Dang, I totally flaked on that one. Sorry. :) Thank you for the link.

So SigningFetcher is making sure that a makeRequest doesn't try to pass in any special oauth/opensocial parameters:

   return (!(canonParamName.startsWith("oauth") ||
        canonParamName.startsWith("xoauth") ||
        canonParamName.startsWith("opensocial")) &&

But then it goes extra anal and doesn't allow any parameters that it doesn't like:

        ALLOWED_PARAM_NAME.matcher(canonParamName).matches());

where:

protected static final Pattern ALLOWED_PARAM_NAME = Pattern.compile("[\\w_\\-]+");


Is there any real reason to restrict the parameter names beyond oauth/opensocial? Should I just submit the patch to remove the ALLOWED_PARAM_NAME checking altogether?




Brian Eaton wrote:
I would look at it, but where is this "SigningFetcher" you speak of? :)

It's in Shindig, not java OAuth.

http://svn.apache.org/repos/asf/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/SigningFetcher.java

So you're saying that it should behave like Java OAuth?  Why don't you use Java OAuth in the first place?

We do.  Signed fetch is a concept invented for opensocial, built on
top of the OAuth signature specification.  SigningFetcher adds
opensocial specific stuff on top of the base OAuth java libs.

Cheers,
Brian
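
Added example, not part of the original thread and not Shindig's own code: the two quoted fragments joined into one check and run over constructed parameter names, to show which names the reserved-prefix test rejects and which only the ALLOWED_PARAM_NAME pattern rejects. The lowercase canonicalization in `canon` and the class and helper names are assumptions; the thread does not show how `canonParamName` is derived.

```java
import java.util.Locale;
import java.util.regex.Pattern;

public class ParamNameCheckDemo {
    // Pattern as quoted in the message above.
    static final Pattern ALLOWED_PARAM_NAME = Pattern.compile("[\\w_\\-]+");

    // Assumption: canonicalization is a lowercase fold (not shown in the thread).
    static String canon(String paramName) {
        return paramName.toLowerCase(Locale.ROOT);
    }

    // Prefixes reserved for the container's own signed parameters.
    static boolean hasReservedPrefix(String canonParamName) {
        return canonParamName.startsWith("oauth")
            || canonParamName.startsWith("xoauth")
            || canonParamName.startsWith("opensocial");
    }

    // The boolean expression from the two quoted fragments, joined.
    static boolean allowParam(String paramName) {
        String canonParamName = canon(paramName);
        return !hasReservedPrefix(canonParamName)
            && ALLOWED_PARAM_NAME.matcher(canonParamName).matches();
    }

    // Reports which half of the check decided the outcome.
    static String explain(String paramName) {
        String c = canon(paramName);
        if (hasReservedPrefix(c)) return "rejected: reserved prefix";
        if (!ALLOWED_PARAM_NAME.matcher(c).matches()) return "rejected: fails ALLOWED_PARAM_NAME";
        return "allowed";
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from Shindig or any real gadget.
        String[] samples = {
            "q", "page-size", "user_id",                            // plain names
            "oauth_token", "OpenSocial_viewer_id", "xoauth_example", // reserved prefixes
            "user.name", "items[]", "filter:lang", ""               // outside [\w_\-]+
        };
        for (String s : samples) {
            System.out.printf("%-24s %s%n", "\"" + s + "\"", explain(s));
        }
    }
}
```

Names such as `user.name` and `items[]` carry no reserved prefix and are rejected only by the pattern, which is the behaviour the question above is about.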
