@Override
public void doFilter(
ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
// Skip oauth for local connections
if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
// Read the OAuth parameters from the request
OAuthServletRequest request = new OAuthServletRequest(httpRequest);
OAuthParameters params = new OAuthParameters();
params.readRequest(request);
String consumerKey = params.getConsumerKey();
// Set the secret(s), against which we will verify the request
OAuthSecrets secrets = new OAuthSecrets();
secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));
// Check that the timestamp has not expired
String timestampStr = params.getTimestamp();
if (timestampStr == null) {
logger.warn("Missing OAuth headers");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
return;
}
long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds
long currentTime = System.currentTimeMillis();
// if the message is older than 5 min it is no good
if (Math.abs(msgTime - currentTime) > 300000) {
logger.warn(
"OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
return;
}
// Verify the signature
try {
if (!OAuthSignature.verify(request, params, secrets)) {
logger.warn("Invalid OAuth signature");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
return;
}
} catch (OAuthSignatureException e) {
logger.warn("OAuth exception", e);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
return;
}
}
filterChain.doFilter(servletRequest, servletResponse);
}
protected ArrayList<NameValuePair> buildParameters(OAuthParameters params) {
ArrayList<NameValuePair> tuples = new ArrayList<NameValuePair>();
tuples.add(new BasicNameValuePair(OAuthConstants.MODE, "client_auth"));
params.put(OAuthConstants.MODE, "client_auth");
tuples.add(new BasicNameValuePair(OAuthConstants.USERNAME, username));
params.put(OAuthConstants.USERNAME, username);
tuples.add(new BasicNameValuePair(OAuthConstants.PASSWORD, password));
params.put(OAuthConstants.PASSWORD, password);
return tuples;
}
protected ArrayList<NameValuePair> buildParameters(OAuthParameters params) {
ArrayList<NameValuePair> tuples = new ArrayList<NameValuePair>();
tuples.add(new BasicNameValuePair(OAuthConstants.MODE, "twitter_auth"));
params.put(OAuthConstants.MODE, "twitter_auth");
tuples.add(new BasicNameValuePair(OAuthConstants.X_TOKEN, twitterToken));
params.put(OAuthConstants.X_TOKEN, twitterToken);
tuples.add(new BasicNameValuePair(OAuthConstants.X_SECRET, twitterSecret));
params.put(OAuthConstants.X_SECRET, twitterSecret);
return tuples;
}
private String getSignatureBaseString(HttpPost req, OAuthParameters params) {
final String method = req.getMethod();
final String url = Uri.encode(req.getURI().toString());
final String sortedParams = Uri.encode(params.getSortedEncodedParamsAsString());
return method + '&' + url + '&' + sortedParams;
}
public void signForAccessToken(HttpPost req) throws FiveHundredException {
OAuthParameters params = new OAuthParameters(this.consumerKey);
final ArrayList<NameValuePair> tuples = buildParameters(params);
params.put(OAuthConstants.TOKEN, this.tokenKey);
// generate the base string for signature.
String str = getSignatureBaseString(req, params);
str = getSignature(str, consumerSecret, this.tokenSecret);
params.put(OAuthConstants.SIGNATURE, str);
// get the authorization header
str = params.getAuthorizationHeaderValue();
req.addHeader(OAuthConstants.HEADER, str);
try {
req.setEntity(new UrlEncodedFormEntity(tuples));
} catch (UnsupportedEncodingException e) {
throw new FiveHundredException(e);
}
}
/**
* Test a Twitter status update.
*
* <p>Specifically, this test includes some characters (spaces) in one of the parameters which
* were incorrectly encoded (as '+' instead of "%20") with the original encoding routine.
