jclouds-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Blagoi Anastasov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCLOUDS-1476) AWS4 double authentication: query string and headers
Date Thu, 03 Jan 2019 15:21:00 GMT

    [ https://issues.apache.org/jira/browse/JCLOUDS-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733147#comment-16733147
] 

Blagoi Anastasov commented on JCLOUDS-1476:
-------------------------------------------

Strange that when I upload to S3(not amazon) endpoint also using V4 Signature, it passes with
response 200 and the file is uploaded successfully. It happens only when I point to amazon
s3 endpoint. Do you have any suggestions?

> AWS4 double authentication: query string and headers
> ----------------------------------------------------
>
>                 Key: JCLOUDS-1476
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1476
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-blobstore
>    Affects Versions: 2.1.1
>            Reporter: Blagoi Anastasov
>            Priority: Major
>
> Hi,
> There is a problem when using AWSS3BlobRequestSignerV4.java signPutBLob(...) method as
it turns out that the request which is returned is double signed(with query string, concatenated
to the endpoint and also with headers). This happens when the blob object is created with
payload(InputStream). It does not happen when the blob is with payload(File). I have examined
it and it looks like when filtering the request in filter(HttpRequest request) method in RequestAuthorizeSignatureV4.java,
as the payload is InputStream it is not repeatable by default so the filter(HttpRequest request)
method goes for signForChunkedUpload(request) instead of signForAuthorizationHeader(request).
And in this case the request returned is double signed. It has authorization headers and also
authorization query string. It fails with:
> Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx
HTTP/1.1 failed with code 400, error: AWSError\{requestId='xxx', requestToken='xxx', code='InvalidArgument',
message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature
query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256
Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length,
Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
>  
> Here is also stack trace:
>  
> Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx
HTTP/1.1 failed with code 400, error: AWSError\{requestId='6D61670538525FB9', requestToken='xxx',
code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm
query parameter, Signature query string parameter or the Authorization header should be specified',
context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request,
SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length,
Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}
>  at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:75)
>  at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
>  at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.shouldContinue(CustomJavaUrlHttpCommandExecutorService.java:125)
>  at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.invoke(CustomJavaUrlHttpCommandExecutorService.java:94)
>  at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:91)
>  at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:74)
>  at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:45)
>  at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
>  at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
>  at com.sun.proxy.$Proxy174.invoke(Unknown Source)
>  
> It fails on invoke when trying to get a response from this request. But the problem is
why the request is left to be double signed?
>  
> Best Regards,
> Blago



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message