[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Antonio Sanso (JIRA) Sat, 21 Apr 2012 01:11:16 -0700

    [ 
https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258807#comment-13258807
 ]


Antonio Sanso commented on AMBER-15:
------------------------------------

Hi Sanada, 

I basically agree with your analysis and I am not against getting rid of the 
Oauth 1.0 check (as also highlighted in other comments here).
The basic point here is different though.

If you run the test I have added in my patch 

testCreateBodyHeaderMixedTokensAndWrongVersion 

that is basically the original testCreateBodyHeaderMixedTokens and apply your 
patch the build fails.
Instead without your patch it correctly succeed.

Now, apart your patch, I have been trying to figure out the original issue that 
led Ben to open this ticket but I could not figure out.

Any thought?


                
> [oauth2-resourceserver] resource access validation always fails if there is 
> more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in 
> OAuthAccessResourceRequest.validate(). Two of the validators will throw and 
> the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] 
> but one edge case is that a request with a 2.0 query token and 1.0 
> authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. 
> BodyOAuthValidator always throws that when the request isn't 
> application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth 
> abc123,oauth_signature_method="HMAC-SHA1"' 
> http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Reply via email to