cxf-users mailing list archives

From Sergey Beryozkin <>
Subject Re: OAuth 1.0 And Signature With Query Params
Date Fri, 31 Jan 2014 18:37:19 GMT
On 31/01/14 18:25, icoleman wrote:
> I have a problem that has been plaguing me for several days now and was
> hoping someone had run across it before.
> I have a provider implemented with Spring 3 & CXF 2.6.11. I have a consumer
> that's a standalone Java application making requests to the provider. The
> OAuth 1.0 Authorization headers on the client are being generated by
> OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
> uri);
> So far so good. Everything works fine so long as there are no query
> parameters on the URL.
> So if the request URL is "" then all is well.
> If the request URL is "" the signature
> validation on the provider fails. After tracing through
> SimpleOAuthValidator.validateSignature(..) I found that the Authorization
> signature on the client is using the full URL with query parameters to
> generate the signature, but when SimpleOAuthValidator generates the base
> string for signature validation, the query parameters are not used (only the
> URI).
> I was able to get the SimpleOAuthValidator to validate the signature created
> by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the
> "original" URI. But to do this I had to do some voodoo to get
> HttpServletRequest.getRequestURL() and append the
> httpServletRequest.getQueryString() to it.
> With this hack, the signature created by OAuthClientUtils will now be
> validated by SimpleOAuthValidator. Obviously, that can't possibly be
> "normal", right?
Sure, this needs to be fixed - I'll look into it next week

> To make matters worse, I've had no luck whatsoever in getting a generic REST
> client (e.g. REST Console for Chrome) to successfully authorize a request
> against the provider. It fails with an oauth_problem: signature_invalid every
> single time.
Can you do me a favor and experiment further with it? Can we expect
the console to be affecting the signature somehow? What about curl?

Cheers, Sergey

> I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).
> Any help would be sincerely appreciated!
> Thanks,
> --Ian

Sergey Beryozkin

Talend Community Coders

