author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2020-09-30 12:02:25 +0200 |
---|---|---|
committer | Øyvind Grønnesby <oyving@verizonmedia.com> | 2020-09-30 12:02:25 +0200 |
commit | 7f11e8043773bbef8f03c6b864b2bbbb5938b734 (patch) | |
tree | c1199ada8be3bdc8aba44537832b8e2b61f65fa6 | |
parent | ff205ce5e2eccafeb0957007fb2671f1488e57c3 (diff) |
Comment where payload is checkted in SignatureFilter
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
index 1f515035fe7..acacdce9e8d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/SignatureFilter.java
@@ -65,6 +65,11 @@ public class SignatureFilter extends JsonSecurityRequestFilterBase {
 }
 private boolean keyVerifies(PublicKey key, DiscFilterRequest request) {
+ /* This method only checks that the content hash has been signed by the provided public key, but
+ * does not verify the content of the request. jDisc request filters do not allow inspecting the
+ * request body, so this responsibility falls on the handler consuming the body instead. For this
+ * specific case the request body is validated in {@link ApplicationApiHandler.parseDataParts}.
+ */
 return new RequestVerifier(key, controller.clock()).verify(Method.valueOf(request.getMethod()),
 request.getUri(),
 request.getHeader("X-Timestamp"), |
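Review bot: The comment added at the top of `keyVerifies` puts `{@link ApplicationApiHandler.parseDataParts}` inside a plain `/* */` block in the method body, where Javadoc tags are never resolved, and a member reference needs `#` rather than `.`. Moving the text to a Javadoc on the method, for example `/** Verifies only the signature over the content hash; the body must be checked against that hash by the consuming handler, see {@link ApplicationApiHandler#parseDataParts}. */`, lets tooling follow the reference when the handler is renamed. The comment also scopes the body check to "this specific case". By its own description, any other handler behind this filter that reads the body without comparing it to the signed hash would accept a body the signature does not cover. It should therefore state the check as a requirement on every body-consuming handler. The `verify(...)` call continues past the end of the hunk, so the remaining arguments are not visible here.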