oltu-dev mailing list archives

From Antonio Sanso <asa...@adobe.com>
Subject Re: svn commit: r1332515 - /incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Date Wed, 09 May 2012 15:02:43 GMT

On May 9, 2012, at 4:50 PM, Raymond Feng wrote:

> I don't see any issues as I use both query and header style.

At the same time?

Antonio


> 
> Raymond Feng
> Sent from my iPhone
> 
> On May 9, 2012, at 7:23 AM, Antonio Sanso <asanso@adobe.com> wrote:
> 
>> Hi Raymond
>> 
>> On May 2, 2012, at 5:23 PM, Raymond Feng wrote:
>> 
>>> Hi,
>>> 
>>> It's probably in the same area but not the same. My fix solves the issue that the validator/extractor accidentally destructs the HTTP POST/PUT payload when the Content-Type is application/x-www-form-urlencoded as the HttpServletRequest's parameter related methods try to decode the parameters from the body.
>>> 
>>> For AMBER-15, there are two things to consider:
>>> 
>>> 1) We need to make sure the list of parameter style validators/extractors don't interfere with each other
>>> 2) We also want to make sure that only one access token is used.
>> 
>> So what would you do if more than one style is used at the same time? At the moment an exception is thrown, if I am not wrong.
>> 
>> Regards
>> 
>> Antonio
>> 
>> 
>>> 
>>> The current seems to be fine even though we try to construct the exception instances. I tested Query/Header styles but not the body one.
>>> 
>>> Do we have a test case showing the problem?
>>> 
>>> Thanks,
>>> Raymond
>>> 
>>> On May 2, 2012, at 8:12 AM, Antonio Sanso wrote:
>>> 
>>>> Good stuff Raymond.
>>>> 
>>>> Does this fix, or is it related to, AMBER-15?
>>>> 
>>>> Thanks
>>>> 
>>>> Antonio
>>>> 
>>>> On May 1, 2012, at 5:34 AM, <rfeng@apache.org> <rfeng@apache.org> wrote:
>>>> 
>>>>> Author: rfeng
>>>>> Date: Tue May  1 03:34:41 2012
>>>>> New Revision: 1332515
>>>>> 
>>>>> URL: http://svn.apache.org/viewvc?rev=1332515&view=rev
>>>>> Log:
>>>>> Fix the code to not mess up with HTTP POST body
>>>>> 
>>>>> Modified:
>>>>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>>>>> 
>>>>> Modified: incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>>>>> URL: http://svn.apache.org/viewvc/incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java?rev=1332515&r1=1332514&r2=1332515&view=diff
>>>>> ==============================================================================
>>>>> --- incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
(original)
>>>>> +++ incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
Tue May  1 03:34:41 2012
>>>>> @@ -21,6 +21,9 @@
>>>>> 
>>>>> package org.apache.amber.oauth2.rs.extractor;
>>>>> 
>>>>> +import java.io.UnsupportedEncodingException;
>>>>> +import java.net.URLDecoder;
>>>>> +
>>>>> import javax.servlet.http.HttpServletRequest;
>>>>> 
>>>>> import org.apache.amber.oauth2.common.OAuth;
>>>>> @@ -34,16 +37,48 @@ public class BearerQueryTokenExtractor i
>>>>> 
>>>>> @Override
>>>>> public String getAccessToken(HttpServletRequest request) {
>>>>> -        String token = request.getParameter(OAuth.OAUTH_BEARER_TOKEN);
>>>>> +        String token = getQueryParameter(request, OAuth.OAUTH_BEARER_TOKEN);
>>>>>     if (token == null) {
>>>>> -            token = request.getParameter(OAuth.OAUTH_TOKEN);
>>>>> +            token = getQueryParameter(request, OAuth.OAUTH_TOKEN);
>>>>>     }
>>>>>     return token;
>>>>> }
>>>>> 
>>>>> @Override
>>>>> public String getAccessToken(HttpServletRequest request, String tokenName)
{
>>>>> -        return request.getParameter(tokenName);
>>>>> +        return getQueryParameter(request, tokenName);
>>>>> +    }
>>>>> +
>>>>> +    /**
>>>>> +     * A replacement for HttpServletRequest.getParameter() as it will
mess up with HTTP POST body
>>>>> +     * @param request
>>>>> +     * @param name
>>>>> +     * @return
>>>>> +     */
>>>>> +    private String getQueryParameter(HttpServletRequest request, String
name) {
>>>>> +        String query = request.getQueryString();
>>>>> +        if (query == null) {
>>>>> +            return null;
>>>>> +        }
>>>>> +        String[] params = query.split("&");
>>>>> +        for (String param : params) {
>>>>> +            try {
>>>>> +                param = URLDecoder.decode(param, "UTF-8");
>>>>> +            } catch (UnsupportedEncodingException e) {
>>>>> +                // Ignore
>>>>> +            }
>>>>> +            int index = param.indexOf('=');
>>>>> +            String key = param;
>>>>> +            String value = null;
>>>>> +            if (index != -1) {
>>>>> +                key = param.substring(0, index);
>>>>> +                value = param.substring(index + 1);
>>>>> +            }
>>>>> +            if (key.equals(name)) {
>>>>> +                return value;
>>>>> +            }
>>>>> +        }
>>>>> +        return null;
>>>>> }
>>>>> 
>>>>> }
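Review bot: In getQueryParameter, URLDecoder.decode(param, "UTF-8") runs on the whole key=value pair before param.indexOf('=') finds the separator, so an encoded %3D is decoded first and can then be taken as the separator: a pair such as access_token%3Dxyz, with no literal '=', comes back as key access_token with value xyz. Split on the raw '=' first and decode the key and the value separately. Two further points in the same loop: URLDecoder.decode throws IllegalArgumentException on a malformed percent-escape, which the catch for UnsupportedEncodingException does not cover, so a bad escape in any parameter of the query string aborts the lookup even when the token parameter itself is well formed; and returning on the first key.equals(name) match silently accepts a query string that repeats the token parameter, which is worth deciding on explicitly given the AMBER-15 goal that only one access token is used.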
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
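The two AMBER-15 points raised in this thread (token styles must not interfere with each other, and only one access token may be used), as an added example that is not Amber code and not part of any message above. The class `SingleTokenStyleCheck`, its plain-string inputs standing in for `HttpServletRequest.getHeader("Authorization")` and `getQueryString()`, and the parameter name `access_token` are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SingleTokenStyleCheck {
    static final String TOKEN_PARAM = "access_token"; // assumed parameter name

    // Collects every value of `name` from the raw query string. The pair is split
    // on the literal '=' before decoding, and the request body is never touched.
    static List<String> queryValues(String rawQuery, String name) {
        List<String> out = new ArrayList<>();
        if (rawQuery == null) return out;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            // decode() throws IllegalArgumentException on a malformed %-escape
            if (URLDecoder.decode(k, StandardCharsets.UTF_8).equals(name)) {
                out.add(URLDecoder.decode(v, StandardCharsets.UTF_8));
            }
        }
        return out;
    }

    // Returns the single token, or null when none was sent. A request that carries
    // a token in both styles, or repeats the query parameter, is rejected.
    static String extract(String authorization, String rawQuery) {
        List<String> found = new ArrayList<>();
        if (authorization != null && authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            found.add(authorization.substring(7).trim());
        }
        found.addAll(queryValues(rawQuery, TOKEN_PARAM));
        if (found.size() > 1) {
            throw new IllegalStateException("more than one access token supplied");
        }
        return found.isEmpty() ? null : found.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {Authorization header, raw query string}
        String[][] cases = {
            {"Bearer abc", "page=2"},
            {null, "x=1&access_token=a%3Db"},
            {"Bearer abc", "access_token=abc"},
            {null, "access_token=a&access_token=b"},
            {null, "access_token=%zz"},
        };
        for (String[] c : cases) {
            try {
                System.out.println("token: " + extract(c[0], c[1]));
            } catch (RuntimeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```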

