When using this library you can use an OAuthValidator implementation, like
SimpleOAuthValidator, to check the signature, timestamp, & nonce. An
example of it being used can be found in the EchoServlet on line 52
"SampleOAuthProvider.VALIDATOR.validateMessage(requestMessage, accessor);"
[1]. More specifically the SimpleOAuthValidator.validateSignature method
checks the signature [2]. You can see the validation fail if you hit the
servlet without the OAuth parameters/headers at /echo (i.e.,
http://localhost:8080/oauth-provider/echo). An HTTP 401 will be returned
indicating you are unauthorized. Of course this is just an example, and you
will likely need to change some things for a production environment. For
example, nonces are kept track of in memory, which is probably not advisable.

Another example that you might take a look at, if you haven't already, is
the OAuth Spring Security extension's example applications [3]. If you are
not already familiar with Spring and Spring Security it may take some time
to figure out what is going on though.

PS: You probably already know this but better to be safe than sorry. I
noticed the link you referenced points to version 1.0 of the specification.
A security vulnerability has been fixed in the 1.0a version of the
specification [4], so you will likely want to use that version.

[1]
http://www.google.com/codesearch/p?hl=en&sa=N&cd=2&ct=rc#CgbtcNIPOZo/code/branches/balfanz/body-signatures/java/example/oauth-provider/src/net/oauth/example/provider/servlets/EchoServlet.java&q=EchoServlet&exact_package=http://oauth.googlecode.com/svn&l=52

[2]
http://www.google.com/codesearch/p?hl=en&sa=N&cd=6&ct=rc#CgbtcNIPOZo/code/branches/jmkristian-2009-04/java/core/commons/src/main/java/net/oauth/SimpleOAuthValidator.java&q=SimpleOauthValidator&exact_package=http://oauth.googlecode.com/svn&l=161

[3] http://spring-security-oauth.codehaus.org/tutorial.html

[4] http://oauth.net/core/1.0a

Regards,
Rob


On Tue, Oct 13, 2009 at 1:31 AM, Anuradha Thota <anuradha.th...@gmail.com> wrote:

>
> Yes, I have seen this example. I do not see the signature verification
> process anywhere. According to http://oauth.net/core/1.0, the Service
> Provider verifies the request by generating a new request signature
> octet string, and comparing it to the signature provided by the
> Consumer. Could you please provide help on this?
> I am sending an authorization header from my consumer. What exactly has to
> be done with this consumer auth header/signature at the service
> provider side?
> Thanks,
> Anuradha
> >
>
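
What the provider-side check discussed in this thread amounts to for HMAC-SHA1, as an added example that is not part of the original messages and is not the net.oauth library's code: rebuild the signature base string from the received request, recompute the signature, and compare it with oauth_signature. The class name, keys, secrets and parameter values are constructed; it assumes an already normalized URL and no repeated parameter names, and it leaves out the timestamp and nonce checks.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration (JDK only, not the net.oauth library); all names and values are constructed.
public class SignatureCheckExample {
    // OAuth percent-encoding: every byte except ALPHA, DIGIT, '-', '.', '_', '~' becomes %XX.
    static String enc(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = c < 128 && (Character.isLetterOrDigit(c) || "-._~".indexOf(c) >= 0);
            sb.append(unreserved ? String.valueOf((char) c) : String.format("%%%02X", c));
        }
        return sb.toString();
    }
    // Base string: METHOD & encoded URL & encoded, name-sorted parameters (oauth_signature excluded).
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet())
            if (!e.getKey().equals("oauth_signature")) sorted.put(enc(e.getKey()), enc(e.getValue()));
        StringJoiner joined = new StringJoiner("&");
        sorted.forEach((k, v) -> joined.add(k + "=" + v));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(joined.toString());
    }
    // HMAC-SHA1 keyed with "consumerSecret&tokenSecret", result base64-encoded.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }
    // Provider side: recompute from the received request and compare in constant time.
    static boolean verify(String method, String url, Map<String, String> p, String cs, String ts) throws Exception {
        byte[] expected = sign(baseString(method, url, p), cs, ts).getBytes(StandardCharsets.UTF_8);
        byte[] supplied = p.getOrDefault("oauth_signature", "").getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, supplied);
    }
    public static void main(String[] args) throws Exception {
        String url = "http://localhost:8080/oauth-provider/echo", cs = "constructed-cs", ts = "constructed-ts";
        Map<String, String> p = new HashMap<>(Map.of("oauth_consumer_key", "constructed-key", "oauth_token",
            "constructed-token", "oauth_signature_method", "HMAC-SHA1", "oauth_timestamp", "1255400000",
            "oauth_nonce", "constructed-nonce", "msg", "hello world"));
        p.put("oauth_signature", sign(baseString("GET", url, p), cs, ts)); // what the consumer sends
        System.out.println("unmodified request valid: " + verify("GET", url, p, cs, ts));
        p.put("msg", "tampered"); // parameter changed in transit, signature left as it was
        System.out.println("tampered request valid: " + verify("GET", url, p, cs, ts));
    }
}
```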
