Beispiel #1
0
  @Override
  public void doFilter(
      ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
      throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    // Skip oauth for local connections
    if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
      // Read the OAuth parameters from the request
      OAuthServletRequest request = new OAuthServletRequest(httpRequest);
      OAuthParameters params = new OAuthParameters();
      params.readRequest(request);

      String consumerKey = params.getConsumerKey();

      // Set the secret(s), against which we will verify the request
      OAuthSecrets secrets = new OAuthSecrets();
      secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));

      // Check that the timestamp has not expired
      String timestampStr = params.getTimestamp();
      if (timestampStr == null) {
        logger.warn("Missing OAuth headers");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
        return;
      }

      long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds
      long currentTime = System.currentTimeMillis();

      // if the message is older than 5 min it is no good
      if (Math.abs(msgTime - currentTime) > 300000) {
        logger.warn(
            "OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
        return;
      }

      // Verify the signature
      try {
        if (!OAuthSignature.verify(request, params, secrets)) {
          logger.warn("Invalid OAuth signature");

          httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
          return;
        }
      } catch (OAuthSignatureException e) {
        logger.warn("OAuth exception", e);

        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
        return;
      }
    }

    filterChain.doFilter(servletRequest, servletResponse);
  }
  protected ArrayList<NameValuePair> buildParameters(OAuthParameters params) {
    ArrayList<NameValuePair> tuples = new ArrayList<NameValuePair>();
    tuples.add(new BasicNameValuePair(OAuthConstants.MODE, "client_auth"));
    params.put(OAuthConstants.MODE, "client_auth");
    tuples.add(new BasicNameValuePair(OAuthConstants.USERNAME, username));
    params.put(OAuthConstants.USERNAME, username);
    tuples.add(new BasicNameValuePair(OAuthConstants.PASSWORD, password));
    params.put(OAuthConstants.PASSWORD, password);

    return tuples;
  }
  protected ArrayList<NameValuePair> buildParameters(OAuthParameters params) {
    ArrayList<NameValuePair> tuples = new ArrayList<NameValuePair>();
    tuples.add(new BasicNameValuePair(OAuthConstants.MODE, "twitter_auth"));
    params.put(OAuthConstants.MODE, "twitter_auth");
    tuples.add(new BasicNameValuePair(OAuthConstants.X_TOKEN, twitterToken));
    params.put(OAuthConstants.X_TOKEN, twitterToken);
    tuples.add(new BasicNameValuePair(OAuthConstants.X_SECRET, twitterSecret));
    params.put(OAuthConstants.X_SECRET, twitterSecret);

    return tuples;
  }
  private String getSignatureBaseString(HttpPost req, OAuthParameters params) {
    final String method = req.getMethod();
    final String url = Uri.encode(req.getURI().toString());

    final String sortedParams = Uri.encode(params.getSortedEncodedParamsAsString());
    return method + '&' + url + '&' + sortedParams;
  }
  public void signForAccessToken(HttpPost req) throws FiveHundredException {

    OAuthParameters params = new OAuthParameters(this.consumerKey);
    final ArrayList<NameValuePair> tuples = buildParameters(params);

    params.put(OAuthConstants.TOKEN, this.tokenKey);

    // generate the base string for signature.
    String str = getSignatureBaseString(req, params);
    str = getSignature(str, consumerSecret, this.tokenSecret);
    params.put(OAuthConstants.SIGNATURE, str);
    // get the authorization header
    str = params.getAuthorizationHeaderValue();
    req.addHeader(OAuthConstants.HEADER, str);

    try {
      req.setEntity(new UrlEncodedFormEntity(tuples));
    } catch (UnsupportedEncodingException e) {
      throw new FiveHundredException(e);
    }
  }
  /**
   * Test a Twitter status update.
   *
   * <p>Specifically, this test includes some characters (spaces) in one of the parameters which
   * were incorrectly encoded (as '+' instead of "%20") with the original encoding routine.
   */
  public void testTwitterSig() {
    final String TWITTERTEST_SIGNATURE = "yfrn/p/4Hnp+XcwUBVfW0cSgc+o=";
    final String TWITTERTEST_SIGNATURE_ENC = "yfrn%2Fp%2F4Hnp%2BXcwUBVfW0cSgc%2Bo%3D";

