Hi,
When I use Restlet (Actually Noelios) OAuth together with the OAuth lib from
Netflix, there's an inconsistency in handling OAuth and non-OAuth parameters,
and it causes an invalid signature exception later on in
Noelios OAuthHelper saves all parameters (OAuth and query parameters, for
example) into its OAuthMessage's attributes.
See the code snippet from OAuthHelper.java:
    // Query parameters.
    for (final org.restlet.data.Parameter p : request.getResourceRef()
            .getQueryAsForm()) {
        parameters.add(new OAuth.Parameter(p.getName(), p.getValue()));
    }
However, in Netflix's OAuthSignatureMethod class, in the function "validate",
the signature of the base string is calculated from both the OAuthMessage
attributes PLUS the request parameters. See the code snippet in the function
"getBaseString(OAuthMessage message)":
    parameters = new ArrayList<Map.Entry<String, String>>();
    parameters.addAll(OAuth.decodeForm(message.URL.substring(q + 1)));
    //!!! here we got duplicated query parameters !!!
    parameters.addAll(message.getParameters());
------
So my fix to this problem in OAuthGuard is to use my own "genMessage" function
to replace the one at:
    // old
    final OAuthMessage requestMessage = OAuthHelper.getMessage(request);
    // mine
    final OAuthMessage requestMessage = _getMessage(request); // my implementation,
    // basically I just commented out a few lines of code where query parameters are
    // involved.
I am not 100% sure my hack is correct or will cause any other side-effect to
the Restlet 1.* OAuth extension.
BRs,
Yu
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2444857
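
The effect described in the message above, as an added example that is not part of the original post and is not code from Restlet or the Netflix OAuth library: a standalone OAuth 1.0 HMAC-SHA1 base-string computation showing that counting the query parameters twice changes the base string, so the verifier's signature no longer matches the signer's. The class name, URL, keys, secrets and parameter values are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DuplicateQueryParamDemo {
    // Percent-encoding as OAuth 1.0 requires; URLEncoder differs for ' ', '*' and '~'.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    static String[] p(String name, String value) { return new String[] {name, value}; }

    // Base string: METHOD & encoded URL without query & encoded, sorted parameter list.
    static String baseString(String method, String url, List<String[]> params) {
        List<String[]> e = new ArrayList<>();
        for (String[] kv : params) e.add(p(enc(kv[0]), enc(kv[1])));
        e.sort(Comparator.comparing((String[] kv) -> kv[0]).thenComparing(kv -> kv[1]));
        StringJoiner joined = new StringJoiner("&");
        for (String[] kv : e) joined.add(kv[0] + "=" + kv[1]);
        return method + "&" + enc(url) + "&" + enc(joined.toString());
    }

    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: GET http://example.com/photos?size=large (all values are samples).
        String url = "http://example.com/photos";
        List<String[]> query = Collections.singletonList(p("size", "large"));
        List<String[]> once = new ArrayList<>(List.of(
                p("oauth_consumer_key", "demo-key"), p("oauth_nonce", "abc123"),
                p("oauth_signature_method", "HMAC-SHA1"), p("oauth_timestamp", "1250000000")));
        once.addAll(query);                          // signer: each parameter counted once
        List<String[]> twice = new ArrayList<>(once);
        twice.addAll(query);                         // verifier: query from URL plus message copy

        String sent = sign(baseString("GET", url, once), "demo-secret", "");
        String checked = sign(baseString("GET", url, twice), "demo-secret", "");
        System.out.println("signer base:   " + baseString("GET", url, once));
        System.out.println("verifier base: " + baseString("GET", url, twice));
        System.out.println("signatures match: " + sent.equals(checked));
    }
}
```

Printing both base strings side by side is also a quick way to diagnose any signature mismatch between two OAuth 1.0 implementations, since the first differing character shows which parameter is handled differently.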