HTTP Message Signing

Java Implementation of the IETF draft for HTTP Message Signing. It provides bridges with the following libraries:

• Apache HTTP Components 4.x

• OkHttp 3.x

• Java Servlet 3.x and 4.x

Latest release

The most recent release is http-messages-signing 1.0.0, released 2018-02-20 and available on Maven central. Javadoc is available.

To add a dependency on http-messages-signing using Maven, use the following:

<dependency>
  <groupId>tech.barbero.http-messages-signing</groupId>
  <artifactId>http-messages-signing-core</artifactId>
  <version>1.0.0</version>
</dependency>

To add a dependency using Gradle:

dependencies {
  compile 'tech.barbero.http-messages-signing:http-messages-signing:1.0.0'
}

And one of the bridge if required.

Apache HTTP Component 4.x

<dependency>
  <groupId>tech.barbero.http-messages-signing</groupId>
  <artifactId>http-messages-signing-ahc4</artifactId>
  <version>1.0.0</version>
</dependency>

dependencies {
  compile 'tech.barbero.http-messages-signing:http-messages-signing-ahc4:1.0.0'
}

OkHttp 3.x

<dependency>
  <groupId>tech.barbero.http-messages-signing</groupId>
  <artifactId>http-messages-signing-okhttp3</artifactId>
  <version>1.0.0</version>
</dependency>

dependencies {
  compile 'tech.barbero.http-messages-signing:http-messages-signing-okhttp3:1.0.0'
}

Servlet 3.x, 4.x

<dependency>
  <groupId>tech.barbero.http-messages-signing</groupId>
  <artifactId>http-messages-signing-servlet</artifactId>
  <version>1.0.0</version>
</dependency>

dependencies {
  compile 'tech.barbero.http-messages-signing:http-messages-signing-servlet:1.0.0'
}

Snapshots

Snapshots of http-messages-signing built from the master branch are available on Sonatype Snapshot Repository. Javadoc is available.

Recipes

Create a HTTP messages signer

HttpMessageSigner signer = HttpMessageSigner.builder()
		.algorithm(Algorithm.RSA_SHA256)
		.keyMap(keyMap)
		.addHeaderToSign(HttpMessageSigner.REQUEST_TARGET)
		.addHeaderToSign("Date")
		.addHeaderToSign("Content-Length")
		.addHeaderToSign("Digest")
		.keyId("myKeyId")
		.build();

Signing an Apache HttpCore request

HttpClientBuilder builder = HttpClientBuilder.create();
builder.addLast(new RequestSignature(signer));
try (CloseableHttpClient client = builder.build()) {
	HttpGet httpget = new HttpGet(uri);
	try (CloseableHttpResponse response = httpclient.execute(httpget)) {
		...
	}
}

Signing an OkHttp request

OkHttpClient client = new OkHttpClient.Builder()
		.addInterceptor(new SignerInterceptor(signer))
		.build();

Request request = new Request.Builder()
		.url(url)
		.build();

try (Response response = client.newCall(request).execute()) {
	...
}

Requirements

Java 8

Build

$ mvn clean install

About

Copyright (c) 2017-2018 Eclipse Foundation and others.

Eclipse and the Eclipse logo are registered trademarks of The Eclipse Foundation.

Java and all Java-based trademarks are trademarks of Oracle Corporation in the United States, other countries, or both.

This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at https://www.eclipse.org/legal/epl-2.0/

Content may contain encryption software. The country in which you are currently may have restrictions on the import, possession, and use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check the country’s laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted.