[
https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13955371#comment-13955371
]
Sergey Beryozkin commented on CXF-5569:
---------------------------------------
As I said earlier, ALLOWED_OAUTH_PARAMETERS do not interfere in the signature
validation process, unless the server side filters sitting in front of the move
the form parameters into the servlet parameter maps.
You keep saying that CXF does not work right in this case: please provide the
test case if you do believe it is the case.
> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
> Key: CXF-5569
> URL: https://issues.apache.org/jira/browse/CXF-5569
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 2.7.10
> Reporter: Jason Klapste
> Assignee: Sergey Beryozkin
> Priority: Minor
> Fix For: 3.0.0-milestone2, 2.7.11
>
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are
> only those included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks are though ALL parameters
> should be considered for signature generation.
> To support both backwards compatibility, can I suggest exposing the
> ALLOWED_OAUTH_PARAMETERS to subclasses (either directly or via
> getter/setters) along with a flag that can be set to automatically include
> any and all parameters?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
