@Override public void doFilter( ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) servletRequest; HttpServletResponse httpResponse = (HttpServletResponse) servletResponse; // Skip oauth for local connections if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) { // Read the OAuth parameters from the request OAuthServletRequest request = new OAuthServletRequest(httpRequest); OAuthParameters params = new OAuthParameters(); params.readRequest(request); String consumerKey = params.getConsumerKey(); // Set the secret(s), against which we will verify the request OAuthSecrets secrets = new OAuthSecrets(); secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey)); // Check that the timestamp has not expired String timestampStr = params.getTimestamp(); if (timestampStr == null) { logger.warn("Missing OAuth headers"); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers"); return; } long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds long currentTime = System.currentTimeMillis(); // if the message is older than 5 min it is no good if (Math.abs(msgTime - currentTime) > 300000) { logger.warn( "OAuth message time out, msg time: " + msgTime + " current time: " + currentTime); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired"); return; } // Verify the signature try { if (!OAuthSignature.verify(request, params, secrets)) { logger.warn("Invalid OAuth signature"); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature"); return; } } catch (OAuthSignatureException e) { logger.warn("OAuth exception", e); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request"); return; } } filterChain.doFilter(servletRequest, servletResponse); }
public void testRSASHA1() { DummyRequest request = new DummyRequest() .requestMethod("GET") .requestURL("http://photos.example.net/photos") .parameterValue("file", "vacaction.jpg") .parameterValue("size", "original"); OAuthParameters params = new OAuthParameters() .realm(REALM) .consumerKey(CONSUMER_KEY) .signatureMethod(RSA_SIGNATURE_METHOD) .timestamp(RSA_TIMESTAMP) .nonce(RSA_NONCE) .version(VERSION); OAuthSecrets secrets = new OAuthSecrets().consumerSecret(RSA_PRIVKEY); // generate digital signature; ensure it matches the OAuth spec String signature = null; try { signature = OAuthSignature.generate(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } assertEquals(signature, RSA_SIGNATURE); OAuthParameters saved = (OAuthParameters) params.clone(); try { // sign the request; clear params; parse params from request; ensure they match original OAuthSignature.sign(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } // signing the request should not have modified the original parameters assertTrue(params.equals(saved)); assertTrue(params.getSignature() == null); params = new OAuthParameters(); params.readRequest(request); assertEquals(params.getRealm(), REALM); assertEquals(params.getConsumerKey(), CONSUMER_KEY); // assertEquals(params.getToken(), ACCESS_TOKEN); assertEquals(params.getSignatureMethod(), RSA_SIGNATURE_METHOD); assertEquals(params.getTimestamp(), RSA_TIMESTAMP); assertEquals(params.getNonce(), RSA_NONCE); assertEquals(params.getVersion(), VERSION); assertEquals(params.getSignature(), RSA_SIGNATURE); // perform the same encoding as done by OAuthParameters.writeRequest // to see if the encoded signature will match assertEquals( UriComponent.encode(params.getSignature(), UriComponent.Type.UNRESERVED), RSA_SIGNATURE_ENCODED); secrets = new OAuthSecrets().consumerSecret(RSA_CERTIFICATE); try { // verify signature using request that was just signed assertTrue(OAuthSignature.verify(request, params, secrets)); } catch (OAuthSignatureException se) { fail(se.getMessage()); } }
/** * Test a Twitter status update. * * <p>Specifically, this test includes some characters (spaces) in one of the parameters which * were incorrectly encoded (as '+' instead of "%20") with the original encoding routine. */ public void testTwitterSig() { final String TWITTERTEST_SIGNATURE = "yfrn/p/4Hnp+XcwUBVfW0cSgc+o="; final String TWITTERTEST_SIGNATURE_ENC = "yfrn%2Fp%2F4Hnp%2BXcwUBVfW0cSgc%2Bo%3D"; DummyRequest request = new DummyRequest() .requestMethod("POST") .requestURL("http://twitter.com/statuses/update.json") .parameterValue("status", "Hello Twitter World"); OAuthParameters params = new OAuthParameters() .consumerKey(CONSUMER_KEY) .token(ACCESS_TOKEN) .signatureMethod(SIGNATURE_METHOD) .timestamp(TIMESTAMP) .nonce(NONCE) .version(VERSION); OAuthSecrets secrets = new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00"); // generate digital signature; ensure it matches the OAuth spec String signature = null; try { signature = OAuthSignature.generate(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } assertEquals(signature, TWITTERTEST_SIGNATURE); OAuthParameters saved = (OAuthParameters) params.clone(); try { // sign the request; clear params; parse params from request; // ensure they match original OAuthSignature.sign(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } // signing the request should not have modified the original parameters assertTrue(params.equals(saved)); assertTrue(params.getSignature() == null); params = new OAuthParameters(); params.readRequest(request); assertEquals(params.getConsumerKey(), CONSUMER_KEY); assertEquals(params.getToken(), ACCESS_TOKEN); assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD); assertEquals(params.getTimestamp(), TIMESTAMP); assertEquals(params.getNonce(), NONCE); assertEquals(params.getVersion(), VERSION); assertEquals(params.getSignature(), TWITTERTEST_SIGNATURE); try { // verify signature using request that was just signed assertTrue(OAuthSignature.verify(request, params, secrets)); } catch (OAuthSignatureException se) { fail(se.getMessage()); } }
/** Perform the test. */ public void testHMACSHA1() { DummyRequest request = new DummyRequest() .requestMethod("GET") .requestURL("http://photos.example.net/photos") .parameterValue("file", "vacation.jpg") .parameterValue("size", "original"); OAuthParameters params = new OAuthParameters() .realm(REALM) .consumerKey(CONSUMER_KEY) .token(ACCESS_TOKEN) .signatureMethod(SIGNATURE_METHOD) .timestamp(TIMESTAMP) .nonce(NONCE) .version(VERSION); OAuthSecrets secrets = new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00"); // generate digital signature; ensure it matches the OAuth spec String signature = null; try { signature = OAuthSignature.generate(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } assertEquals(signature, SIGNATURE); OAuthParameters saved = (OAuthParameters) params.clone(); try { // sign the request; clear params; parse params from request; ensure they match original OAuthSignature.sign(request, params, secrets); } catch (OAuthSignatureException se) { fail(se.getMessage()); } // signing the request should not have modified the original parameters assertTrue(params.equals(saved)); assertTrue(params.getSignature() == null); params = new OAuthParameters(); params.readRequest(request); assertEquals(params.getRealm(), REALM); assertEquals(params.getConsumerKey(), CONSUMER_KEY); assertEquals(params.getToken(), ACCESS_TOKEN); assertEquals(params.getSignatureMethod(), SIGNATURE_METHOD); assertEquals(params.getTimestamp(), TIMESTAMP); assertEquals(params.getNonce(), NONCE); assertEquals(params.getVersion(), VERSION); assertEquals(params.getSignature(), SIGNATURE); try { // verify signature using request that was just signed assertTrue(OAuthSignature.verify(request, params, secrets)); } catch (OAuthSignatureException se) { fail(se.getMessage()); } }