From: "Sergey Beryozkin (JIRA)"
To: issues@cxf.apache.org
Date: Wed, 2 May 2012 14:46:51 +0000 (UTC)
Subject: [jira] [Resolved] (CXF-4283) OAuth 2-leg getAccessToken Error

[ https://issues.apache.org/jira/browse/CXF-4283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4283.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.5.4
                   2.6.1
         Assignee: Sergey Beryozkin

Thanks for finding the cause of the problem. I fixed it at the AccessTokenService level (pre-authorized tokens are checked for missing or empty verifiers). I think it would be a bit safer, given that in principle we can expect non-CXF clients consuming CXF-based OAuth 1.0 endpoints too.

> OAuth 2-leg getAccessToken Error
> ---------------------------------
>
>                 Key: CXF-4283
>                 URL: https://issues.apache.org/jira/browse/CXF-4283
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6
>            Reporter: Jordi Torrente
>            Assignee: Sergey Beryozkin
>              Labels: oauth
>             Fix For: 2.6.1, 2.5.4
>
>
> After the preauthorized request token has been obtained, if we request the access token using org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() providing a null value for verifier, the following error occurs:
>
> org.apache.cxf.rs.security.oauth.provider.OAuthServiceException: Status : 401
> Headers :
> WWW-Authenticate : OAuth realm="null", oauth_problem="verifier_invalid"
> Date : Wed, 02 May 2012 13:07:58 GMT
> Content-Length : 16
> Content-Type : application/x-www-form-urlencoded
> Server : Apache-Coyote/1.1
>         at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getToken(OAuthClientUtils.java:191)
>         at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:112)
>
>
> As you can see, the request OAuth header sent includes an empty "oauth_verifier" parameter:
>
> Authorization=[OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="9ab45d4a483b10719b72c73fff513342aa814a9", oauth_token="afb0c0d63d948872aa4cfa07b75f6788e4a2a98", oauth_verifier="", oauth_timestamp="1335964079", oauth_nonce="1335964079434845000", oauth_version="1.0", oauth_signature="4drUvMJ4pJm25QJkKIb6bSwKnio%3D"]
>
> So, when processing the message on the server side (inside the AccessTokenHandler class) a non-null verifier parameter is obtained and its validation always fails:
>
>     String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
>     if (oauthVerifier == null) {
>         if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
>             LOG.fine("Preauthorized request token");
>         } else {
>             throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
>         }
>     } else if (!oauthVerifier.equals(requestToken.getVerifier())) {
>         throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
>     }
>
> I suppose changing org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() from:
>
>     Map<String, String> parameters = new HashMap<String, String>();
>     parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
>     parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
>     parameters.put(OAuth.OAUTH_VERIFIER, verifier);
>     parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");
>
> to
>
>     Map<String, String> parameters = new HashMap<String, String>();
>     parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
>     parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
>     // only send oauth_verifier when one was actually supplied
>     if (null != verifier) {
>         parameters.put(OAuth.OAUTH_VERIFIER, verifier);
>     }
>     parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");
>
> would solve the problem because a null "oauth_verifier" parameter wouldn't be sent
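The server-side check quoted in the report beside a hardened version in the spirit of the resolution (missing or empty verifier tolerated only for a pre-authorized token), as an added Java example that is not CXF code: RequestToken here is a hypothetical stand-in for the CXF class, and the constant-time comparison is an extra hardening step the ticket does not discuss.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical minimal stand-in for CXF's RequestToken; not the real class.
final class RequestToken {
    private final String verifier;
    private final boolean preAuthorized;
    private final String subject;
    RequestToken(String verifier, boolean preAuthorized, String subject) {
        this.verifier = verifier; this.preAuthorized = preAuthorized; this.subject = subject;
    }
    String getVerifier() { return verifier; }
    boolean isPreAuthorized() { return preAuthorized; }
    String getSubject() { return subject; }
}

public final class VerifierCheck {
    // Check as quoted in the report: only a *null* verifier counts as "not supplied",
    // so the empty oauth_verifier="" the client sends falls into the equals() branch.
    static boolean acceptedBefore(String oauthVerifier, RequestToken t) {
        if (oauthVerifier == null) {
            return t.getSubject() != null && t.isPreAuthorized();
        }
        return oauthVerifier.equals(t.getVerifier());
    }

    // Hardened check: a missing OR empty verifier is accepted only for a pre-authorized
    // token with a subject; anything else must match the issued verifier, compared in
    // constant time (extra hardening, not part of the ticket's fix).
    static boolean acceptedAfter(String oauthVerifier, RequestToken t) {
        if (oauthVerifier == null || oauthVerifier.isEmpty()) {
            return t.getSubject() != null && t.isPreAuthorized();
        }
        String expected = t.getVerifier();
        if (expected == null) return false; // token was never issued a verifier
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     oauthVerifier.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        RequestToken pre = new RequestToken(null, true, "alice");   // constructed 2-leg token
        RequestToken web = new RequestToken("s3cr3t", false, "bob"); // constructed 3-leg token
        // empty verifier on a pre-authorized token: the reported failure vs. the fixed behaviour
        System.out.println("\"\" pre-auth: before=" + acceptedBefore("", pre) + " after=" + acceptedAfter("", pre));
        // empty or wrong verifier on a token that requires one: rejected by both versions
        System.out.println("\"\" 3-leg:    before=" + acceptedBefore("", web) + " after=" + acceptedAfter("", web));
        System.out.println("wrong 3-leg: before=" + acceptedBefore("nope", web) + " after=" + acceptedAfter("nope", web));
    }
}
```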