diff --git a/ask-sdk-servlet-support/src/com/amazon/ask/servlet/ServletConstants.java b/ask-sdk-servlet-support/src/com/amazon/ask/servlet/ServletConstants.java
index d25c9971..06927edd 100644
--- a/ask-sdk-servlet-support/src/com/amazon/ask/servlet/ServletConstants.java
+++ b/ask-sdk-servlet-support/src/com/amazon/ask/servlet/ServletConstants.java
@@ -52,6 +52,16 @@ public final class ServletConstants {
 public static final String SIGNATURE_CERTIFICATE_CHAIN_URL_REQUEST_HEADER = "SignatureCertChainUrl";
+ /**
+ * The name of the system property that can be used to disable request signature verification.
+ * This feature verifies the certificate authenticity using the configured TrustStore and the
+ * signature of the skill request, and will throw a {@link SecurityException} if the signature
+ * does not pass verification. This feature should only be disabled in testing scenarios and
+ * never in a production environment.
+ */
+ public static final String DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY =
+ "com.amazon.ask.servlet.disableRequestSignatureCheck";
+
 /**
 * The name of the system property that can be used to configure the timestamp tolerance (in
 * millis) of the {@link SkillServlet}. Requests with timestamps outside of this inclusive tolerance range,
diff --git a/ask-sdk-servlet-support/src/com/amazon/ask/servlet/SkillServlet.java b/ask-sdk-servlet-support/src/com/amazon/ask/servlet/SkillServlet.java
index 26a465ff..b4d8fed1 100644
--- a/ask-sdk-servlet-support/src/com/amazon/ask/servlet/SkillServlet.java
+++ b/ask-sdk-servlet-support/src/com/amazon/ask/servlet/SkillServlet.java
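Review bot: The new Javadoc on `DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY` explains what the switch does but not which value activates it or when it takes effect, so a developer setting `=1` or `=yes` gets no change and no hint why. From the SkillServlet hunk in this same change the property appears to be parsed with `Boolean.parseBoolean` and sampled once in the servlet constructor, so I would add to the doc: `Set to {@code "true"} (case-insensitive) to disable verification; any other or missing value leaves it enabled. The value is read once when the {@link SkillServlet} is constructed, so changing it later has no effect.` The existing warning that this must never be used in production is good and should stay as the closing sentence.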
@@ -66,7 +66,9 @@ public class SkillServlet extends HttpServlet {
 public SkillServlet(Skill skill) {
 List defaultVerifiers = new ArrayList<>();
- defaultVerifiers.add(new SkillRequestSignatureVerifier());
+ if (!Boolean.parseBoolean(System.getProperty(ServletConstants.DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY))) {
+ defaultVerifiers.add(new SkillRequestSignatureVerifier());
+ }
 Long timestampToleranceProperty = ServletUtils.getSystemPropertyAsLong(TIMESTAMP_TOLERANCE_SYSTEM_PROPERTY);
 defaultVerifiers.add(new SkillRequestTimestampVerifier(timestampToleranceProperty != null ? timestampToleranceProperty : DEFAULT_TOLERANCE_MILLIS));
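Review bot: Skipping the signature verifier leaves no runtime trace: when the property parses as true the `SkillRequestSignatureVerifier` is silently left out of `defaultVerifiers`, so a JVM that carries `-Dcom.amazon.ask.servlet.disableRequestSignatureCheck=true` into production accepts unsigned requests with nothing in the logs to reveal it. I would invert the condition and emit a WARN-level line in the branch that omits the verifier (assuming the class has, or can gain, a logger), as sketched below. The fail-safe default is right — `Boolean.parseBoolean(null)` is false, so an unset property keeps verification on — and deserves a one-line comment so nobody "fixes" it. The constructor this sits in continues past the end of the hunk.
```java
public SkillServlet(Skill skill) {
    List defaultVerifiers = new ArrayList<>();
    // Boolean.parseBoolean(null) is false: an unset or non-"true" property keeps verification enabled.
    if (Boolean.parseBoolean(System.getProperty(ServletConstants.DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY))) {
        LOGGER.warn("Request signature verification is DISABLED via system property {}; never run this way in production",
                ServletConstants.DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY);
    } else {
        defaultVerifiers.add(new SkillRequestSignatureVerifier());
    }
    // … unchanged: timestamp tolerance lookup and SkillRequestTimestampVerifier registration …
```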