cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Berto Murillo (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6572) OAuth2 Hawk Scheme requests
Date Mon, 31 Aug 2015 18:22:04 GMT

     [ https://issues.apache.org/jira/browse/CXF-6572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Berto Murillo updated CXF-6572:
-------------------------------
    Description: 
Hi,

References: https://github.com/hueniverse/hawk

Just a few general requests regarding the Hawk scheme.

1) It looks like the port being used in the Hawk digest is -1 if the port is unspecified.
 Is it possible to default to 80 for http and 443 for https instead of -1? For clients, I
don't think -1 is a standard behavior outside of Java if a port isn't specified and it can
be confusing.

2) It looks like per the Hawk website above, the header's normalization string should begin
with "hawk.1.header".

3) It would be great if request payload validation could be added.  It looks like that is
currently a spot where "" is being added in its place.  I want to ensure that the request
itself wasn't modified mid-request if using HTTP and not HTTPS.  https://github.com/hueniverse/hawk#payload-validation

Thanks!

  was:
Hi,

References: https://github.com/hueniverse/hawk

Just a few general requests regarding the Hawk scheme.

1) It looks like the port being used in the Hawk digest is -1 if the port is unspecified.
 Is it possible to default to 80 for http and 443 for https instead of -1? For clients, I
don't think -1 is a standard behavior outside of Java if a port isn't specified and it can
be confusing.

2) It looks like per the Hawk website above, the header's normalization string should begin
with "hawk.1.header".

3) It would be great if request payload validation could be added.  It looks like that is
currently a spot where "" is being added in its place.  I want to ensure that the request
itself wasn't changed outside of having to use HTTP.  https://github.com/hueniverse/hawk#payload-validation

Thanks!


> OAuth2 Hawk Scheme requests
> ---------------------------
>
>                 Key: CXF-6572
>                 URL: https://issues.apache.org/jira/browse/CXF-6572
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>            Reporter: Berto Murillo
>              Labels: oauth2, security
>
> Hi,
> References: https://github.com/hueniverse/hawk
> Just a few general requests regarding the Hawk scheme.
> 1) It looks like the port being used in the Hawk digest is -1 if the port is unspecified.
 Is it possible to default to 80 for http and 443 for https instead of -1? For clients, I
don't think -1 is a standard behavior outside of Java if a port isn't specified and it can
be confusing.
> 2) It looks like per the Hawk website above, the header's normalization string should
begin with "hawk.1.header".
> 3) It would be great if request payload validation could be added.  It looks like that
is currently a spot where "" is being added in its place.  I want to ensure that the request
itself wasn't modified mid-request if using HTTP and not HTTPS.  https://github.com/hueniverse/hawk#payload-validation
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message