private HttpResponse makeOAuthProblemReport(String code, String text, int rc) throws IOException {
if (vagueErrors) {
return new HttpResponseBuilder()
.setHttpStatusCode(rc)
.setResponseString("some vague error")
.create();
}
OAuthMessage msg = new OAuthMessage(null, null, null);
msg.addParameter("oauth_problem", code);
msg.addParameter("oauth_problem_advice", text);
return new HttpResponseBuilder()
.setHttpStatusCode(rc)
.addHeader("WWW-Authenticate", msg.getAuthorizationHeader("realm"))
.create();
}
/**
* Add some of the parameters needed to request access to a protected resource, if they aren't
* already in the message.
*
* @throws IOException
* @throws URISyntaxException
*/
public void addRequiredParameters(OAuthAccessor accessor)
throws OAuthException, IOException, URISyntaxException {
final Map<String, String> pMap = OAuth.newMap(parameters);
if (pMap.get(OAuth.OAUTH_TOKEN) == null && accessor.accessToken != null) {
addParameter(OAuth.OAUTH_TOKEN, accessor.accessToken);
}
final OAuthConsumer consumer = accessor.consumer;
if (pMap.get(OAuth.OAUTH_CONSUMER_KEY) == null) {
addParameter(OAuth.OAUTH_CONSUMER_KEY, consumer.consumerKey);
}
String signatureMethod = pMap.get(OAuth.OAUTH_SIGNATURE_METHOD);
if (signatureMethod == null) {
signatureMethod = (String) consumer.getProperty(OAuth.OAUTH_SIGNATURE_METHOD);
if (signatureMethod == null) {
signatureMethod = OAuth.HMAC_SHA1;
}
addParameter(OAuth.OAUTH_SIGNATURE_METHOD, signatureMethod);
}
if (pMap.get(OAuth.OAUTH_TIMESTAMP) == null) {
addParameter(OAuth.OAUTH_TIMESTAMP, (System.currentTimeMillis() / 1000) + "");
}
if (pMap.get(OAuth.OAUTH_NONCE) == null) {
addParameter(OAuth.OAUTH_NONCE, System.nanoTime() + "");
}
if (pMap.get(OAuth.OAUTH_VERSION) == null) {
addParameter(OAuth.OAUTH_VERSION, OAuth.VERSION_1_0);
}
if (pMap.get(OAuth.OAUTH_BODY_HASH) == null && bodyAsStream != null) {
addParameter(OAuth.OAUTH_BODY_HASH, getBodyHash());
}
this.sign(accessor);
}
public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request)
throws InvalidAuthenticationException {
OAuthMessage message = OAuthServlet.getMessage(request, null);
if (StringUtils.isEmpty(getParameter(message, OAuth.OAUTH_SIGNATURE))) {
// Is not an oauth request
return null;
}
String bodyHash = getParameter(message, OAuthConstants.OAUTH_BODY_HASH);
if (!StringUtils.isEmpty(bodyHash)) {
verifyBodyHash(request, bodyHash);
}
try {
return verifyMessage(message);
} catch (OAuthProblemException oauthException) {
// Legacy body signing is intended for backwards compatability with opensocial clients
// that assumed they could use the raw request body as a pseudo query param to get
// body signing. This assumption was born out of the limitations of the OAuth 1.0 spec which
// states that request bodies are only signed if they are form-encoded. This lead many clients
// to force a content type of application/x-www-form-urlencoded for xml/json bodies and then
// hope that receiver decoding of the body didnt have encoding issues. This didn't work out
// to well so now these clients are required to specify the correct content type. This code
// lets clients which sign using the old technique to work if they specify the correct content
// type. This support is deprecated and should be removed later.
if (allowLegacyBodySigning
&& (StringUtils.isEmpty(request.getContentType())
|| !request.getContentType().contains(OAuth.FORM_ENCODED))) {
try {
message.addParameter(readBodyString(request), "");
return verifyMessage(message);
} catch (OAuthProblemException ioe) {
// ignore, let original exception be thrown
} catch (IOException e) {
// also ignore;
}
}
throw new InvalidAuthenticationException("OAuth Authentication Failure", oauthException);
}
}
public void addParameter(String key, String value) {
addParameter(new OAuth.Parameter(key, value));
}
