[
https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257377#comment-13257377
]
sndyuk commented on AMBER-15:
-----------------------------
I wrote the patch.
I think it is correct code that confirmed to OAuth 2.0.
https://github.com/apache/amber/pull/1
What do you think?
> [oauth2-resourceserver] resource access validation always fails if there is
> more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
> Key: AMBER-15
> URL: https://issues.apache.org/jira/browse/AMBER-15
> Project: Amber
> Issue Type: Bug
> Components: Server
> Reporter: Ben Noordhuis
> Assignee: Antonio Sanso
>
> Why? Because the headers, body and query validators are tried in turn in
> OAuthAccessResourceRequest.validate(). Two of the validators will throw and
> the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1]
> but one edge case is that a request with a 2.0 query token and 1.0
> authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either.
> BodyOAuthValidator always throws that when the request isn't
> application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth
> abc123,oauth_signature_method="HMAC-SHA1"'
> http://localhost:8080/?oauth_token=abc123
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
