}/httpsigresponseprops">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<bean class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter" />
<bean class="org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor" />
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.signature.in.properties"
value="org/apache/cxf/systest/jaxrs/security/httpsignature/alice.httpsig.properties" />
<entry key="rs.security.signature.out.properties"
value="org/apache/cxf/systest/jaxrs/security/httpsignature/bob.httpsig.properties" />
</jaxrs:properties>
</jaxrs:server>
|
