Hi, It's probably in the same area but not the same. My fix solves the issue that the validator/extractor accidentally destructs the HTTP POST/PUT payload when the Content-Type is application/x-www-form-urlencoded as the HttpServletRequest's parameter related methods try to decode the parameters from the body.
For AMBER-15, there are two things to consider: 1) We need to make sure the list of parameter style validators/extractors don't interfere with each other 2) We also want to make sure that only one access token is used. The current seems to be fine even though we try to construct the exception instances. I tested Query/Header styles but not the body one. Do we have a test case showing the problem?

Thanks,
Raymond

On May 2, 2012, at 8:12 AM, Antonio Sanso wrote:

> Good stuff Raymond.
>
> Does this fix/is related to AMBER-15?
>
> Thanks
>
> Antonio
>
> On May 1, 2012, at 5:34 AM, <[email protected]> <[email protected]> wrote:
>
>> Author: rfeng
>> Date: Tue May 1 03:34:41 2012
>> New Revision: 1332515
>>
>> URL: http://svn.apache.org/viewvc?rev=1332515&view=rev
>> Log:
>> Fix the code to not mess up with HTTP POST body
>>
>> Modified:
>>
>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java
>>
>> Modified: >> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >> URL: >> http://svn.apache.org/viewvc/incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java?rev=1332515&r1=1332514&r2=1332515&view=diff >> ============================================================================== >> --- >> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >> (original) >> +++ >> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >> Tue May 1 03:34:41 2012
>> @@ -21,6 +21,9 @@ >> >> package org.apache.amber.oauth2.rs.extractor; >> >> +import java.io.UnsupportedEncodingException; >> +import java.net.URLDecoder; >> + >> import javax.servlet.http.HttpServletRequest; >> >> import org.apache.amber.oauth2.common.OAuth; >> @@ -34,16 +37,48 @@ public class BearerQueryTokenExtractor i >> >> @Override >> public String getAccessToken(HttpServletRequest request) { >> - String token = request.getParameter(OAuth.OAUTH_BEARER_TOKEN); >> + String token = getQueryParameter(request, OAuth.OAUTH_BEARER_TOKEN); >> if (token == null) { >> - token = request.getParameter(OAuth.OAUTH_TOKEN); >> + token = getQueryParameter(request, OAuth.OAUTH_TOKEN); >> } >> return token; >> } >> >> @Override >> public String getAccessToken(HttpServletRequest request, String >> tokenName) { >> - return request.getParameter(tokenName); >> + return getQueryParameter(request, tokenName); >> + } >> + >> + /** >> + * A replacement for HttpServletRequest.getParameter() as it will mess >> up with HTTP POST body >> + * @param request >> + * @param name >> + * @return >> + */ >> + private String getQueryParameter(HttpServletRequest request, String >> name) { >> + String query = request.getQueryString(); >> + if (query == null) { >> + return null; >> + } >> + String[] params = query.split("&"); >> + for (String param : params) { >> + try { >> + param = URLDecoder.decode(param, "UTF-8"); >> + } catch (UnsupportedEncodingException e) { >> + // Ignore >> + } >> + int index = param.indexOf('='); >> + String key = param; >> + String value = null; >> + if (index != -1) { >> + key = param.substring(0, index); >> + value = param.substring(index + 1); >> + } >> + if (key.equals(name)) { >> + return value; >> + } >> + } >> + return null; >> } >> >> } >> >> >
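Review bot: In getQueryParameter, URLDecoder.decode(param, "UTF-8") runs on the whole name=value pair before the indexOf('=') split, so a percent-encoded '=' (%3D) in a parameter name is decoded first and then taken as the separator; a raw pair such as x%3Dy=z is read as key x with value y=z. Split each raw pair at the first '=' and decode the key and the value separately. The same decode call throws IllegalArgumentException on a malformed percent escape, which the catch for UnsupportedEncodingException does not cover, so a bad query string sends an unchecked exception out of getAccessToken; catch it and skip the pair, or reject the request. The loop also returns the first matching parameter and silently ignores later duplicates, which deserves an explicit decision given the stated goal that only one access token is used. The Javadoc @param and @return tags are empty and should be filled in or dropped.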
