
Verifying webhook authenticity using Spring Boot



Posted Oct 30, 2022

I am migrating some code to Java Spring Boot and using Zendesk webhooks. The webhook requests have two headers.

X-Zendesk-Webhook-Signature - the main signature
X-Zendesk-Webhook-Signature-Timestamp - the timestamp used to verify the signature

Also, there is a secret key. Until now I was able to test the webhook and it successfully reached my @RestController, but now I want to validate that it's coming from Zendesk. Ref - https://developer.zendesk.com/documentation/event-connectors/webhooks/verifying/


2 comments


Eric Nelson

Zendesk Developer Advocacy

Hey there,

Do you mind clarifying what your question is? Unfortunately we don't have a tutorial on how to handle webhook verification in Java.

Sorry for the inconvenience



Jehudowuf, I'm verifying the request via this method and it works in Spring Boot :) The arguments for the function come from the webhook request: the headers you mention and the full request body. Hope it helps :) The compared signatures in the final if statement should be the same.

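import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.tomcat.util.codec.binary.Base64;

......

// Signing secret taken from the webhook configuration
private final String zendeskSecretKey = "XXXXXXXXXXX_SECRET_FROM_WEBHOOK_CONFIG";

public void validateZendeskWebhookRequest(String zendeskSignatureTimeStamp, String zendeskSignature, String requestBody) throws Exception {
    // HMAC-SHA256 keyed with the webhook secret
    Mac sha256 = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKey = new SecretKeySpec(zendeskSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    sha256.init(secretKey);

    // The signed message is the timestamp header followed by the full request body
    String signature =
        Base64.encodeBase64String(
            sha256.doFinal((zendeskSignatureTimeStamp + requestBody).getBytes(StandardCharsets.UTF_8)));

    // Debug only: this writes the expected signature to the log
    LOGGER.debug("Request Validation Result: {} vs {}", signature, zendeskSignature);

    // Reject a missing header, and compare in constant time instead of with String.equals
    if (zendeskSignature == null
            || !MessageDigest.isEqual(
                signature.getBytes(StandardCharsets.UTF_8),
                zendeskSignature.getBytes(StandardCharsets.UTF_8))) {
        throw new ZendeskRequestNotValidException();
    }
}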

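The check described in the comment above, as an added example that is not part of the original posts and is not Zendesk's own code. It goes beyond the posted method by also rejecting missing headers, malformed Base64 and stale timestamps. The class and method names, the ISO 8601 timestamp format, the five-minute window and all sample values are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

public class ZendeskSignatureCheck {
    // Assumption: oldest request age we accept; not a value taken from the page.
    static final Duration MAX_SKEW = Duration.ofMinutes(5);

    // HMAC-SHA256 over the timestamp header followed by the raw body bytes.
    static byte[] hmac(String secret, String timestamp, byte[] rawBody) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        mac.update(timestamp.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal(rawBody);
    }

    /** True only for a fresh request whose signature matches the raw body bytes. */
    static boolean isValid(String secret, String timestamp, String signature,
                           byte[] rawBody, Instant now) {
        if (timestamp == null || signature == null || rawBody == null) return false;
        try {
            // Assumption: the timestamp header is ISO 8601 (e.g. 2022-10-30T12:00:00Z).
            Instant signedAt = Instant.parse(timestamp);
            if (Duration.between(signedAt, now).abs().compareTo(MAX_SKEW) > 0) return false;
            byte[] received = Base64.getDecoder().decode(signature);
            // MessageDigest.isEqual is a constant-time comparison, unlike String.equals.
            return MessageDigest.isEqual(hmac(secret, timestamp, rawBody), received);
        } catch (Exception e) {
            return false; // unparsable timestamp, bad Base64 or crypto failure: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real Zendesk data.
        String secret = "constructed-test-secret";
        String ts = "2022-10-30T12:00:00Z";
        byte[] body = "{\"ticket_id\":1}".getBytes(StandardCharsets.UTF_8);
        String sig = Base64.getEncoder().encodeToString(hmac(secret, ts, body));
        Instant now = Instant.parse("2022-10-30T12:01:00Z");
        byte[] tampered = "{\"ticket_id\":2}".getBytes(StandardCharsets.UTF_8);

        System.out.println("valid request:   " + isValid(secret, ts, sig, body, now));
        System.out.println("tampered body:   " + isValid(secret, ts, sig, tampered, now));
        System.out.println("stale timestamp: " + isValid(secret, ts, sig, body, now.plusSeconds(3600)));
        System.out.println("missing header:  " + isValid(secret, ts, null, body, now));
    }
}
```

In a @RestController, bind the payload as raw bytes (for example `@RequestBody byte[]`) and verify it before deserializing, so the HMAC is computed over the body exactly as it was sent.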

