Help Center> API Gateway> Developer Guide (ME-Abu Dhabi Region)> Creating Signatures for Backend Requests> Java
Updated on 2023-05-24 GMT+08:00
View PDF

Java

Scenarios

To use Java to sign backend requests, obtain the Java SDK, import the project, and verify the backend signature by referring to the example provided in this section.

This section uses IntelliJ IDEA 2018.3.5 as an example.

Prerequisites

  • You have obtained the key and secret of the signature key to be used.
  • You have created a signature key on the APIG console and bound it to the API to be called. For more information, see section "Signature Keys" in the API Gateway User Guide.
  • Log in to the APIG console, and download the SDK on the SDKs page by referring to section "SDKs" in the API Gateway User Guide.
  • You have installed IntelliJ IDEA. If not, download IntelliJ IDEA from the official IntelliJ IDEA website and install it.
  • You have installed Java Development Kit (JDK) 1.8.111 or a later version. If not, download JDK from the official Oracle website and install it. JDK 17 or later is not supported.

Importing a Project

  1. Open IntelliJ IDEA, choose File > New > Project from Existing Sources, select the apigateway-backend-signature-demo\pom.xml file, and click OK.

    Figure 1 Select File or Directory to Import

  2. Retain the default settings, click Next for the following four steps, and then click Finish.
  3. On the Maven tab page on the right, double-click compile to compile the file.

    Figure 2 Compiling the project

    If the message "BUILD SUCCESS" is displayed, the compilation is successful.

  4. Right-click BackendSignatureApplication and choose Run.

    Figure 3 Running the BackendSignatureApplication service

    Modify the parameters in sample code ApigatewaySignatureFilter.java as required. For details about the sample code, see Backend Signature Verification Example.

Backend Signature Verification Example

This example demonstrates how to build a Spring boot–based server as the backend of an API and implement a filter to verify the signature of requests sent from APIG (API Management).

Signature information is added to requests sent to access the backend of an API only after a signature key is bound to the API.

  1. Compile a controller that matches all request paths and methods and set the return body to Hello World!

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
    		 
    // HelloController.java

@RestController
@EnableAutoConfiguration
public class HelloController {

    @RequestMapping("/*")
    private String index() {
        return "Hello World!";
    }
}

  2. Compile a filter that matches all request paths and methods, and put the signature key and secret in a Map.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
    		 
    // ApigatewaySignatureFilter.java

@Component
@WebFilter(filterName = "ApigatewaySignatureFilter", urlPatterns = "/*")
public class ApigatewaySignatureFilter implements Filter {
    private static Map<String, String> secrets = new HashMap<>();
    static {
        secrets.put("signature_key1", "signature_secret1");
        secrets.put("signature_key2", "signature_secret2");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) {
        //Signature verification code
        ...
    }
}

  3. To ensure that the body can be read in the filter and controller, wrap the request and send it to the filter and controller. The doFilter function is used for signature verification. For the implementation of wrapper classes, see RequestWrapper.java.

    1
    		 
    RequestWrapper request = new RequestWrapper((HttpServletRequest) servletRequest);

  4. Use a regular expression to parse the Authorization header to obtain signingKey and signedHeaders.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
    		 
    private static final Pattern authorizationPattern = Pattern.compile("SDK-HMAC-SHA256\\s+Access=([^,]+),\\s?SignedHeaders=([^,]+),\\s?Signature=(\\w+)");

...

