
OAuth 1.0 And Signature With Query Params

I have a problem that has been plaguing me for several days now and was
hoping someone had run across it before.

I have a provider implemented with Spring 3 CXF 2.6.11. I have a consumer
that's a standalone Java application making requests to the provider. The
OAuth 1.0 Authorization headers on the client are being generated by
OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
uri);

So far so good. Everything works fine so long as there are no query
parameters on the URL.

So if the request URL is "http://foo.com/api/83382" then all is well.

If the request URL is "http://foo.com/api/83382?scope=all" the signature
validation on the provider fails. After tracing through
SimpleOAuthValidator.validateSignature(..) I found that the Authorization
signature on the client is using the full URL with query parameters to
generate the signature, but when SimpleOAuthValidator generates the base
string for signature validation, the query parameters are not used (only the
URI).

I was able to get the SimpleOAuthValidator to validate the signature created
by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the
"original" URI. But to do this I had to do some voodoo to get
HttpServletRequest.getRequestURL() and append the
httpServletRequest.getQueryString() to it.

With this hack, the signature created by OAuthClientUtils will now be
validated by SimpleOAuthValidator. Obviously, that can't possibly be
"normal", right?

To make matters worse, I've had no luck whatsoever in getting a generic REST
client (e.g. REST Console for Chrome) to successfully authorize a request
against the provider. It fails with an oauth_problem: signature_invalid every
single time.

I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).

Any help would be sincerely appreciated!

Thanks,

--Ian
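
For reference, RFC 5849 section 3.4.1 leaves the query string out of the base string URI but folds the query parameters into the sorted parameter list, so signer and validator must both account for `scope=all`. The sketch below is an added example, not part of the original post and not CXF code; the keys, secrets, nonce and timestamp are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORTS = {("http", 80), ("https", 443)}

def pct(s):
    # RFC 5849 3.6: percent-encode everything except unreserved characters
    return quote(s, safe="~")

def base_string(method, url, oauth_params):
    u = urlsplit(url)
    # 3.4.1.2: base string URI is scheme://authority/path, query excluded
    host = u.hostname
    if u.port and (u.scheme, u.port) not in DEFAULT_PORTS:
        host += f":{u.port}"
    base_uri = f"{u.scheme}://{host}{u.path or '/'}"
    # 3.4.1.3: query parameters join the oauth_* parameters before sorting
    params = parse_qsl(u.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), pct(base_uri), pct(normalized)))

def sign(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, oauth_params, consumer_secret, token_secret):
    expected = sign(base_string(method, url, oauth_params),
                    consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Constructed sample values, not taken from the post
SAMPLE = {"oauth_consumer_key": "ck", "oauth_token": "tk",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1400000000",
          "oauth_nonce": "n0nce", "oauth_version": "1.0"}

if __name__ == "__main__":
    full = "http://foo.com/api/83382?scope=all"
    signed = dict(SAMPLE)
    signed["oauth_signature"] = sign(base_string("GET", full, SAMPLE), "cs", "ts")
    print(base_string("GET", full, SAMPLE))
    print("validator sees query:", verify("GET", full, signed, "cs", "ts"))
    # A validator that rebuilds the URL without the query cannot match
    print("validator drops query:",
          verify("GET", "http://foo.com/api/83382", signed, "cs", "ts"))
```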
