cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-5569) OAuth AbstractAuthFilter and query parameters used for signing
Date Tue, 01 Apr 2014 11:00:16 GMT


Sergey Beryozkin commented on CXF-5569:

Jason, I've decided to keep the flag for now, restricting it to the well-known parameters.
I guess you were right in mentioning that the CXF OAuth1 implementation was kind of caught in between
conflicting requirements.
However, I'd like to avoid possibly breaking working clients by auto-enabling the
support for all the parameters: there must've been a reason why I ended up adding this request
wrapper blocking unrecognized parameters - that was either because the client I was experimenting
with did not calculate the signature correctly itself or because there were some unexpected
parameters 'leaking', I don't recall right now. I know a number of users are working with
CXF OAuth1; it may work for them because the client code does not use the query parameters
or, again, maybe because the software they use does not take the query parameters into the
signature calculation.
So, IMHO, it is safer to introduce a flag and let users enable it if needed - it is an extra
piece of work but hopefully not a major one :-)

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>                 Key: CXF-5569
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.0.0-milestone2, 2.7.11
> In the AbstractAuthFilter the query (or body) parameters used for signing are only those
> But if I'm reading the RFC correctly, it looks as though ALL parameters should be considered
> for signature generation.
> To support both backwards compatibility, can I suggest exposing the ALLOWED_OAUTH_PARAMETERS
> to subclasses (either directly or via getter/setters) along with a flag that can be set to
> automatically include any and all parameters?
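The issue above is about which request parameters enter the OAuth 1.0 signature base string. The following added example (not CXF code, and not from either participant) implements the RFC 5849 base-string normalization in Python and shows a server-side check in both modes: restricted to the well-known oauth_* names, as CXF's filter does, and including every query parameter as the RFC requires. All URLs, keys and secrets are constructed values; the `include_all_query` flag stands in for the flag discussed in the thread and is not a CXF option.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Well-known protocol parameters; the restrictive mode signs only these from the query string.
OAUTH_PARAMS = {"oauth_consumer_key", "oauth_token", "oauth_signature_method", "oauth_timestamp",
                "oauth_nonce", "oauth_version", "oauth_callback", "oauth_verifier"}

def enc(s):
    # RFC 5849 section 3.6 percent encoding: only unreserved characters stay as they are.
    return quote(s, safe="-._~")

def base_string(method, url, params):
    # params: (name, value) pairs collected from the Authorization header, query string and body.
    u = urlsplit(url)
    host = u.netloc.lower()
    for scheme, port in (("http", ":80"), ("https", ":443")):  # default ports are dropped (3.4.1.2)
        if u.scheme.lower() == scheme and host.endswith(port):
            host = host[: -len(port)]
    # oauth_signature is never part of the signed data; sort by encoded name, then encoded value.
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(f"{u.scheme.lower()}://{host}{u.path}"), enc(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def collect_params(url, header_params, body="", include_all_query=True):
    # Server-side view of which parameters take part in validation; the flag is the thread's proposal.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if not include_all_query:
        query = [(k, v) for k, v in query if k in OAUTH_PARAMS]
    return list(header_params.items()) + query + parse_qsl(body, keep_blank_values=True)

def verify(method, url, header_params, consumer_secret, token_secret, include_all_query):
    params = collect_params(url, header_params, "", include_all_query)
    expected = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, header_params.get("oauth_signature", ""))

def demo():
    # Constructed request: an RFC-conformant client signs every query parameter, not just oauth_*.
    url = "https://api.example.test/photos?file=vacation.jpg&size=original"
    secrets = ("consumer-secret-constructed", "token-secret-constructed")
    hdr = {"oauth_consumer_key": "key-constructed", "oauth_token": "token-constructed",
           "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1396349000",
           "oauth_nonce": "nonce-constructed", "oauth_version": "1.0"}
    hdr["oauth_signature"] = hmac_sha1("GET", url, collect_params(url, hdr), *secrets)
    # Restricted validation drops file/size from the base string and rejects a correct signature;
    # inclusive validation accepts it. Returns (restricted_result, inclusive_result).
    return (verify("GET", url, hdr, *secrets, include_all_query=False),
            verify("GET", url, hdr, *secrets, include_all_query=True))
```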

This message was sent by Atlassian JIRA
