コード例 #1
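 /**
  * Validates the OAuth signature on {@code info.message} and then enforces the
  * oauth_body_hash rules that apply to the request's signature type.
  *
  * <p>Order matters: the signature check runs first, so by the time the body hash is
  * compared the {@code oauth_body_hash} parameter is itself covered by a verified
  * signature. A mismatch therefore means the body differs from what the signer hashed.
  *
  * @param accessor      consumer/token credentials used to verify the signature
  * @param info          the parsed OAuth message plus the raw request it came from
  * @param tokenEndpoint true when the request targets a token endpoint, where
  *                      oauth_body_hash is never permitted
  * @throws OAuthException     declared for the underlying message validation
  * @throws IOException        declared for the underlying message validation
  * @throws URISyntaxException declared for the underlying message validation
  * @throws RuntimeException   if the body hash is present where forbidden, missing
  *                            where required, or does not match the raw body
  */
 private void validateMessage(OAuthAccessor accessor, MessageInfo info, boolean tokenEndpoint)
     throws OAuthException, IOException, URISyntaxException {
   info.message.validateMessage(accessor, new FakeTimeOAuthValidator());
   String bodyHash = info.message.getParameter("oauth_body_hash");
   if (tokenEndpoint && bodyHash != null) {
     throw new RuntimeException("Can't have body hash on token endpoints");
   }
   SignatureType sigType =
       OAuthUtil.getSignatureType(tokenEndpoint, info.request.getHeader("Content-Type"));
   switch (sigType) {
     case URL_ONLY:
       // No body is covered by the signature; a body hash parameter is not checked here.
       break;
     case URL_AND_FORM_PARAMS:
       // Form parameters are signed directly, so a body hash must not also be present.
       if (bodyHash != null) {
         throw new RuntimeException("Can't have body hash in form-encoded request");
       }
       break;
     case URL_AND_BODY_HASH:
       if (bodyHash == null) {
         throw new RuntimeException("Requiring oauth_body_hash parameter");
       }
       byte[] received = Base64.decodeBase64(CharsetUtil.getUtf8Bytes(bodyHash));
       byte[] expected = DigestUtils.sha(info.rawBody);
       // MessageDigest.isEqual is the idiomatic digest comparison: it does not short-circuit
       // on the first differing byte (the hash here is not secret, so this is hygiene rather
       // than a hard requirement) and it handles differing lengths without throwing.
       if (!java.security.MessageDigest.isEqual(received, expected)) {
         throw new RuntimeException("oauth_body_hash mismatch");
       }
       break;
     default:
       // Fail closed if SignatureType ever gains a value this check does not know about.
       throw new RuntimeException("Unhandled signature type: " + sigType);
   }
 }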
コード例 #2
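 /**
  * Verifies that the supplied {@code oauth_body_hash} matches the SHA-1 digest of the
  * request body.
  *
  * <p>Body hashing is rejected outright for form-encoded requests: form parameters are
  * signed directly, so a body hash has no place there. A request with no Content-Type
  * at all is allowed through to the hash comparison.
  *
  * @param request       the incoming request; its body is read via {@code readBody}
  * @param oauthBodyHash the base64-encoded hash value sent by the client
  * @throws InvalidAuthenticationException if the hash is missing, the Content-Type is
  *         form-encoded, the body cannot be read, or the hash does not match the body
  */
 public static void verifyBodyHash(HttpServletRequest request, String oauthBodyHash)
     throws InvalidAuthenticationException {
   // Fail closed with an authentication error rather than an NPE further down.
   if (oauthBodyHash == null) {
     throw new AuthenticationHandler.InvalidAuthenticationException(
         "Missing oauth_body_hash parameter", null);
   }
   String contentType = request.getContentType();
   // Body hash signing is not permitted for form-encoded data.
   if (contentType != null && contentType.contains(OAuth.FORM_ENCODED)) {
     throw new AuthenticationHandler.InvalidAuthenticationException(
         "Cannot use oauth_body_hash with a Content-Type of application/x-www-form-urlencoded",
         null);
   }
   byte[] rawBody;
   try {
     rawBody = readBody(request);
   } catch (IOException ioe) {
     // NOTE(review): the second constructor argument is passed as null, as in the original;
     // if it is a Throwable cause, passing ioe here would preserve the stack trace.
     throw new AuthenticationHandler.InvalidAuthenticationException(
         "Unable to read content body for oauth_body_hash verification", null);
   }
   byte[] received = Base64.decodeBase64(CharsetUtil.getUtf8Bytes(oauthBodyHash));
   byte[] expected = DigestUtils.sha(rawBody);
   // MessageDigest.isEqual is the idiomatic digest comparison: no early exit on the first
   // differing byte and safe for arrays of different length (a malformed base64 value
   // decodes to something other than 20 bytes and simply fails to match).
   if (!java.security.MessageDigest.isEqual(received, expected)) {
     throw new AuthenticationHandler.InvalidAuthenticationException(
         "oauth_body_hash failed verification", null);
   }
 }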