oltu-dev mailing list archives

From Raymond Feng <enjoyj...@gmail.com>
Subject Re: svn commit: r1332515 - /incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Date Wed, 02 May 2012 15:23:13 GMT
Hi,

It's probably in the same area but not the same. My fix solves the issue that the validator/extractor
accidentally destroys the HTTP POST/PUT payload when the Content-Type is application/x-www-form-urlencoded,
as the HttpServletRequest's parameter-related methods try to decode the parameters from the
body.

For AMBER-15, there are two things to consider:

1) We need to make sure the list of parameter-style validators/extractors don't interfere
with each other
2) We also want to make sure that only one access token is used.

The current seems to be fine even though we try to construct the exception instances. I tested
Query/Header styles but not the body one.

Do we have a test case showing the problem?

Thanks,
Raymond

On May 2, 2012, at 8:12 AM, Antonio Sanso wrote:

> Good stuff Raymond.
> 
> Does this fix, or is it related to, AMBER-15?
> 
> Thanks
> 
> Antonio
> 
> On May 1, 2012, at 5:34 AM, <rfeng@apache.org> <rfeng@apache.org> wrote:
> 
>> Author: rfeng
>> Date: Tue May  1 03:34:41 2012
>> New Revision: 1332515
>> 
>> URL: http://svn.apache.org/viewvc?rev=1332515&view=rev
>> Log:
>> Fix the code to not mess up with HTTP POST body
>> 
>> Modified:
>>   incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>> 
>> Modified: incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>> URL: http://svn.apache.org/viewvc/incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java?rev=1332515&r1=1332514&r2=1332515&view=diff
>> ==============================================================================
>> --- incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
(original)
>> +++ incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Tue May  1 03:34:41 2012
>> @@ -21,6 +21,9 @@
>> 
>> package org.apache.amber.oauth2.rs.extractor;
>> 
>> +import java.io.UnsupportedEncodingException;
>> +import java.net.URLDecoder;
>> +
>> import javax.servlet.http.HttpServletRequest;
>> 
>> import org.apache.amber.oauth2.common.OAuth;
>> @@ -34,16 +37,48 @@ public class BearerQueryTokenExtractor i
>> 
>>    @Override
>>    public String getAccessToken(HttpServletRequest request) {
>> -        String token = request.getParameter(OAuth.OAUTH_BEARER_TOKEN);
>> +        String token = getQueryParameter(request, OAuth.OAUTH_BEARER_TOKEN);
>>        if (token == null) {
>> -            token = request.getParameter(OAuth.OAUTH_TOKEN);
>> +            token = getQueryParameter(request, OAuth.OAUTH_TOKEN);
>>        }
>>        return token;
>>    }
>> 
>>    @Override
>>    public String getAccessToken(HttpServletRequest request, String tokenName) {
>> -        return request.getParameter(tokenName);
>> +        return getQueryParameter(request, tokenName);
>> +    }
>> +
>> +    /**
>> +     * A replacement for HttpServletRequest.getParameter() as it will mess up with
HTTP POST body
>> +     * @param request
>> +     * @param name
>> +     * @return
>> +     */
>> +    private String getQueryParameter(HttpServletRequest request, String name) {
>> +        String query = request.getQueryString();
>> +        if (query == null) {
>> +            return null;
>> +        }
>> +        String[] params = query.split("&");
>> +        for (String param : params) {
>> +            try {
>> +                param = URLDecoder.decode(param, "UTF-8");
>> +            } catch (UnsupportedEncodingException e) {
>> +                // Ignore
>> +            }
>> +            int index = param.indexOf('=');
>> +            String key = param;
>> +            String value = null;
>> +            if (index != -1) {
>> +                key = param.substring(0, index);
>> +                value = param.substring(index + 1);
>> +            }
>> +            if (key.equals(name)) {
>> +                return value;
>> +            }
>> +        }
>> +        return null;
>>    }
>> 
>> }
>> 
>> 
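Review bot: In getQueryParameter, URLDecoder.decode(param, "UTF-8") runs on the whole pair before param.indexOf('='), so an encoded %3D becomes a separator: a pair sent as name%3Dvalue is matched as key "name" with value "value", which differs from how the container's own parameter parsing would read it. Split on the first literal '=' first and decode the key and the value separately. The catch block covers only UnsupportedEncodingException, while URLDecoder.decode also throws the unchecked IllegalArgumentException on a malformed escape, which would propagate out of getAccessToken; decide whether such a request should yield null or an explicit error. The loop returns on the first match, so a query string that repeats the token parameter is accepted silently, which is worth settling given the AMBER-15 goal that only one access token is used. The new Javadoc leaves @param and @return empty.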
> 
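The query-string-only lookup discussed in this thread, as an added example that is not part of the original messages or the Amber code base: it reads a parameter from the raw query string (so the request body is never parsed), decodes after splitting, and refuses a repeated token parameter. The class name, method names and the `access_token` parameter in the sample inputs are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;

/** Added illustration; names here are hypothetical, not Amber API. */
public class QueryTokenLookup {

    /** Returns the single value of name in a raw query string, or null if absent. */
    static String singleQueryParam(String rawQuery, String name) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return null;
        }
        List<String> values = new ArrayList<String>();
        for (String pair : rawQuery.split("&")) {
            // Split on the first literal '=' before decoding, so an encoded
            // %3D inside a key or value cannot change the pair's structure.
            int eq = pair.indexOf('=');
            String key = decode(eq < 0 ? pair : pair.substring(0, eq));
            if (name.equals(key)) {
                values.add(eq < 0 ? "" : decode(pair.substring(eq + 1)));
            }
        }
        if (values.size() > 1) {
            // More than one token in the query: refuse rather than pick one.
            throw new IllegalArgumentException("duplicate parameter: " + name);
        }
        return values.isEmpty() ? null : values.get(0);
    }

    private static String decode(String s) {
        try {
            // Throws IllegalArgumentException on a malformed escape such as "%zz".
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        // Constructed sample query strings.
        System.out.println(singleQueryParam("a=1&access_token=abc%3D%3D", "access_token"));
        System.out.println(singleQueryParam("access_token%3Dabc", "access_token"));
        try {
            singleQueryParam("access_token=a&access_token=b", "access_token");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet, the first argument would come from `request.getQueryString()`, as in the committed change.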

