@Override
public void doFilter(
ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
// Skip oauth for local connections
if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
// Read the OAuth parameters from the request
OAuthServletRequest request = new OAuthServletRequest(httpRequest);
OAuthParameters params = new OAuthParameters();
params.readRequest(request);
String consumerKey = params.getConsumerKey();
// Set the secret(s), against which we will verify the request
OAuthSecrets secrets = new OAuthSecrets();
secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));
// Check that the timestamp has not expired
String timestampStr = params.getTimestamp();
if (timestampStr == null) {
logger.warn("Missing OAuth headers");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
return;
}
long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds
long currentTime = System.currentTimeMillis();
// if the message is older than 5 min it is no good
if (Math.abs(msgTime - currentTime) > 300000) {
logger.warn(
"OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
return;
}
// Verify the signature
try {
if (!OAuthSignature.verify(request, params, secrets)) {
logger.warn("Invalid OAuth signature");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
return;
}
} catch (OAuthSignatureException e) {
logger.warn("OAuth exception", e);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
return;
}
}
filterChain.doFilter(servletRequest, servletResponse);
}