This example demonstrates how to verify webhook, app event, and app action requests from Contentful using HMAC-SHA256 in Java with Spring Boot. The server computes a signature from the request's method, path, headers, and body, then compares it to the signature provided by Contentful.
- Java 8 or higher
- Apache Maven
- Set the
CONTENTFUL_SIGNING_SECRETenvironment variable:
export CONTENTFUL_SIGNING_SECRET="your_contentful_signing_secret_here"- Install dependencies:
mvn clean install- Run the application:
mvn spring-boot:runThe server will start on http://localhost:8080.
- DemoApplication.java: The main entry point of the Spring Boot application. Defines the endpoint for incoming requests and handles the verification process.
- RequestVerifier.java: Contains the verification logic, including signing the request and building the canonical string.
The Java implementation builds a canonical string based on:
- HTTP Method: Always "POST" in this case.
- Path: The endpoint path, e.g., /.
- Signed Headers: The headers specified in the X-Contentful-Signed-Headers header, normalized and concatenated with ;.
- Body: The raw request body.
The generated signature is an HMAC SHA256 hash of the canonical string, using the CONTENTFUL_SIGNING_SECRET as the key. The signature is then compared to the signature provided by Contentful in the X-Contentful-Signature header.