Skip to content

Disable payload signing for https requests #6691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RanVaknin wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Disable payload signing for https requests #6691

RanVaknin wants to merge 5 commits into from

Conversation

@RanVaknin
Copy link
Contributor

@RanVaknin RanVaknin commented Jan 27, 2026
edited
Loading

⚠️ AFTER REVIEW - NEEDS MINOR VERSION BUMP

Addresses: JAVA-8739

Background

The SDK currently signs payloads for all requests (HTTP and HTTPS). This differs from V1, which only signed payloads for HTTP requests. For HTTPS requests, payload signing is redundant since TLS already provides integrity protection, and it causes measurable performance degradation. This change follows the same behavior of v1 where HTTPS requests' payloads were not signed.

Benchmarking Approach

Performance was measured using JMH with a stubbed DynamoDB client to isolate signing overhead. I chose two binary payload a 10kb and 400kb (DDB limit) to see if this exacerbates the performance bottleneck.

Results

Payload Size Metric Before (µs) After (µs) Improvement
10KB p50 92.160 55.168 40% faster
10KB p90 95.872 62.336 35% faster
10KB p95 108.288 68.608 37% faster
10KB p99 142.848 101.248 29% faster
400KB p50 2732.032 1249.280 54% faster
400KB p90 2818.048 1306.624 54% faster
400KB p95 2867.200 1335.296 53% faster
400KB p99 3796.992 2137.252 44% faster

Flamegraphs

Before

image

After

image

@RanVaknin RanVaknin requested a review from a team as a code owner January 27, 2026 19:59
@RanVaknin RanVaknin added the no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required label Jan 27, 2026
RanVaknin
RanVaknin commented Jan 27, 2026
View reviewed changes
...software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSignerTest.java
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Region-Set")).hasValue("aws-global");
assertThat(signedRequest.request().firstMatchingHeader("Authorization")).isPresent();
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).contains(PAYLOAD_SHA256_HEX);
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
Copy link
Contributor Author

@RanVaknin RanVaknin Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing default behavior

RanVaknin
RanVaknin commented Jan 27, 2026
View reviewed changes
...software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSignerTest.java
assertThat(signedRequest.request().firstMatchingHeader("X-Amz-Region-Set")).hasValue("aws-global");
assertThat(signedRequest.request().firstMatchingHeader("Authorization")).isPresent();
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).contains(PAYLOAD_SHA256_HEX);
assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256")).hasValue("UNSIGNED-PAYLOAD");
Copy link
Contributor Author

@RanVaknin RanVaknin Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing default behavior

@alextwoods alextwoods added the perf-improvement Label for PRs that contain performance improvement changes. label Jan 27, 2026
zoewangg
zoewangg reviewed Jan 27, 2026
View reviewed changes
...ws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/util/ChecksumUtil.java
if (!isPayloadSigningEnabled) {
if (payloadSigningEnabled != null) {
// presigning requests should always have a null payload, and should always be unsigned-payload
if (!isEncrypted && hasPayload && !payloadSigningEnabled) {
Copy link
Contributor

@zoewangg zoewangg Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If payloadSigningEnabled is not null, i.e., configured by the user or set on the service model, should we always enable payload signing regardless of isEncrypted?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dagnir dagnir dagnir left review comments

@zoewangg zoewangg zoewangg left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required perf-improvement Label for PRs that contain performance improvement changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@RanVaknin @dagnir @zoewangg @alextwoods