String authorization = request.getHeader("Authorization");
if (authorization == null || authorization.length() == 0) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization not found.");
	return;
}

Matcher m = authorizationPattern.matcher(authorization);
if (!m.find()) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization format incorrect.");
	return;
}
String signingKey = m.group(1);
String signingSecret = secrets.get(signingKey);
if (signingSecret == null) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signing key not found.");
	return;
}
String[] signedHeaders = m.group(2).split(";");

    For example, for Authorization header:

    1
    		 
    SDK-HMAC-SHA256 Access=signature_key1, SignedHeaders=host;x-sdk-date, Signature=e11adf65a20d1b82c25419b5********8d0ba12fed1ceb13ed00

    The parsing result is as follows:

    1
2
    		 
    signingKey=signature_key1
signedHeaders=host;x-sdk-date

  5. Find signingSecret based on signingKey. If signingKey does not exist, the authentication failed.

    1
2
3
4
5
    		 
    String signingSecret = secrets.get(signingKey);
if (signingSecret == null) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signing key not found.");
	return;
}

  6. Create a request, and add the method, URL, query, and signedHeaders headers to the request. Determine whether the body needs to be set.

    The body is read if there is no x-sdk-content-sha256 header with value UNSIGNED-PAYLOAD. 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
    		 
    Request apiRequest = new DefaultRequest();
apiRequest.setHttpMethod(HttpMethodName.valueOf(request.getMethod()));
String url = request.getRequestURL().toString();
String queryString = request.getQueryString();
try {
	apiRequest.setEndpoint((new URL(url)).toURI());
	Map<String, String> parametersmap = new HashMap<>();
	if (null != queryString && !"".equals(queryString)) {
		String[] parameterarray = queryString.split("&");
		for (String p : parameterarray) {
			String[] p_split = p.split("=", 2);
			String key = p_split[0];
			String value = "";
			if (p_split.length >= 2) {
				value = p_split[1];
			}
			parametersmap.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
		}
		apiRequest.setParameters(parametersmap); //set query
	}
} catch (URISyntaxException e) {
	e.printStackTrace();
}

boolean needbody = true;
String dateHeader = null;
for (int i = 0; i < signedHeaders.length; i++) {
	String headerValue = request.getHeader(signedHeaders[i]);
	if (headerValue == null || headerValue.length() == 0) {
		((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "signed header" + signedHeaders[i] + " not found.");
	} else {
		apiRequest.addHeader(signedHeaders[i], headerValue);//set header
		if (signedHeaders[i].toLowerCase().equals("x-sdk-content-sha256") && headerValue.equals("UNSIGNED-PAYLOAD")) {
			needbody = false;
		}
		if (signedHeaders[i].toLowerCase().equals("x-sdk-date")) {
			dateHeader = headerValue;
		}
	}
}

if (needbody) {
        apiRequest.setContent(new ByteArrayInputStream(request.getBody()));    //set body
}

  7. Check whether the signature has expired. Obtain the time from the X-Sdk-Date header, and check whether the difference between this time and the server time is within 15 minutes. If signedHeaders does not contain X-Sdk-Date, the authentication failed.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
    		 
    private static final DateTimeFormatter timeFormatter = DateTimeFormat.forPattern("yyyyMMdd'T'HHmmss'Z'").withZoneUTC();

...

if (dateHeader == null) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Header x-sdk-date not found.");
	return;
}
long date = timeFormatter.parseMillis(dateHeader);
long duration = Math.abs(DateTime.now().getMillis() - date);
if (duration > 15 * 60 * 1000) {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signature expired.");
	return;
}

  8. Add the Authorization header to the request, and invoke the verify method to verify the request signature. If the verification is successful, the next filter is executed. Otherwise, the authentication failed.

    1
2
3
4
5
6
7
    		 
    DefaultSigner signer = (DefaultSigner) SignerFactory.getSigner();
boolean verify = signer.verify(apiRequest, new BasicCredentials(signingKey, signingSecret));
if (verify) {
	chain.doFilter(request, response);
} else {
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "verify authroization failed.");
}

  9. Run the server to verify the code. The following example uses the HTML signature tool in the JavaScript SDK to generate a signature.

    Set the parameters according to the following figure, and click Send request. Copy the generated curl command, execute it in the CLI, and check whether the server returns Hello World!

    If an incorrect key or secret is used, the server returns 401, which means authentication failure.