From: Sergey Beryozkin
Date: Fri, 31 Jan 2014 18:37:19 +0000
To: users@cxf.apache.org
Subject: Re: OAuth 1.0 And Signature With Query Params
Message-ID: <52EBED5F.2070006@gmail.com>
In-Reply-To: <1391192730430-5739357.post@n5.nabble.com>

Hi

On 31/01/14 18:25, icoleman wrote:
> I have a problem that has been plaguing me for several days now and was hoping someone had run across it before.
>
> I have a provider implemented with Spring 3 & CXF 2.6.11. I have a consumer that's a standalone Java application making requests to the provider. The OAuth 1.0 Authorization headers on the client are being generated by OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod, uri);
>
> So far so good. Everything works fine so long as there are no query parameters on the URL.
>
> So if the request URL is "http://foo.com/api/83382" then all is well.
>
> If the request URL is "http://foo.com/api/83382?scope=all" the signature validation on the provider fails. After tracing through SimpleOAuthValidator.validateSignature(..) I found that the Authorization signature on the client is using the full URL with query parameters to generate the signature, but when SimpleOAuthValidator generates the base string for signature validation, the query parameters are not used (only the URI).
>
> I was able to get the SimpleOAuthValidator to validate the signature created by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the "original" URI. But to do this I had to do some voodoo to get HttpServletRequest.getRequestURL() and append the httpServletRequest.getQueryString() to it.
>
> With this hack, the signature created by OAuthClientUtils will now be validated by SimpleOAuthValidator. Obviously, that can't possibly be "normal", right?
>
Sure, this needs to be fixed - I'll look into it next week

> To make matters worse, I've had no luck whatsoever in getting a generic REST client (e.g. REST Console for Chrome) to successfully authorize a request against the provider. It fails with an oauth_problem: signature_invalid every single time.
>
Can you do me a favor and experiment further with it? Can we expect the console to be affecting the signature somehow? What about curl?

Cheers, Sergey

> I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).
>
> Any help would be sincerely appreciated!
>
> Thanks,
>
> --Ian
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
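The mismatch Ian describes comes down to how OAuth 1.0a (RFC 5849, section 3.4.1) builds the signature base string: the query string is stripped from the base string URI, but every query parameter must be added to the normalized parameter list alongside the oauth_* header parameters. A validator that rebuilds the request from the path alone therefore computes a different base string from a client that signed the URL it actually sent, and the signature check fails exactly when a query string is present. The following Python is an added example written for this archive; it is not CXF, OAuthClientUtils or SimpleOAuthValidator code, and it says nothing about what those classes actually do internally. The credentials, nonce, timestamp and header parameters are constructed for the example; the `request_url` / `query_string` split in `server_verify` only mirrors the servlet `getRequestURL()` / `getQueryString()` pair from the thread as an analogy.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials and header parameters for the example only.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"
HEADER_PARAMS = [
    ("oauth_consumer_key", "example-consumer-key"),
    ("oauth_token", "example-access-token"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1391193456"),
    ("oauth_nonce", "8f3c1a"),
    ("oauth_version", "1.0"),
]


def pct_encode(value: str) -> str:
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_' and '~' stay raw."""
    return quote(value.encode("utf-8"), safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop the default
    port, keep the path, drop the query string and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_parameters(params) -> str:
    """RFC 5849 section 3.4.1.3.2: encode names and values, sort by name then
    value, join as name=value pairs with '&'."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, header_params, body_params=()) -> str:
    """RFC 5849 section 3.4.1: the query string leaves the URI but its parameters
    join the oauth_* header parameters (minus oauth_signature) and any
    form-encoded body parameters in the normalized list."""
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = [(k, v) for k, v in [*query_params, *header_params, *body_params]
              if k != "oauth_signature"]
    return "&".join([
        method.upper(),
        pct_encode(base_string_uri(url)),
        pct_encode(normalized_parameters(params)),
    ])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: key = encoded consumer secret '&' encoded token secret."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def client_sign(method: str, full_url: str) -> str:
    """Client side: sign the request exactly as it will be sent, query included."""
    base = signature_base_string(method, full_url, HEADER_PARAMS)
    return hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


def server_verify(method: str, request_url: str, query_string, presented: str) -> bool:
    """Provider side. request_url is the URL without its query (the servlet
    getRequestURL() analogue); query_string is the raw query (getQueryString()
    analogue) or None when the validator never looks at it."""
    url = f"{request_url}?{query_string}" if query_string else request_url
    base = signature_base_string(method, url, HEADER_PARAMS)
    expected = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Reproduce the symptom from the thread: the request with a query string
    verifies only when the validator folds that query into its base string."""
    plain = "http://foo.com/api/83382"
    with_query = "http://foo.com/api/83382?scope=all"
    sig_plain = client_sign("GET", plain)
    sig_query = client_sign("GET", with_query)
    return {
        "no_query_request": server_verify("GET", plain, None, sig_plain),
        "validator_drops_query": server_verify("GET", plain, None, sig_query),
        "validator_sees_query": server_verify("GET", plain, "scope=all", sig_query),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `no_query_request` and `validator_sees_query` as true and `validator_drops_query` as false, which is the behaviour Ian reports. Two points worth keeping in mind when fixing a validator like this: the query parameters belong in the normalized parameter list, not appended to the base string URI, so a validator that merely concatenates `getRequestURL()` and `getQueryString()` only works if the resulting URL is then parsed the RFC way (as `server_verify` does here); and the fix has to be on the validator side, because a client that stopped signing its query parameters would leave them outside the signature's integrity protection.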