Java

Scenarios

To use Java to sign backend requests, obtain the Java SDK, import the project, and verify the backend signature by referring to the example provided in this section.

This section uses IntelliJ IDEA 2018.3.5 as an example.

Prerequisites

• You have created a signature key on the APIG console and bound it to the API to be called. For more information, see Creating and Using a Signature Key.
• You have obtained the signature key and secret. For details, see Pre-signature Preparations.
• In the APIG console, download the SDK on the SDKs page by referring to section "SDKs" in the API Gateway User Guide. 3.1.2 is recommended.
• You have obtained apigateway-backend-signature-demo.
• You have installed IntelliJ IDEA 2018.3.5 or a later version. If not, download it from the official IntelliJ IDEA website and install it.

• You have installed Java Development Kit (JDK) 1.8.111 or a later version. If not, download JDK from the official Oracle website and install it. JDK 17 or later is not supported.

Importing a Project

1. Open IntelliJ IDEA, choose File > New > Project from Existing Sources, select the apigateway-backend-signature-demo\pom.xml file, and click OK.
   Figure 1 Select File or Directory to Import
   

2. Retain the default settings, click Next for the following four steps, and then click Finish.
3. On the Maven tab page on the right, double-click compile to compile the file.
   Figure 2 Compiling the project
   

   If the message "BUILD SUCCESS" is displayed, the compilation is successful.

   

4. Right-click BackendSignatureApplication and choose Run.
   Figure 3 Running the BackendSignatureApplication service
   

   Modify the parameters in sample code ApigatewaySignatureFilter.java as required. For details about the sample code, see Backend Signature Verification Example.

Backend Signature Verification Example

This example demonstrates how to build a Spring boot–based server as the backend of an API and implement a filter to verify the signature of requests sent from APIG (API Management).

Signature information is added to requests sent to access the backend of an API only after a signature key is bound to the API.

1. Compile a controller that matches all request paths and methods and set the return body to Hello World!

   1 2 3 4 5 6 7 8 9 10 11

   // HelloController.java @RestController @EnableAutoConfiguration public class HelloController { @RequestMapping("/*") private String index() { return "Hello World!"; } }

2. Compile a filter that matches all request paths and methods, and put the signature key and secret in a Map.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

   // ApigatewaySignatureFilter.java @Component @WebFilter(filterName = "ApigatewaySignatureFilter", urlPatterns = "/*") public class ApigatewaySignatureFilter implements Filter { private static Map<String, String> secrets = new HashMap<>(); static { // Hard-coded or plaintext AK/SK is risky. For security, encrypt your AK/SK and store them in the configuration file or environment variables. // In this example, the AK/SK stored in the environment variables are used. Configure variables HUAWEICLOUD_SDK_AK1, HUAWEICLOUD_SDK_SK1, HUAWEICLOUD_SDK_AK2, and HUAWEICLOUD_SDK_SK2 in the local environment first. secrets.put(System.getenv("HUAWEICLOUD_SDK_AK1"), System.getenv("HUAWEICLOUD_SDK_SK1")); secrets.put(System.getenv("HUAWEICLOUD_SDK_AK2"), System.getenv("HUAWEICLOUD_SDK_SK2")); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) { //Signature verification code ... } }

3. To ensure that the body can be read in the filter and controller, wrap the request and send it to the filter and controller. The doFilter function is used for signature verification. For the implementation of wrapper classes, see RequestWrapper.java.

