[ https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13956384#comment-13956384 ]

Sergey Beryozkin commented on CXF-5569:
---------------------------------------

Jason, I've decided to keep the flag for now, restricting it to the well known 
parameters. I guess you were right in mentioning that the CXF OAuth1 implementation was 
kind of caught in between conflicting requirements. 
However, I'd like to avoid having possibly working clients start breaking by 
auto-enabling the support for all the parameters: there must've been a reason 
why I ended up adding this request wrapper blocking unrecognized parameters - 
that was either because the client I was experimenting with did not calculate 
the signature correctly itself or because there were some unexpected 
parameters 'leaking'; I don't recall right now. I know a number of users are 
working with CXF OAuth1; it may work for them because the client code does not 
use the query parameters or, again, maybe because the software they use does 
not take the query parameters into the signature calculation.
So, IMHO, it is safer to introduce a flag and let users enable it if needed - 
it is an extra piece of work but hopefully not a major one :-)

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
>                 Key: CXF-5569
>                 URL: https://issues.apache.org/jira/browse/CXF-5569
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are 
> only those included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks as though ALL parameters 
> should be considered for signature generation.
> To support backwards compatibility, can I suggest exposing the 
> ALLOWED_OAUTH_PARAMETERS to subclasses (either directly or via 
> getters/setters) along with a flag that can be set to automatically include 
> any and all parameters?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
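An added example, not CXF code, of the RFC 5849 signature base string construction the report refers to. It shows why a verifier that only admits the oauth_* parameters rejects a signature a client computed over the query string as well; the request values, the secrets and the OAUTH_PARAMS allow-list are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# oauth_* protocol parameters an allow-list verifier would admit. Constructed
# for this example; it is not CXF's actual ALLOWED_OAUTH_PARAMETERS set.
OAUTH_PARAMS = {"oauth_consumer_key", "oauth_token", "oauth_signature_method",
                "oauth_timestamp", "oauth_nonce", "oauth_version",
                "oauth_callback", "oauth_verifier"}

def enc(s):
    """RFC 5849 section 3.6 percent-encoding (only RFC 3986 unreserved kept)."""
    return quote(str(s), safe="-._~")

def base_string(method, url, header_params, all_params=True):
    """RFC 5849 section 3.4.1 signature base string. Parameters come from the
    Authorization header and the query string (oauth_signature excluded).
    all_params=False mimics a verifier that drops everything but oauth_*."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port not in (80, 443):    # default ports are omitted
        host += f":{p.port}"
    base_url = f"{p.scheme.lower()}://{host}{p.path}"
    params = [(k, v) for k, v in list(header_params) + parse_qsl(p.query, keep_blank_values=True)
              if k not in ("oauth_signature", "realm")]
    if not all_params:
        params = [(k, v) for k, v in params if k in OAUTH_PARAMS]
    # section 3.4.1.3.2: encode first, then sort by name and value, then join
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in params))
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature (section 3.4.2), base64 encoded."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(method, url, header_params, signature, consumer_secret, token_secret="", all_params=True):
    """Recompute the signature on the server side and compare in constant time."""
    expected = sign(base_string(method, url, header_params, all_params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed request: the client signs over the query parameters as the RFC requires.
URL = "http://api.example.com/photos?size=original&file=vacation.jpg"
HEADER = [("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
          ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
          ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]
CLIENT_SIG = sign(base_string("GET", URL, HEADER), "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")

def demo():
    """Returns (accepted by an RFC-conformant verifier, accepted by an oauth_*-only verifier)."""
    return (verify("GET", URL, HEADER, CLIENT_SIG, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", True),
            verify("GET", URL, HEADER, CLIENT_SIG, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", False))
```

The second result is the failure mode the report describes: the client and server build different base strings, so a perfectly valid signature is rejected until the server includes the query parameters too.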