The scope of the signature - i.e. the set of headers and optionally the body that are verified to be part of the signature - is specified by the configuration.
It is defined by the following properties:
- Digest: defines whether a hash value of the HTTP request body is added to the HTTP headers.
- Signature Header Verifications: defines the set of HTTP headers of the request that must be part of the signature. It supports the following types:
- Mandatory HTTP Signature Header: The header must be part of the signature unless an additional condition (presence of another header or presence of a request body) is not met.
- Whitelist HTTP Signature Header: Ensures that only the whitelisted headers are in the signature.
According to the STET specification (V1.4.1.3 - 20190115) - section 3.5 ("Applicative authentication") - the following settings should be used:
IAM Config Property | Value | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Digest | HTTP Instance Digest Verification with allowed algorithms SHA-256. | Ensures that the HTTP request body - if present - is hashed. The hash value is transferred as HTTP header Digest. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Signature Headers | Values of type Mandatory HTTP Signature Header:
| Ensure that HTTP headers are part of the signature. The STET specification states that the "Digest" header must always be present, even if there is no body in the request. The recommended setting, i.e. only require the Digest header if there is a body, may be more robust in practice. |