Skip to content

Disable payload signing for https requests #6691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
RanVaknin wants to merge 5 commits into from
Closed

Disable payload signing for https requests #6691

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2d34fd3
Disable payload signing for HTTPS requests
RanVaknin Jan 27, 2026
04ba7d4
Update Javadoc
RanVaknin Jan 27, 2026
8e59fcd
Add changelog
RanVaknin Jan 27, 2026
5501942
Fix tests with new default behavior
RanVaknin Jan 27, 2026
e92f447
Fix tangential fixture tests, fix javadoc, fix ChecksumUtil logic
RanVaknin Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changes/next-release/feature-AWSSDKforJavav2-c710394.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"type": "feature",
"category": "AWS SDK for Java v2",
"contributor": "",
"description": "HTTPS requests now skip payload signing by default for improved performance. HTTP and signing-dependent features are unaffected."
}
27 changes: 22 additions & 5 deletions ...src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/util/ChecksumUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.Locale;
import java.util.Objects;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.checksums.SdkChecksum;
import software.amazon.awssdk.checksums.spi.ChecksumAlgorithm;
Expand Down Expand Up @@ -134,23 +135,39 @@ public static boolean useChunkEncoding(boolean payloadSigningEnabled, boolean ch

public static boolean isPayloadSigning(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request) {
boolean isAnonymous = CredentialUtils.isAnonymous(request.identity());
boolean isPayloadSigningEnabled = request.requireProperty(PAYLOAD_SIGNING_ENABLED, true);
Boolean payloadSigningEnabled = request.property(PAYLOAD_SIGNING_ENABLED);
boolean isEncrypted = "https".equals(request.request().protocol());
boolean hasPayload = request.payload().isPresent();

if (isAnonymous) {
return false;
}

// presigning requests should always have a null payload, and should always be unsigned-payload
if (!isEncrypted && request.payload().isPresent()) {
if (!isPayloadSigningEnabled) {
if (payloadSigningEnabled != null) {
// presigning requests should always have a null payload, and should always be unsigned-payload
if (!isEncrypted && hasPayload && !payloadSigningEnabled) {
Copy link
Copy Markdown
Contributor

@zoewangg zoewangg Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If payloadSigningEnabled is not null, i.e., configured by the user or set on the service model, should we always enable payload signing regardless of isEncrypted?

log.debug(() -> "Payload signing was disabled for an HTTP request with a payload. " +
"Signing will be enabled. Use HTTPS for unsigned payloads.");
return true;
}
return payloadSigningEnabled;
}

if (Objects.equals(request.property(CHUNK_ENCODING_ENABLED), Boolean.TRUE)) {
return true;
}

if (isEventStreaming(request.request())) {
return true;
}
Comment thread
RanVaknin marked this conversation as resolved.
Outdated

return isPayloadSigningEnabled;
// For HTTPS, skip payload signing by default
if (isEncrypted) {
return false;
}

// For HTTP, sign payload by default
return hasPayload;
}

public static boolean isEventStreaming(SdkHttpRequest request) {
Expand Down
15 changes: 9 additions & 6 deletions ...-aws/src/main/java/software/amazon/awssdk/http/auth/aws/signer/AwsV4FamilyHttpSigner.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,13 +67,16 @@ public interface AwsV4FamilyHttpSigner<T extends Identity> extends HttpSigner<T>
SignerProperty.create(AwsV4FamilyHttpSigner.class, "ExpirationDuration");

/**
* Whether to indicate that a payload is signed or not. This property defaults to true. This can be set false to disable
* payload signing.
* Whether to indicate that a payload is signed or not.
* <p>
* When this value is true and {@link #CHUNK_ENCODING_ENABLED} is false, the whole payload must be read to generate
* the payload signature. For very large payloads, this could impact memory usage and call latency. Some services
* support this value being disabled, especially over HTTPS where SSL provides some of its own protections against
* payload tampering.
* <b>Default behavior (when not explicitly set):</b>
* <ul>
* <li>HTTPS requests: Payload signing is <b>disabled</b> by default for better performance</li>
* <li>HTTP requests: Payload signing is <b>enabled</b> by default for security</li>
* </ul>
* <p>
* <b>Note:</b> Certain features require payload signing regardless of this setting:
* chunk encoding ({@link #CHUNK_ENCODING_ENABLED}), event streaming, and flexible checksums with trailers.
Comment thread
RanVaknin marked this conversation as resolved.
Outdated
*/
SignerProperty<Boolean> PAYLOAD_SIGNING_ENABLED =
SignerProperty.create(AwsV4FamilyHttpSigner.class, "PayloadSigningEnabled");
Expand Down
4 changes: 2 additions & 2 deletions ...tware/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSignerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ void sign_withBasicRequest_shouldSignWithHeaders() {
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Date")).hasValue("20200803T174823Z");
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Region-Set")).hasValue("aws-global");
assertThat(signedRequest.request().firstMatchingHeader("Authorization")).isPresent();
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).contains(PAYLOAD_SHA256_HEX);
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
Copy link
Copy Markdown
Contributor Author

