From: "Sergey Beryozkin (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Tue, 18 Feb 2014 17:48:21 +0000 (UTC)
Subject: [jira] [Commented] (CXF-5569) OAuth AbstractAuthFilter and query parameters used for signing

[ https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13904304#comment-13904304 ]

Sergey Beryozkin commented on CXF-5569:
---------------------------------------

Hi, can you do me a favor and explain which parameter affects the signature calculation on the client side but is not taken into consideration on the server side, and link to the relevant text in the OAuth1 spec?
Thanks, Sergey

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
>                 Key: CXF-5569
>                 URL: https://issues.apache.org/jira/browse/CXF-5569
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Priority: Minor
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are only those included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks as though ALL parameters should be considered for signature generation.
> To support backwards compatibility, can I suggest exposing the ALLOWED_OAUTH_PARAMETERS to subclasses (either directly or via getter/setters) along with a flag that can be set to automatically include any and all parameters?

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)