Add ability to disable servlet request signature verification (#163)

ask-sdk-servlet-support/src/com/amazon/ask/servlet/ServletConstants.java

@@ -52,6 +52,16 @@ public final class ServletConstants {
     public static final String SIGNATURE_CERTIFICATE_CHAIN_URL_REQUEST_HEADER =
             "SignatureCertChainUrl";
 
+    /**
+     * The name of the system property that can be used to disable request signature verification.
+     * This feature verifies the certificate authenticity using the configured TrustStore and the
+     * signature of the skill request, and will throw a {@link SecurityException} if the signature
+     * does not pass verification. This feature should only be disabled in testing scenarios and
+     * never in a production environment.
+     */
+    public static final String DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY =
+            "com.amazon.ask.servlet.disableRequestSignatureCheck";
+
     /**
      * The name of the system property that can be used to configure the timestamp tolerance (in
      * millis) of the {@link SkillServlet}. Requests with timestamps outside of this inclusive tolerance range,

ask-sdk-servlet-support/src/com/amazon/ask/servlet/SkillServlet.java

@@ -66,7 +66,9 @@ public class SkillServlet extends HttpServlet {
 
     public SkillServlet(Skill skill) {
         List<SkillServletVerifier> defaultVerifiers = new ArrayList<>();
-        defaultVerifiers.add(new SkillRequestSignatureVerifier());
+        if (!Boolean.parseBoolean(System.getProperty(ServletConstants.DISABLE_REQUEST_SIGNATURE_CHECK_SYSTEM_PROPERTY))) {
+            defaultVerifiers.add(new SkillRequestSignatureVerifier());
+        }
         Long timestampToleranceProperty = ServletUtils.getSystemPropertyAsLong(TIMESTAMP_TOLERANCE_SYSTEM_PROPERTY);
         defaultVerifiers.add(new SkillRequestTimestampVerifier(timestampToleranceProperty != null
                 ? timestampToleranceProperty : DEFAULT_TOLERANCE_MILLIS));