oltu-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ben Noordhuis (JIRA)" <j...@apache.org>
Subject [jira] Created: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
Date Thu, 03 Mar 2011 20:25:37 GMT
[oauth2-resourceserver] resource access validation always fails if there is more than one parameter
style defined
-----------------------------------------------------------------------------------------------------------------

                 Key: AMBER-15
                 URL: https://issues.apache.org/jira/browse/AMBER-15
             Project: Amber
          Issue Type: Bug
          Components: Server
            Reporter: Ben Noordhuis


Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate().
Two of the validators will throw and the second exception is re-thrown unconditionally outside
the loop.

I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge
case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].

Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator
always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all
the time).

[1] https://github.com/bnoordhuis/amber/commit/b4df9c2
[2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message