    DummyRequest request =
        new DummyRequest()
            .requestMethod("POST")
            .requestURL("http://twitter.com/statuses/update.json")
            .parameterValue("status", "Hello Twitter World");

    OAuthParameters params =
        new OAuthParameters()
            .consumerKey(CONSUMER_KEY)
            .token(ACCESS_TOKEN)
            .signatureMethod(SIGNATURE_METHOD)
            .timestamp(TIMESTAMP)
            .nonce(NONCE)
            .version(VERSION);

    OAuthSecrets secrets =
        new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");

    // generate digital signature; ensure it matches the OAuth spec
    String signature = null;

    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }

    assertEquals(signature, TWITTERTEST_SIGNATURE);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request;
      // ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }

    // signing the request should not have modified the original parameters
    assertTrue(params.equals(saved));
    assertTrue(params.getSignature() == null);

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(params.getConsumerKey(), CONSUMER_KEY);
    assertEquals(params.getToken(), ACCESS_TOKEN);
    assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD);
    assertEquals(params.getTimestamp(), TIMESTAMP);
    assertEquals(params.getNonce(), NONCE);
    assertEquals(params.getVersion(), VERSION);
    assertEquals(params.getSignature(), TWITTERTEST_SIGNATURE);

    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }
  }
  public void testRSASHA1() {
    DummyRequest request =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacaction.jpg")
            .parameterValue("size", "original");

    OAuthParameters params =
        new OAuthParameters()
            .realm(REALM)
            .consumerKey(CONSUMER_KEY)
            .signatureMethod(RSA_SIGNATURE_METHOD)
            .timestamp(RSA_TIMESTAMP)
            .nonce(RSA_NONCE)
            .version(VERSION);

    OAuthSecrets secrets = new OAuthSecrets().consumerSecret(RSA_PRIVKEY);

    // generate digital signature; ensure it matches the OAuth spec
    String signature = null;

    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }
    assertEquals(signature, RSA_SIGNATURE);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request; ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }

    // signing the request should not have modified the original parameters
    assertTrue(params.equals(saved));
    assertTrue(params.getSignature() == null);

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(params.getRealm(), REALM);
    assertEquals(params.getConsumerKey(), CONSUMER_KEY);
    //        assertEquals(params.getToken(), ACCESS_TOKEN);
    assertEquals(params.getSignatureMethod(), RSA_SIGNATURE_METHOD);
    assertEquals(params.getTimestamp(), RSA_TIMESTAMP);
    assertEquals(params.getNonce(), RSA_NONCE);
    assertEquals(params.getVersion(), VERSION);
    assertEquals(params.getSignature(), RSA_SIGNATURE);

    // perform the same encoding as done by OAuthParameters.writeRequest
    // to see if the encoded signature will match
    assertEquals(
        UriComponent.encode(params.getSignature(), UriComponent.Type.UNRESERVED),
        RSA_SIGNATURE_ENCODED);

    secrets = new OAuthSecrets().consumerSecret(RSA_CERTIFICATE);
    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }
  }
  /** Perform the test. */
  public void testHMACSHA1() {

    DummyRequest request =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacation.jpg")
            .parameterValue("size", "original");

    OAuthParameters params =
        new OAuthParameters()
            .realm(REALM)
            .consumerKey(CONSUMER_KEY)
            .token(ACCESS_TOKEN)
            .signatureMethod(SIGNATURE_METHOD)
            .timestamp(TIMESTAMP)
            .nonce(NONCE)
            .version(VERSION);

    OAuthSecrets secrets =
        new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");

    // generate digital signature; ensure it matches the OAuth spec
    String signature = null;

    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }

    assertEquals(signature, SIGNATURE);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request; ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }

    // signing the request should not have modified the original parameters
    assertTrue(params.equals(saved));
    assertTrue(params.getSignature() == null);

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(params.getRealm(), REALM);
    assertEquals(params.getConsumerKey(), CONSUMER_KEY);
    assertEquals(params.getToken(), ACCESS_TOKEN);
    assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD);
    assertEquals(params.getTimestamp(), TIMESTAMP);
    assertEquals(params.getNonce(), NONCE);
    assertEquals(params.getVersion(), VERSION);
    assertEquals(params.getSignature(), SIGNATURE);

    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      fail(se.getMessage());
    }
  }