*/
public void testTwitterSig() {
final String TWITTERTEST_SIGNATURE = "yfrn/p/4Hnp+XcwUBVfW0cSgc+o=";
final String TWITTERTEST_SIGNATURE_ENC = "yfrn%2Fp%2F4Hnp%2BXcwUBVfW0cSgc%2Bo%3D";
DummyRequest request =
new DummyRequest()
.requestMethod("POST")
.requestURL("http://twitter.com/statuses/update.json")
.parameterValue("status", "Hello Twitter World");
OAuthParameters params =
new OAuthParameters()
.consumerKey(CONSUMER_KEY)
.token(ACCESS_TOKEN)
.signatureMethod(SIGNATURE_METHOD)
.timestamp(TIMESTAMP)
.nonce(NONCE)
.version(VERSION);
OAuthSecrets secrets =
new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");
// generate digital signature; ensure it matches the OAuth spec
String signature = null;
try {
signature = OAuthSignature.generate(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
assertEquals(signature, TWITTERTEST_SIGNATURE);
OAuthParameters saved = (OAuthParameters) params.clone();
try {
// sign the request; clear params; parse params from request;
// ensure they match original
OAuthSignature.sign(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
// signing the request should not have modified the original parameters
assertTrue(params.equals(saved));
assertTrue(params.getSignature() == null);
params = new OAuthParameters();
params.readRequest(request);
assertEquals(params.getConsumerKey(), CONSUMER_KEY);
assertEquals(params.getToken(), ACCESS_TOKEN);
assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD);
assertEquals(params.getTimestamp(), TIMESTAMP);
assertEquals(params.getNonce(), NONCE);
assertEquals(params.getVersion(), VERSION);
assertEquals(params.getSignature(), TWITTERTEST_SIGNATURE);
try {
// verify signature using request that was just signed
assertTrue(OAuthSignature.verify(request, params, secrets));
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
}
public void testRSASHA1() {
DummyRequest request =
new DummyRequest()
.requestMethod("GET")
.requestURL("http://photos.example.net/photos")
.parameterValue("file", "vacaction.jpg")
.parameterValue("size", "original");
OAuthParameters params =
new OAuthParameters()
.realm(REALM)
.consumerKey(CONSUMER_KEY)
.signatureMethod(RSA_SIGNATURE_METHOD)
.timestamp(RSA_TIMESTAMP)
.nonce(RSA_NONCE)
.version(VERSION);
OAuthSecrets secrets = new OAuthSecrets().consumerSecret(RSA_PRIVKEY);
// generate digital signature; ensure it matches the OAuth spec
String signature = null;
try {
signature = OAuthSignature.generate(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
assertEquals(signature, RSA_SIGNATURE);
OAuthParameters saved = (OAuthParameters) params.clone();
try {
// sign the request; clear params; parse params from request; ensure they match original
OAuthSignature.sign(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
// signing the request should not have modified the original parameters
assertTrue(params.equals(saved));
assertTrue(params.getSignature() == null);
params = new OAuthParameters();
params.readRequest(request);
assertEquals(params.getRealm(), REALM);
assertEquals(params.getConsumerKey(), CONSUMER_KEY);
// assertEquals(params.getToken(), ACCESS_TOKEN);
assertEquals(params.getSignatureMethod(), RSA_SIGNATURE_METHOD);
assertEquals(params.getTimestamp(), RSA_TIMESTAMP);
assertEquals(params.getNonce(), RSA_NONCE);
assertEquals(params.getVersion(), VERSION);
assertEquals(params.getSignature(), RSA_SIGNATURE);
// perform the same encoding as done by OAuthParameters.writeRequest
// to see if the encoded signature will match
assertEquals(
UriComponent.encode(params.getSignature(), UriComponent.Type.UNRESERVED),
RSA_SIGNATURE_ENCODED);
secrets = new OAuthSecrets().consumerSecret(RSA_CERTIFICATE);
try {
// verify signature using request that was just signed
assertTrue(OAuthSignature.verify(request, params, secrets));
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
}
/** Perform the test. */
public void testHMACSHA1() {
DummyRequest request =
new DummyRequest()
.requestMethod("GET")
.requestURL("http://photos.example.net/photos")
.parameterValue("file", "vacation.jpg")
.parameterValue("size", "original");
OAuthParameters params =
new OAuthParameters()
.realm(REALM)
.consumerKey(CONSUMER_KEY)
.token(ACCESS_TOKEN)
.signatureMethod(SIGNATURE_METHOD)
.timestamp(TIMESTAMP)
.nonce(NONCE)
.version(VERSION);
OAuthSecrets secrets =
new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");
// generate digital signature; ensure it matches the OAuth spec
String signature = null;
try {
signature = OAuthSignature.generate(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
assertEquals(signature, SIGNATURE);
OAuthParameters saved = (OAuthParameters) params.clone();
try {
// sign the request; clear params; parse params from request; ensure they match original
OAuthSignature.sign(request, params, secrets);
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
// signing the request should not have modified the original parameters
assertTrue(params.equals(saved));
assertTrue(params.getSignature() == null);
params = new OAuthParameters();
params.readRequest(request);
assertEquals(params.getRealm(), REALM);
assertEquals(params.getConsumerKey(), CONSUMER_KEY);
assertEquals(params.getToken(), ACCESS_TOKEN);
assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD);
assertEquals(params.getTimestamp(), TIMESTAMP);
assertEquals(params.getNonce(), NONCE);
assertEquals(params.getVersion(), VERSION);
assertEquals(params.getSignature(), SIGNATURE);
try {
// verify signature using request that was just signed
assertTrue(OAuthSignature.verify(request, params, secrets));
} catch (OAuthSignatureException se) {
fail(se.getMessage());
}
}
