Example #1
0
  @GET
  @Produces("text/plain")
  public String handle(
      @QueryParam("file") String file, @QueryParam("size") String size, @Context HttpContext hc) {

    OAuthServerRequest osr = new OAuthServerRequest(hc.getRequest());

    OAuthSecrets secrets =
        new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");

    OAuthParameters params = new OAuthParameters().readRequest(osr);

    // ensure query parameters are as expected
    assertEquals(file, "vacation.jpg");
    assertEquals(size, "original");

    // ensure query parameters correctly parsed into OAuth parameters object
    assertEquals(params.getConsumerKey(), "dpf43f3p2l4k3l03");
    assertEquals(params.getToken(), "nnch734d00sl2jdk");
    assertEquals(params.getSignatureMethod(), "HMAC-SHA1");
    assertEquals(params.getTimestamp(), "1191242096");
    assertEquals(params.getNonce(), "kllo9940pd9333jh");
    assertEquals(params.getVersion(), "1.0");

    try {
      // verify the HMAC-SHA1 signature
      assertTrue(OAuthSignature.verify(osr, params, secrets));
    } catch (OAuthSignatureException ose) {
      fail(ose.getMessage());
    }

    return "PHOTO";
  }
Example #2
0
  @Override
  public void doFilter(
      ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
      throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    // Skip oauth for local connections
    if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
      // Read the OAuth parameters from the request
      OAuthServletRequest request = new OAuthServletRequest(httpRequest);
      OAuthParameters params = new OAuthParameters();
      params.readRequest(request);

      String consumerKey = params.getConsumerKey();

      // Set the secret(s), against which we will verify the request
      OAuthSecrets secrets = new OAuthSecrets();
      secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));

      // Check that the timestamp has not expired
      String timestampStr = params.getTimestamp();
      if (timestampStr == null) {
        logger.warn("Missing OAuth headers");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
        return;
      }

      long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds
      long currentTime = System.currentTimeMillis();

      // if the message is older than 5 min it is no good
      if (Math.abs(msgTime - currentTime) > 300000) {
        logger.warn(
            "OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
        return;
      }

      // Verify the signature
      try {
        if (!OAuthSignature.verify(request, params, secrets)) {
          logger.warn("Invalid OAuth signature");

          httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
          return;
        }
      } catch (OAuthSignatureException e) {
        logger.warn("OAuth exception", e);

        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
        return;
      }
    }

    filterChain.doFilter(servletRequest, servletResponse);
  }