From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-5569) OAuth AbstractAuthFilter and query parameters used for signing
Date Wed, 19 Feb 2014 17:40:19 GMT

[ https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13905732#comment-13905732 ]

Sergey Beryozkin edited comment on CXF-5569 at 2/19/14 5:38 PM:
----------------------------------------------------------------

Using ALLOWED_OAUTH_PARAMETERS to filter out the unrecognized parameters can only affect the
signature calculation if it is a form request and if some filters in front of CXF (perhaps
Spring Security, etc.) have moved the form parameters into the request map; I can't imagine
the other scenario for now.

The spec is OK with including the form parameters into the signature calculation, though I'd
say the HAWK scheme makes it neater, where the body hash is optionally included to avoid any
ambiguities. 

I've updated the code to allow for the unrecognized parameters only if it is a form payload
and the check is lax (default is true); the spec specifically talks about the form payloads
in this regard.

Can you please experiment with 2.7.11-SNAPSHOT?


was (Author: sergey_beryozkin):
Using ALLOWED_OAUTH_PARAMETERS to filter out the unrecognized parameters can only affect the
signature calculation if it is a form request and if some filters in front of CXF (perhaps
Spring Security, etc.) have moved the form parameters into the request map; I can't imagine
the other scenario for now.

The spec is OK with including the form parameters into the signature calculation, though I'd
say the HAWK scheme makes it neater, where the body hash is optionally included to avoid any
ambiguities. 

I've updated the code to allow for the unrecognized parameters only if it is a form payload
and the check is lax (default is true); the spec specifically talks about the form payloads
in this regard.

Can you please experiment with 2.7.11-SNAPSHOT?

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
>                 Key: CXF-5569
>                 URL: https://issues.apache.org/jira/browse/CXF-5569
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are only those
> included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks as though ALL parameters should be considered
> for signature generation.
> To support backwards compatibility, can I suggest exposing the ALLOWED_OAUTH_PARAMETERS
> to subclasses (either directly or via getters/setters) along with a flag that can be set to
> automatically include any and all parameters?
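The signature-base-string behaviour the issue and the comment above discuss, as an added Python example (not CXF's own code): the client signs over header, query and form-body parameters as RFC 5849 describes for form payloads, a server that filters the request parameters to an oauth_* allow-list (modelling ALLOWED_OAUTH_PARAMETERS) computes a different base string and rejects the request, while the lax mode that keeps form parameters for form payloads accepts it. The two server modes, the request layout and the sample values are assumptions made for this example.

```python
import base64, hashlib, hmac
from urllib.parse import quote

OAUTH_PARAMS = {"oauth_consumer_key", "oauth_token", "oauth_signature_method",  # names a strict
                "oauth_timestamp", "oauth_nonce", "oauth_version",              # server recognises
                "oauth_callback", "oauth_verifier"}
FORM = "application/x-www-form-urlencoded"

def enc(s):  # RFC 3986 percent-encoding as RFC 5849 section 3.6 requires
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted, encoded name=value pairs)."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    return "&".join([method.upper(), enc(url), enc("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def server_params(req, allow_unrecognized):
    """Parameters the server signs over. Strict mode keeps only allow-listed oauth_* names;
    lax mode keeps form-body parameters when the request is a form payload (assumed model)."""
    params = [(k, v) for k, v in req["oauth_header"] if k not in ("realm", "oauth_signature")]
    params += req["query"]
    if req["content_type"] == FORM:
        params += req["form"]
    if not allow_unrecognized:
        params = [(k, v) for k, v in params if k in OAUTH_PARAMS]
    return params

def verify(req, consumer_secret, token_secret, allow_unrecognized):
    base = base_string(req["method"], req["url"], server_params(req, allow_unrecognized))
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, dict(req["oauth_header"])["oauth_signature"])

CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"  # constructed, not real

def client_request():
    oauth = [("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1392831619"),
             ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]
    req = {"method": "POST", "url": "http://photos.example.net/photos",  # constructed sample
           "query": [("file", "vacation.jpg")], "form": [("size", "original"), ("comment", "hello world")],
           "content_type": FORM, "oauth_header": oauth}
    # The client signs every parameter: Authorization header, query string and form body.
    base = base_string("POST", req["url"], oauth + req["query"] + req["form"])
    req["oauth_header"] = oauth + [("oauth_signature", hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET))]
    return req
```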



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
