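  /**
   * Authenticates every non-local request with its OAuth 1.0 signature before passing it down the
   * chain; any failure ends the request with a 401 and the rest of the chain is not invoked.
   *
   * <p>Requests whose remote address is exactly the IPv4 loopback {@code 127.0.0.1} skip
   * authentication. NOTE(review): the IPv6 loopback is not matched, and if a reverse proxy runs on
   * this host every proxied request arrives from 127.0.0.1 and bypasses OAuth — confirm the
   * deployment. Only the timestamp is checked for freshness; no nonce bookkeeping happens in this
   * filter, so unless it is done elsewhere a captured request can be replayed for up to five
   * minutes.
   *
   * @param servletRequest the incoming request, expected to be an {@link HttpServletRequest}
   * @param servletResponse the response, expected to be an {@link HttpServletResponse}
   * @param filterChain the rest of the chain, invoked only when the request is local or verified
   * @throws IOException if writing the error response or the rest of the chain fails
   * @throws ServletException if the rest of the chain fails
   */
  @Override
  public void doFilter(
      ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
      throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    // Skip oauth for local connections (IPv4 loopback only, see the Javadoc caveat)
    if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
      // Read the OAuth parameters from the request
      OAuthServletRequest request = new OAuthServletRequest(httpRequest);
      OAuthParameters params = new OAuthParameters();
      params.readRequest(request);

      // Both the timestamp and the consumer key are mandatory; reject before any lookup
      String timestampStr = params.getTimestamp();
      String consumerKey = params.getConsumerKey();
      if (timestampStr == null || consumerKey == null) {
        logger.warn("Missing OAuth headers");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
        return;
      }

      // Check that the timestamp has not expired: more than 5 min from now in either direction
      // is no good. The *Exact arithmetic turns a wrapped-around value into a rejection, and the
      // two-sided comparison avoids Math.abs(), which is negative for Long.MIN_VALUE.
      final long maxSkewMillis = 5L * 60L * 1000L;
      long currentTime = System.currentTimeMillis();
      long msgTime;
      long skew;
      try {
        // Message time is in seconds
        msgTime = Math.multiplyExact(Util.parseLong(timestampStr), 1000L);
        skew = Math.subtractExact(msgTime, currentTime);
      } catch (NumberFormatException | ArithmeticException e) {
        // The raw value is untrusted input; deliberately not echoed into the log
        logger.warn("Invalid OAuth timestamp");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
        return;
      }
      if (skew > maxSkewMillis || skew < -maxSkewMillis) {
        logger.warn(
            "OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
        return;
      }

      // Set the secret(s), against which we will verify the request. An unknown consumer key
      // must fail closed here rather than depend on how verify() treats a null secret.
      OAuthSecrets secrets = new OAuthSecrets();
      secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));
      if (secrets.getConsumerSecret() == null) {
        logger.warn("Unknown OAuth consumer key");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
        return;
      }

      // Verify the signature; a malformed request surfaces as OAuthSignatureException and is
      // reported with the same status as a bad signature
      try {
        if (!OAuthSignature.verify(request, params, secrets)) {
          logger.warn("Invalid OAuth signature");

          httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
          return;
        }
      } catch (OAuthSignatureException e) {
        logger.warn("OAuth exception", e);

        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
        return;
      }
    }

    filterChain.doFilter(servletRequest, servletResponse);
  }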
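  /**
   * Exercises RSA-SHA1 signing and verification end to end: generate a signature and compare it
   * with the known-good value, sign a request without mutating the caller's parameters, read the
   * parameters back from the signed request, verify the signature with the certificate, and
   * finally confirm that a request with different content does not verify.
   *
   * <p>The file name is spelled "vacaction.jpg" on purpose: {@code RSA_SIGNATURE} is computed over
   * exactly that string (it appears to be the well-known RSA-SHA1 test vector), so correcting it
   * would break the expected value. Signing uses the private key as the consumer secret and
   * verification the certificate, mirroring what a client and a server respectively hold.
   */
  public void testRSASHA1() {
    DummyRequest request =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacaction.jpg") // sic: the expected signature covers this spelling
            .parameterValue("size", "original");

    OAuthParameters params =
        new OAuthParameters()
            .realm(REALM)
            .consumerKey(CONSUMER_KEY)
            .signatureMethod(RSA_SIGNATURE_METHOD)
            .timestamp(RSA_TIMESTAMP)
            .nonce(RSA_NONCE)
            .version(VERSION);

    // the signer holds the private key
    OAuthSecrets secrets = new OAuthSecrets().consumerSecret(RSA_PRIVKEY);

    // generate digital signature; ensure it matches the known-good value
    String signature = null;
    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signature generation failed", se);
    }
    assertEquals(RSA_SIGNATURE, signature);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request; ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signing failed", se);
    }

    // signing the request should not have modified the original parameters
    assertEquals(saved, params);
    assertNull(params.getSignature());

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(REALM, params.getRealm());
    assertEquals(CONSUMER_KEY, params.getConsumerKey());
    // no access token in this vector, so params.getToken() is intentionally not checked
    assertEquals(RSA_SIGNATURE_METHOD, params.getSignatureMethod());
    assertEquals(RSA_TIMESTAMP, params.getTimestamp());
    assertEquals(RSA_NONCE, params.getNonce());
    assertEquals(VERSION, params.getVersion());
    assertEquals(RSA_SIGNATURE, params.getSignature());

    // perform the same encoding as done by OAuthParameters.writeRequest
    // to see if the encoded signature will match
    assertEquals(
        RSA_SIGNATURE_ENCODED,
        UriComponent.encode(params.getSignature(), UriComponent.Type.UNRESERVED));

    // the verifier holds only the certificate
    secrets = new OAuthSecrets().consumerSecret(RSA_CERTIFICATE);
    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification failed", se);
    }

    // a request whose signed content differs must not verify against the same signature
    DummyRequest tampered =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacaction.jpg")
            .parameterValue("size", "large");
    try {
      assertFalse(OAuthSignature.verify(tampered, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification of tampered request threw", se);
    }
  }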
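  /**
   * Test a Twitter status update signed with HMAC-SHA1.
   *
   * <p>Specifically, this test includes some characters (spaces) in one of the parameters which
   * were incorrectly encoded (as '+' instead of "%20") by the original encoding routine; the
   * expected signature pins the "%20" encoding. The consumer and token secrets are the published
   * example credentials from the OAuth 1.0 specification, not real secrets. The test ends by
   * checking that a request with a different status does not verify against the same signature.
   */
  public void testTwitterSig() {
    final String TWITTERTEST_SIGNATURE = "yfrn/p/4Hnp+XcwUBVfW0cSgc+o=";
    final String TWITTERTEST_SIGNATURE_ENC = "yfrn%2Fp%2F4Hnp%2BXcwUBVfW0cSgc%2Bo%3D";

    DummyRequest request =
        new DummyRequest()
            .requestMethod("POST")
            .requestURL("http://twitter.com/statuses/update.json")
            .parameterValue("status", "Hello Twitter World");

    OAuthParameters params =
        new OAuthParameters()
            .consumerKey(CONSUMER_KEY)
            .token(ACCESS_TOKEN)
            .signatureMethod(SIGNATURE_METHOD)
            .timestamp(TIMESTAMP)
            .nonce(NONCE)
            .version(VERSION);

    // spec example credentials (see Javadoc)
    OAuthSecrets secrets =
        new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");

    // generate digital signature; ensure it matches the known-good value
    String signature = null;
    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signature generation failed", se);
    }
    assertEquals(TWITTERTEST_SIGNATURE, signature);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request;
      // ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signing failed", se);
    }

    // signing the request should not have modified the original parameters
    assertEquals(saved, params);
    assertNull(params.getSignature());

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(CONSUMER_KEY, params.getConsumerKey());
    assertEquals(ACCESS_TOKEN, params.getToken());
    assertEquals(SIGNATURE_METHOD, params.getSignatureMethod());
    assertEquals(TIMESTAMP, params.getTimestamp());
    assertEquals(NONCE, params.getNonce());
    assertEquals(VERSION, params.getVersion());
    assertEquals(TWITTERTEST_SIGNATURE, params.getSignature());

    // the encoded form is what writeRequest puts on the wire
    assertEquals(
        TWITTERTEST_SIGNATURE_ENC,
        UriComponent.encode(params.getSignature(), UriComponent.Type.UNRESERVED));

    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification failed", se);
    }

    // a request whose signed content differs must not verify against the same signature
    DummyRequest tampered =
        new DummyRequest()
            .requestMethod("POST")
            .requestURL("http://twitter.com/statuses/update.json")
            .parameterValue("status", "Goodbye Twitter World");
    try {
      assertFalse(OAuthSignature.verify(tampered, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification of tampered request threw", se);
    }
  }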
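  /**
   * Exercises HMAC-SHA1 signing and verification end to end: generate a signature and compare it
   * with the known-good value, sign a request without mutating the caller's parameters, read the
   * parameters back from the signed request, verify the signature, and finally confirm that a
   * request with different content does not verify.
   *
   * <p>The request, parameters and secrets are the published worked example from the OAuth 1.0
   * specification, so the consumer and token secrets below are not real credentials.
   */
  public void testHMACSHA1() {

    DummyRequest request =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacation.jpg")
            .parameterValue("size", "original");

    OAuthParameters params =
        new OAuthParameters()
            .realm(REALM)
            .consumerKey(CONSUMER_KEY)
            .token(ACCESS_TOKEN)
            .signatureMethod(SIGNATURE_METHOD)
            .timestamp(TIMESTAMP)
            .nonce(NONCE)
            .version(VERSION);

    // spec example credentials (see Javadoc)
    OAuthSecrets secrets =
        new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");

    // generate digital signature; ensure it matches the known-good value
    String signature = null;
    try {
      signature = OAuthSignature.generate(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signature generation failed", se);
    }
    assertEquals(SIGNATURE, signature);

    OAuthParameters saved = (OAuthParameters) params.clone();

    try {
      // sign the request; clear params; parse params from request; ensure they match original
      OAuthSignature.sign(request, params, secrets);
    } catch (OAuthSignatureException se) {
      throw new AssertionError("signing failed", se);
    }

    // signing the request should not have modified the original parameters
    assertEquals(saved, params);
    assertNull(params.getSignature());

    params = new OAuthParameters();
    params.readRequest(request);
    assertEquals(REALM, params.getRealm());
    assertEquals(CONSUMER_KEY, params.getConsumerKey());
    assertEquals(ACCESS_TOKEN, params.getToken());
    assertEquals(SIGNATURE_METHOD, params.getSignatureMethod());
    assertEquals(TIMESTAMP, params.getTimestamp());
    assertEquals(NONCE, params.getNonce());
    assertEquals(VERSION, params.getVersion());
    assertEquals(SIGNATURE, params.getSignature());

    try {
      // verify signature using request that was just signed
      assertTrue(OAuthSignature.verify(request, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification failed", se);
    }

    // a request whose signed content differs must not verify against the same signature
    DummyRequest tampered =
        new DummyRequest()
            .requestMethod("GET")
            .requestURL("http://photos.example.net/photos")
            .parameterValue("file", "vacation.jpg")
            .parameterValue("size", "large");
    try {
      assertFalse(OAuthSignature.verify(tampered, params, secrets));
    } catch (OAuthSignatureException se) {
      throw new AssertionError("verification of tampered request threw", se);
    }
  }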