   1	RequestWrapper request = new RequestWrapper((HttpServletRequest) servletRequest);

4. Use a regular expression to parse the Authorization header to obtain signingKey and signedHeaders.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

   private static final Pattern authorizationPattern = Pattern.compile("SDK-HMAC-SHA256\\s+Access=([^,]+),\\s?SignedHeaders=([^,]+),\\s?Signature=(\\w+)"); ... String authorization = request.getHeader("Authorization"); if (authorization == null || authorization.length() == 0) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization not found."); return; } Matcher m = authorizationPattern.matcher(authorization); if (!m.find()) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization format incorrect."); return; } String signingKey = m.group(1); String signingSecret = secrets.get(signingKey); if (signingSecret == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signing key not found."); return; } String[] signedHeaders = m.group(2).split(";");

   For example, for Authorization header:

   1	SDK-HMAC-SHA256 Access=signature_key1, SignedHeaders=host;x-sdk-date, Signature=e11adf65a20d1b82c25419b5********8d0ba12fed1ceb13ed00

   The parsing result is as follows:

   1 2	signingKey=signature_key1 signedHeaders=host;x-sdk-date

5. Find signingSecret based on signingKey. If signingKey does not exist, the authentication failed.

   1 2 3 4 5

   String signingSecret = secrets.get(signingKey); if (signingSecret == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signing key not found."); return; }

6. Create a request, and add the method, URL, query, and signedHeaders headers to the request. Determine whether the body needs to be set.
   The body is read if there is no x-sdk-content-sha256 header with value UNSIGNED-PAYLOAD.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

   Request apiRequest = new DefaultRequest(); apiRequest.setHttpMethod(HttpMethodName.valueOf(request.getMethod())); String url = request.getRequestURL().toString(); String queryString = request.getQueryString(); try { apiRequest.setEndpoint((new URL(url)).toURI()); Map<String, String> parametersmap = new HashMap<>(); if (null != queryString && !"".equals(queryString)) { String[] parameterarray = queryString.split("&"); for (String p : parameterarray) { String[] p_split = p.split("=", 2); String key = p_split[0]; String value = ""; if (p_split.length >= 2) { value = p_split[1]; } parametersmap.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(value, "UTF-8")); } apiRequest.setParameters(parametersmap); //set query } } catch (URISyntaxException e) { e.printStackTrace(); } boolean needbody = true; String dateHeader = null; for (int i = 0; i < signedHeaders.length; i++) { String headerValue = request.getHeader(signedHeaders[i]); if (headerValue == null || headerValue.length() == 0) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "signed header" + signedHeaders[i] + " not found."); } else { apiRequest.addHeader(signedHeaders[i], headerValue);//set header if (signedHeaders[i].toLowerCase().equals("x-sdk-content-sha256") && headerValue.equals("UNSIGNED-PAYLOAD")) { needbody = false; } if (signedHeaders[i].toLowerCase().equals("x-sdk-date")) { dateHeader = headerValue; } } } if (needbody) { apiRequest.setContent(new ByteArrayInputStream(request.getBody())); //set body }

7. Check whether the signature has expired. Obtain the time from the X-Sdk-Date header, and check whether the difference between this time and the server time is within 15 minutes. If signedHeaders does not contain X-Sdk-Date, the authentication failed.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14

   private static final DateTimeFormatter timeFormatter = DateTimeFormat.forPattern("yyyyMMdd'T'HHmmss'Z'").withZoneUTC(); ... if (dateHeader == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Header x-sdk-date not found."); return; } long date = timeFormatter.parseMillis(dateHeader); long duration = Math.abs(DateTime.now().getMillis() - date); if (duration > 15 * 60 * 1000) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signature expired."); return; }

8. Add the Authorization header to the request, and invoke the verify method to verify the request signature. If the verification is successful, the next filter is executed. Otherwise, the authentication failed.

   1 2 3 4 5 6 7 8 9 10

   apiRequest.addHeader("authorization", authorization); apiRequest.setKey(signingKey); apiRequest.setSecret(signingSecret); Signer signer = new Signer(); boolean verify = signer.verify(apiRequest); if (verify) { chain.doFilter(request, response); } else { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Verify authroization failed."); }

9. Run the server to verify the code. The following example uses the HTML signature tool in the JavaScript SDK to generate a signature.

   Set the parameters according to the following figure, and click Send request. Copy the generated curl command, execute it in the CLI, and check whether the server returns Hello World!

   If an incorrect key or secret is used, the server returns 401, which means authentication failure.