oltu-dev mailing list archives

From "Antonio Sanso (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
Date Mon, 23 Apr 2012 10:15:35 GMT

    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259494#comment-13259494 ]

Antonio Sanso commented on AMBER-15:
------------------------------------

Hi Sanada,

I think I am slowly starting to understand where the issue is.

> The problem is that some validator always validates a request, even though the request does not contain a token, isn't it?

I think the problem is more subtle than this. 

AFAIU there are issues when using the Query and Body validators at the same time.

It would be nice to have the original patch though, but it seems to be lost in GitHub....
                
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
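As an added illustration of the loop described in the issue (a constructed model, not Amber's code; the request shape, the validator names and the `validate_fixed` strategy are assumptions), here is the reported loop beside a variant that distinguishes an absent parameter style from a malformed credential, so that the 1.0-header-plus-2.0-query request from the report is rejected rather than slipping through:

```python
# Constructed model of the validation loop reported in AMBER-15; names, request
# shape and validator rules are assumptions, not Amber's real API.
class OAuthProblemException(Exception):
    pass

def header_validator(req):
    # None if no Authorization header; raises if present but not a 2.0 bearer token.
    auth = req.get("headers", {}).get("Authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        raise OAuthProblemException("invalid_request: non-bearer Authorization header")
    return token

def body_validator(req):
    # Absent unless form-encoded (the report's BodyOAuthValidator throws here instead).
    if req.get("content_type") != "application/x-www-form-urlencoded":
        return None
    return req.get("body", {}).get("access_token")
def query_validator(req):
    return req.get("query", {}).get("access_token")
VALIDATORS = {"header": header_validator, "body": body_validator, "query": query_validator}

def validate_buggy(req, styles):
    # Reported loop: absent token = error, and the last exception is re-thrown after the loop.
    last_exc, token = None, None
    for style in styles:
        try:
            found = VALIDATORS[style](req)
            if found is None:
                raise OAuthProblemException(f"invalid_request: no token in {style}")
            token = found
        except OAuthProblemException as exc:
            last_exc = exc
    if last_exc is not None:
        raise last_exc
    return token

def validate_fixed(req, styles):
    # Skip absent styles, reject (not skip) malformed ones, require exactly one token.
    tokens = {s: t for s in styles if (t := VALIDATORS[s](req)) is not None}
    if len(tokens) != 1:
        raise OAuthProblemException(f"invalid_request: expected one token, found {len(tokens)}")
    return next(iter(tokens.values()))
def is_rejected(validate, req, styles):
    try:
        validate(req, styles)
        return False
    except OAuthProblemException:
        return True
```

With only the query style configured both versions accept a query token; with all three styles configured the reported loop rejects every request, while the fixed variant accepts a single token and rejects the slip-through request because the 1.0 header is present but malformed.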
