Return-Path: 
 <amber-dev-return-335-apmail-incubator-amber-dev-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-amber-dev-archive@minotaur.apache.org
Received: (qmail 3837 invoked from network); 3 Mar 2011 20:25:57 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 3 Mar 2011 20:25:57 -0000
Received: (qmail 71231 invoked by uid 500); 3 Mar 2011 20:25:57 -0000
Delivered-To: apmail-incubator-amber-dev-archive@incubator.apache.org
Received: (qmail 71203 invoked by uid 500); 3 Mar 2011 20:25:57 -0000
Mailing-List: contact amber-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:amber-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:amber-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:amber-dev@incubator.apache.org>
List-Id: <amber-dev.incubator.apache.org>
Reply-To: amber-dev@incubator.apache.org
Delivered-To: mailing list amber-dev@incubator.apache.org
Received: (qmail 71195 invoked by uid 99); 3 Mar 2011 20:25:57 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Mar 2011 20:25:57 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED,T_RP_MATCHES_RCVD
X-Spam-Check-By: apache.org
Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Mar 2011 20:25:57 +0000
Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116])
	by hel.zones.apache.org (Postfix) with ESMTP id 037A74E37B
	for <amber-dev@incubator.apache.org>; Thu,  3 Mar 2011 20:25:37 +0000 (UTC)
Date: Thu, 3 Mar 2011 20:25:37 +0000 (UTC)
From: "Ben Noordhuis (JIRA)" <jira@apache.org>
To: amber-dev@incubator.apache.org
Message-ID: 
 <1073385112.11875.1299183937011.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] Created: (AMBER-15) [oauth2-resourceserver] resource access
 validation always fails if there is more than one parameter style defined
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

[oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
-----------------------------------------------------------------------------------------------------------------

                 Key: AMBER-15
                 URL: https://issues.apache.org/jira/browse/AMBER-15
             Project: Amber
          Issue Type: Bug
          Components: Server
            Reporter: Ben Noordhuis


Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.

I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].

Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).

[1] https://github.com/bnoordhuis/amber/commit/b4df9c2
[2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira