@GET
@Produces("text/plain")
public String handle(
@QueryParam("file") String file, @QueryParam("size") String size, @Context HttpContext hc) {
OAuthServerRequest osr = new OAuthServerRequest(hc.getRequest());
OAuthSecrets secrets =
new OAuthSecrets().consumerSecret("kd94hf93k423kf44").tokenSecret("pfkkdhi9sl3r4s00");
OAuthParameters params = new OAuthParameters().readRequest(osr);
// ensure query parameters are as expected
assertEquals(file, "vacation.jpg");
assertEquals(size, "original");
// ensure query parameters correctly parsed into OAuth parameters object
assertEquals(params.getConsumerKey(), "dpf43f3p2l4k3l03");
assertEquals(params.getToken(), "nnch734d00sl2jdk");
assertEquals(params.getSignatureMethod(), "HMAC-SHA1");
assertEquals(params.getTimestamp(), "1191242096");
assertEquals(params.getNonce(), "kllo9940pd9333jh");
assertEquals(params.getVersion(), "1.0");
try {
// verify the HMAC-SHA1 signature
assertTrue(OAuthSignature.verify(osr, params, secrets));
} catch (OAuthSignatureException ose) {
fail(ose.getMessage());
}
return "PHOTO";
}
@Override
public void doFilter(
ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
// Skip oauth for local connections
if (!"127.0.0.1".equals(servletRequest.getRemoteAddr())) {
// Read the OAuth parameters from the request
OAuthServletRequest request = new OAuthServletRequest(httpRequest);
OAuthParameters params = new OAuthParameters();
params.readRequest(request);
String consumerKey = params.getConsumerKey();
// Set the secret(s), against which we will verify the request
OAuthSecrets secrets = new OAuthSecrets();
secrets.setConsumerSecret(m_tokenStore.getToken(consumerKey));
// Check that the timestamp has not expired
String timestampStr = params.getTimestamp();
if (timestampStr == null) {
logger.warn("Missing OAuth headers");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing OAuth headers");
return;
}
long msgTime = Util.parseLong(timestampStr) * 1000L; // Message time is in seconds
long currentTime = System.currentTimeMillis();
// if the message is older than 5 min it is no good
if (Math.abs(msgTime - currentTime) > 300000) {
logger.warn(
"OAuth message time out, msg time: " + msgTime + " current time: " + currentTime);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Message expired");
return;
}
// Verify the signature
try {
if (!OAuthSignature.verify(request, params, secrets)) {
logger.warn("Invalid OAuth signature");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth signature");
return;
}
} catch (OAuthSignatureException e) {
logger.warn("OAuth exception", e);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid OAuth request");
return;
}
}
filterChain.doFilter(servletRequest, servletResponse);
}