/** * Throw an exception if the nonce has been validated previously. * * @return the earliest point in time at which a call to releaseGarbage will actually release some * garbage, or null to indicate there's nothing currently stored that will become garbage in * future. */ protected Date validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec) throws IOException, OAuthProblemException { UsedNonce nonce = new UsedNonce( timestamp, message.getParameter(OAuth.OAUTH_NONCE), message.getConsumerKey(), message.getToken()); /* * The OAuth standard requires the token to be omitted from the stored * nonce. But I include it, to harmonize with a Consumer that generates * nonces using several independent computers, each with its own token. */ boolean valid = false; synchronized (usedNonces) { valid = usedNonces.add(nonce); } if (!valid) { throw new OAuthProblemException(OAuth.Problems.NONCE_USED); } return removeOldNonces(currentTimeMsec); }
private OAuthEntry getValidatedEntry(OAuthMessage requestMessage) throws IOException, ServletException, OAuthException, URISyntaxException { OAuthEntry entry = dataStore.getEntry(requestMessage.getToken()); if (entry == null) throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED); if (entry.type != OAuthEntry.Type.REQUEST) throw new OAuthProblemException(OAuth.Problems.TOKEN_USED); if (entry.isExpired()) throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED); // find consumer key, compare with supplied value, if present. if (requestMessage.getConsumerKey() == null) { OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT); e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CONSUMER_KEY); throw e; } String consumerKey = entry.consumerKey; if (!consumerKey.equals(requestMessage.getConsumerKey())) throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_REFUSED); OAuthConsumer consumer = dataStore.getConsumer(consumerKey); if (consumer == null) throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN); OAuthAccessor accessor = new OAuthAccessor(consumer); accessor.requestToken = entry.token; accessor.tokenSecret = entry.tokenSecret; VALIDATOR.validateMessage(requestMessage, accessor); return entry; }
///////////////////// // deal with authorization request private void authorizeRequestToken( HttpServletRequest servletRequest, HttpServletResponse servletResponse) throws ServletException, IOException, OAuthException, URISyntaxException { OAuthMessage requestMessage = OAuthServlet.getMessage(servletRequest, null); if (requestMessage.getToken() == null) { // MALFORMED REQUEST servletResponse.sendError( HttpServletResponse.SC_BAD_REQUEST, "Authentication token not found"); return; } OAuthEntry entry = dataStore.getEntry(requestMessage.getToken()); if (entry == null) { servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "OAuth Entry not found"); return; } OAuthConsumer consumer = dataStore.getConsumer(entry.consumerKey); // Extremely rare case where consumer dissappears if (consumer == null) { servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "consumer for entry not found"); return; } // A flag to deal with protocol flaws in OAuth/1.0 Boolean securityThreat_2009_1 = !entry.callbackUrlSigned; // Check for a callback in the oauth entry String callback = entry.callbackUrl; if (callback == null) { // see if there's a callback in the url params callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK); } if (callback == null) { // see if the consumer has a callback callback = consumer.callbackURL; } // The token is disabled if you try to convert to an access token prior to authorization if (entry.type == OAuthEntry.Type.DISABLED) { servletResponse.sendError( HttpServletResponse.SC_FORBIDDEN, "This token is disabled, please reinitate login"); return; } // Redirect to a UI flow if the token is not authorized if (!entry.authorized) { // TBD -- need to decode encrypted payload somehow.. if (this.oauthAuthorizeAction.startsWith("http")) { // Redirect to authorization page with params // Supply standard set of params // TBD } else { // Use internal forward to a jsp page servletRequest.setAttribute("OAUTH_DATASTORE", dataStore); servletRequest.setAttribute("OAUTH_ENTRY", entry); servletRequest.setAttribute("CALLBACK", callback); servletRequest.setAttribute("TOKEN", entry.token); servletRequest.setAttribute("CONSUMER", consumer); servletRequest.setAttribute("SECURITY_THREAT_2009_1", securityThreat_2009_1); servletRequest .getRequestDispatcher(oauthAuthorizeAction) .forward(servletRequest, servletResponse); } return; } // If we're here then the entry has been authorized // redirect to callback if (callback == null || "oob".equals(callback)) { // consumer did not specify a callback servletResponse.setContentType("text/plain"); PrintWriter out = servletResponse.getWriter(); out.write("Token successfully authorized.\n"); if (entry.callbackToken != null) { // Usability fail. out.write("Please enter code " + entry.callbackToken + " at the consumer."); } } else { callback = OAuth.addParameters(callback, OAuth.OAUTH_TOKEN, entry.token); // Add user_id to the callback callback = OAuth.addParameters(callback, "user_id", entry.userId); if (entry.callbackToken != null) { callback = OAuth.addParameters(callback, OAuthConstants.OAUTH_VERIFIER, entry.callbackToken); } servletResponse.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY); servletResponse.setHeader("Location", callback); } }