CryptoHeaderFilter
This object is deprecated and likely to be removed in a future release. The CryptoHeaderFilter conveys encrypted data between hosts by using insecure ECB mode ciphers. Consider using a JwtBuilderFilter with a HeaderFilter for a more secure way to pass identity or other runtime information to the protected application.
Encrypts or decrypts headers in a request or response, using a symmetric or asymmetric key. CryptoHeaderFilter supports key rotation.
Usage
{
    "name": string,
    "type": "CryptoHeaderFilter",
    "config": {
        "messageType": configuration expression<enumeration>,
        "operation": configuration expression<enumeration>,
        "keySecretId": configuration expression<secret-id>,
        "secretsProvider": SecretsProvider reference,
        "algorithm": configuration expression<string>,
        "charset": configuration expression<string>,
        "headers": [ configuration expression<string>, ... ]
    }
}
Properties
"messageType": configuration expression<enumeration>, required
    The type of message whose headers to encrypt or decrypt.
    Must be one of: "REQUEST", "RESPONSE".

"operation": configuration expression<enumeration>, required
    Indication of whether to encrypt or decrypt.
    Must be one of: "ENCRYPT", "DECRYPT".

"keySecretId": configuration expression<secret-id>, required
    The secret ID of the key to encrypt or decrypt the headers. For more information, see Default Secrets Object.

"secretsProvider": SecretsProvider reference, required
    The SecretsProvider object to query for the key to encrypt or decrypt the headers. For more information, see SecretsProvider.

"algorithm": configuration expression<string>, optional
    The algorithm name, mode, and padding used for encryption and decryption.
    CryptoHeaderFilter does not support EC-based encryption. Use other cipher algorithm values given in Java Security Standard Algorithm Names.
    Default: AES/ECB/PKCS5Padding

"charset": configuration expression<string>, optional
    The name of the charset used to encrypt or decrypt values, as described in Class Charset.
    Default: UTF-8

"headers": array of configuration expression<string>, optional
    The names of header fields to encrypt or decrypt.
    Default: Empty
Example
{
    "name": "DecryptReplayPasswordFilter",
    "type": "CryptoHeaderFilter",
    "config": {
        "messageType": "REQUEST",
        "operation": "DECRYPT",
        "keySecretId": "decryption.secret.id",
        "secretsProvider": "KeyStoreSecretStore-1",
        "algorithm": "DES/ECB/NoPadding",
        "headers": [ "replaypassword" ]
    }
}