oltu-dev mailing list archives

From Antonio Sanso <asa...@adobe.com>
Subject Re: svn commit: r1332515 - /incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Date Wed, 02 May 2012 15:40:28 GMT
Thanks Raymond,

I was also referring to the comment in AMBER-15 (e.g. [0]).
On May 2, 2012, at 5:23 PM, Raymond Feng wrote:

> Hi,
> 
> It's probably in the same area but not the same. My fix solves the issue that the validator/extractor
> accidentally destructs the HTTP POST/PUT payload when the Content-Type is application/x-www-form-urlencoded
> as the HttpServletRequest's parameter related methods try to decode the parameters from the
> body.
> 
> For AMBER-15, there are two things to consider:
> 
> 1) We need to make sure the list of parameter style validators/extractors don't interfere
> with each other
> 2) We also want to make sure that only one access token is used.
> 
> The current seems to be fine even though we try to construct the exception instances.
> I tested Query/Header styles but not the body one.
> 
> Do we have a test case showing the problem?


Not really... I was trying to understand which one the problem is, but no luck.

I'd propose to 

a. close AMBER-15 as invalid
b. open a new ticket about the fix you have solved and resolve the JIRA (since you have already
committed the fix)
c. open other JIRAs for your bullet points 1) and 2) above.

WDYT?

Regards

Antonio

[0] https://issues.apache.org/jira/browse/AMBER-15?focusedCommentId=13002717&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13002717
> 
> Thanks,
> Raymond
> 
> On May 2, 2012, at 8:12 AM, Antonio Sanso wrote:
> 
>> Good stuff Raymond.
>> 
>> Does this fix/is related to AMBER-15?
>> 
>> Thanks
>> 
>> Antonio
>> 
>> On May 1, 2012, at 5:34 AM, <rfeng@apache.org> <rfeng@apache.org> wrote:
>> 
>>> Author: rfeng
>>> Date: Tue May  1 03:34:41 2012
>>> New Revision: 1332515
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1332515&view=rev
>>> Log:
>>> Fix the code to not mess up with HTTP POST body
>>> 
>>> Modified:
>>>  incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>>> 
>>> Modified: incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>>> URL: http://svn.apache.org/viewvc/incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java?rev=1332515&r1=1332514&r2=1332515&view=diff
>>> ==============================================================================
>>> --- incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
(original)
>>> +++ incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Tue May  1 03:34:41 2012
>>> @@ -21,6 +21,9 @@
>>> 
>>> package org.apache.amber.oauth2.rs.extractor;
>>> 
>>> +import java.io.UnsupportedEncodingException;
>>> +import java.net.URLDecoder;
>>> +
>>> import javax.servlet.http.HttpServletRequest;
>>> 
>>> import org.apache.amber.oauth2.common.OAuth;
>>> @@ -34,16 +37,48 @@ public class BearerQueryTokenExtractor i
>>> 
>>>   @Override
>>>   public String getAccessToken(HttpServletRequest request) {
>>> -        String token = request.getParameter(OAuth.OAUTH_BEARER_TOKEN);
>>> +        String token = getQueryParameter(request, OAuth.OAUTH_BEARER_TOKEN);
>>>       if (token == null) {
>>> -            token = request.getParameter(OAuth.OAUTH_TOKEN);
>>> +            token = getQueryParameter(request, OAuth.OAUTH_TOKEN);
>>>       }
>>>       return token;
>>>   }
>>> 
>>>   @Override
>>>   public String getAccessToken(HttpServletRequest request, String tokenName)
{
>>> -        return request.getParameter(tokenName);
>>> +        return getQueryParameter(request, tokenName);
>>> +    }
>>> +
>>> +    /**
>>> +     * A replacement for HttpServletRequest.getParameter() as it will mess up
with HTTP POST body
>>> +     * @param request
>>> +     * @param name
>>> +     * @return
>>> +     */
>>> +    private String getQueryParameter(HttpServletRequest request, String name)
{
>>> +        String query = request.getQueryString();
>>> +        if (query == null) {
>>> +            return null;
>>> +        }
>>> +        String[] params = query.split("&");
>>> +        for (String param : params) {
>>> +            try {
>>> +                param = URLDecoder.decode(param, "UTF-8");
>>> +            } catch (UnsupportedEncodingException e) {
>>> +                // Ignore
>>> +            }
>>> +            int index = param.indexOf('=');
>>> +            String key = param;
>>> +            String value = null;
>>> +            if (index != -1) {
>>> +                key = param.substring(0, index);
>>> +                value = param.substring(index + 1);
>>> +            }
>>> +            if (key.equals(name)) {
>>> +                return value;
>>> +            }
>>> +        }
>>> +        return null;
>>>   }
>>> 
>>> }
>>> 
>>> 
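Review bot: in getQueryParameter each pair is URL-decoded before it is split on '=', so a percent-encoded '=' (%3D) inside a key or value moves the key/value boundary: `access_token%3D1=bad` decodes to `access_token=1=bad` and is then read as key `access_token` with value `1=bad`, something the original request.getParameter() would never have matched. Split on the first '=' first, then decode key and value separately. Also, URLDecoder.decode throws an unchecked IllegalArgumentException on malformed escapes such as `%zz`; the empty catch for UnsupportedEncodingException does not cover that, so a bad query string now propagates out of getAccessToken(). Catch it and treat the parameter as absent. The new Javadoc leaves `@param request`, `@param name` and `@return` empty; it should say what is returned when the parameter is missing or has no '=' (currently null in both cases, which callers cannot tell apart).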
>> 
> 
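As an added illustration of the problem Raymond describes above (reading the token through HttpServletRequest.getParameter() makes the container parse, and so consume, a form-encoded POST/PUT body), here is a query-string-only lookup written for this thread. It is not Amber's code. It assumes the caller passes the raw string from request.getQueryString() and a Java 10 or newer runtime for the Charset overload of URLDecoder.decode; the class and method names are made up for the example. It splits each pair on '=' before decoding, treats undecodable input as "no token", and, following the thread's point that only one access token should be in play, returns null when the same parameter appears twice.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Query-string-only parameter lookup (hypothetical helper for this example).
 * It never calls getParameter(), so the servlet container is never asked to
 * parse, and thereby consume, an application/x-www-form-urlencoded body.
 */
public final class QueryTokenLookup {

    /**
     * Returns the value of {@code name} from a raw, still percent-encoded query
     * string (what HttpServletRequest.getQueryString() returns). Returns null
     * when the parameter is absent, appears more than once, or cannot be decoded.
     */
    public static String findQueryParameter(String rawQuery, String name) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return null;
        }
        String found = null;
        int occurrences = 0;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue; // tolerate "a=1&&b=2"
            }
            // Split on the first '=' BEFORE decoding, so an encoded '=' (%3D)
            // inside a key or value cannot shift the boundary between them.
            int eq = pair.indexOf('=');
            String rawKey = (eq == -1) ? pair : pair.substring(0, eq);
            String rawValue = (eq == -1) ? "" : pair.substring(eq + 1);
            String key;
            String value;
            try {
                key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8);
                value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // Malformed escape such as "%zz": report no usable token instead
                // of letting an unchecked exception escape the extractor.
                return null;
            }
            if (key.equals(name)) {
                occurrences++;
                found = value;
            }
        }
        // A request carrying the parameter twice is ambiguous: hand back no token.
        return (occurrences == 1) ? found : null;
    }

    public static void main(String[] args) {
        // Constructed sample query strings for the demo, not captured traffic.
        String[][] samples = {
            {"scope=read&access_token=abc%3D%3D", "access_token"},
            {"access_token%3D1=bad&access_token=good", "access_token"},
            {"access_token=1&access_token=2", "access_token"},
            {"access_token=%zz", "access_token"},
            {"", "access_token"},
        };
        for (String[] s : samples) {
            System.out.println("query=\"" + s[0] + "\" -> " + findQueryParameter(s[0], s[1]));
        }
    }
}
```

The first sample decodes to the token `abc==`; the second yields `good`, because the key of the first pair decodes to `access_token=1`, not `access_token` (a decode-before-split parser would have returned `1=bad`); the duplicated, malformed and empty queries all yield null.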