@RanVaknin RanVaknin Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing default behavior

}

@Test
Expand Down Expand Up @@ -172,7 +172,7 @@ void signAsync_withBasicRequest_shouldSignWithHeaders() {
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Date")).hasValue("20200803T174823Z");
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Region-Set")).hasValue("aws-global");
assertThat(signedRequest.request().firstMatchingHeader("Authorization")).isPresent();
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).contains(PAYLOAD_SHA256_HEX);
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
Copy link
Copy Markdown
Contributor Author

@RanVaknin RanVaknin Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing default behavior

}

@Test
Expand Down
98 changes: 98 additions & 0 deletions ...java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSignerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.stream.Collectors;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
Expand Down Expand Up @@ -979,6 +980,103 @@ void signAsync_WithPayloadSigningFalse_chunkEncodingTrue_noContentLengthHeader_t
.hasMessageContaining("Content-Length header must be specified");
}

@Test
void sign_WithHttpsAndNoProperties_UsesUnsignedPayload() {
SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
},
signRequest -> {
}
);

SignedRequest signedRequest = signer.sign(request);

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
}

@Test
void asyncSign_WithHttpsAndNoProperties_UsesUnsignedPayload() {
AsyncSignRequest<? extends AwsCredentialsIdentity> request = generateBasicAsyncRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
},
signRequest -> {
}
);

AsyncSignedRequest signedRequest = signer.signAsync(request).join();

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
}

@Test
void sign_WithHttpsExplicitSigning_SignsPayload() {
SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
},
signRequest -> {
signRequest.putProperty(PAYLOAD_SIGNING_ENABLED, true);
}
);

byte[] sha256Value = computeChecksum(SHA256, testPayload());
SignedRequest signedRequest = signer.sign(request);

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue(BinaryUtils.toHex(sha256Value));
}

@Test
void asyncSign_WithHttpsExplicitSigning_SignsPayload() {
AsyncSignRequest<? extends AwsCredentialsIdentity> request = generateBasicAsyncRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
},
signRequest -> {
signRequest.putProperty(PAYLOAD_SIGNING_ENABLED, true);
}
);

byte[] sha256Value = computeChecksum(SHA256, testPayload());
AsyncSignedRequest signedRequest = signer.signAsync(request).join();

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue(BinaryUtils.toHex(sha256Value));
}

@Test
void sign_WithHTTPAndNoProperties_SignsPayload() {
SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
httpRequest.uri(URI.create("http://demo.us-east-1.amazonaws.com"));
},
signRequest -> {
}
);

byte[] sha256Value = computeChecksum(SHA256, testPayload());
SignedRequest signedRequest = signer.sign(request);

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue(BinaryUtils.toHex(sha256Value));
}

@Test
void asyncSign_WithHTTPAndNoProperties_UsesSignsPayload() {
AsyncSignRequest<? extends AwsCredentialsIdentity> request = generateBasicAsyncRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> {
httpRequest.uri(URI.create("http://demo.us-east-1.amazonaws.com"));
},
signRequest -> {
}
);

byte[] sha256Value = computeChecksum(SHA256, testPayload());
AsyncSignedRequest signedRequest = signer.signAsync(request).join();

assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue(BinaryUtils.toHex(sha256Value));
}

private static byte[] computeChecksum(ChecksumAlgorithm algorithm, byte[] data) {
SdkChecksum checksum = SdkChecksum.forAlgorithm(algorithm);
Expand Down
38 changes: 38 additions & 0 deletions ...test/java/software/amazon/awssdk/http/auth/aws/internal/signer/util/ChecksumUtilTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,20 +24,30 @@
import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.MD5;
import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.SHA1;
import static software.amazon.awssdk.checksums.DefaultChecksumAlgorithm.SHA256;
import static software.amazon.awssdk.http.auth.aws.TestUtils.generateBasicRequest;
import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.checksumHeaderName;
import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.fromChecksumAlgorithm;
import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.isPayloadSigning;
import static software.amazon.awssdk.http.auth.aws.internal.signer.util.ChecksumUtil.readAll;
import static software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner.PAYLOAD_SIGNING_ENABLED;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.URI;
import java.util.stream.Stream;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import org.mockito.Mockito;
import software.amazon.awssdk.checksums.SdkChecksum;
import software.amazon.awssdk.checksums.internal.Crc32Checksum;
import software.amazon.awssdk.checksums.internal.Crc64NvmeChecksum;
import software.amazon.awssdk.checksums.internal.DigestAlgorithmChecksum;
import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;

public class ChecksumUtilTest {

Expand Down Expand Up @@ -87,4 +97,32 @@ public void readAll_throwNonIoException_shouldNotWrap() throws IOException {
Mockito.when(mock.read(Mockito.any(byte[].class))).thenThrow(npe);
assertThatThrownBy(() -> readAll(mock)).isEqualTo(npe);
}

@ParameterizedTest(name = "{0}")
@MethodSource("payloadSigningTestCases")
void isPayloadSigning_returnsExpectedValue(String description, Boolean propertyValue,
String protocol, boolean expected) {
SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
AwsCredentialsIdentity.create("access", "secret"),
httpRequest -> httpRequest.uri(URI.create(protocol + "://demo.us-east-1.amazonaws.com")),
signRequest -> {
if (propertyValue != null) {
signRequest.putProperty(PAYLOAD_SIGNING_ENABLED, propertyValue);
}
}
);

assertEquals(expected, isPayloadSigning(request));
}

private static Stream<Arguments> payloadSigningTestCases() {
return Stream.of(
Arguments.of("Explicit true overrides HTTPS", true, "https", true),
Arguments.of("Explicit false with HTTPS", false, "https", false),
Arguments.of("HTTPS with no property skips signing", null, "https", false),
Arguments.of("HTTP with no property signs payload", null, "http", true)
);
}


}
94 changes: 94 additions & 0 deletions ...rc/main/java/software/amazon/awssdk/benchmark/signer/DynamoDbPayloadSigningBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

package software.amazon.awssdk.benchmark.signer;

import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import org.openjdk.jmh.annotations.Benchmark;
import org.openjdk.jmh.annotations.BenchmarkMode;
import org.openjdk.jmh.annotations.Fork;
import org.openjdk.jmh.annotations.Level;
import org.openjdk.jmh.annotations.Measurement;
import org.openjdk.jmh.annotations.Mode;
import org.openjdk.jmh.annotations.OutputTimeUnit;
import org.openjdk.jmh.annotations.Param;
import org.openjdk.jmh.annotations.Scope;
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.TearDown;
import org.openjdk.jmh.annotations.Warmup;
import org.openjdk.jmh.infra.Blackhole;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.benchmark.utils.MockHttpClient;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
import software.amazon.awssdk.services.dynamodb.model.PutItemRequest;
import software.amazon.awssdk.services.dynamodb.model.PutItemResponse;

@State(Scope.Thread)
@BenchmarkMode(Mode.SampleTime)
@OutputTimeUnit(TimeUnit.MICROSECONDS)
@Warmup(iterations = 5)
@Measurement(iterations = 5)
@Fork(2)
public class DynamoDbPayloadSigningBenchmark {

@Param({"10240", "409600"})
private int payloadSize;

private DynamoDbClient client;
private PutItemRequest putRequest;

@Setup(Level.Trial)
public void setup() {
client = DynamoDbClient.builder()
.region(Region.US_EAST_1)
.endpointOverride(URI.create("https://dynamodb.us-east-1.amazonaws.com"))
.credentialsProvider(StaticCredentialsProvider.create(
AwsBasicCredentials.create("AKIATEST", "testSecretKey")))
.httpClient(new MockHttpClient("{}", "{}"))
.build();

byte[] data = new byte[payloadSize];
new Random(42).nextBytes(data);

Map<String, AttributeValue> item = new HashMap<>();
item.put("id", AttributeValue.builder().s("test-id").build());
item.put("data", AttributeValue.builder().b(SdkBytes.fromByteArray(data)).build());

putRequest = PutItemRequest.builder()
.tableName("test-table")
.item(item)
.build();
}

@TearDown(Level.Trial)
public void tearDown() {
client.close();
}

@Benchmark
public void putItem(Blackhole blackhole) {
PutItemResponse response = client.putItem(putRequest);
blackhole.consume(response);
}
}
Loading