I have a problem that has been plaguing me for several days now and was hoping someone had run across it before.
I have a provider implemented with Spring 3 & CXF 2.6.11. I have a consumer that's a standalone Java application making requests to the provider. The OAuth 1.0 Authorization headers on the client are being generated by OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod, uri);

So far so good. Everything works fine so long as there are no query parameters on the URL. So if the request URL is "http://foo.com/api/83382" then all is well. If the request URL is "http://foo.com/api/83382?scope=all" the signature validation on the provider fails.

After tracing through SimpleOAuthValidator.validateSignature(..) I found that the Authorization signature on the client is using the full URL with query parameters to generate the signature, but when SimpleOAuthValidator generates the base string for signature validation, the query parameters are not used (only the URI).

I was able to get the SimpleOAuthValidator to validate the signature created by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the "original" URI. But to do this I had to do some voodoo to get HttpServletRequest.getRequestURL() and append the httpServletRequest.getQueryString() to it. With this hack, the signature created by OAuthClientUtils will now be validated by SimpleOAuthValidator. Obviously, that can't possibly be "normal", right?

To make matters worse, I've had no luck whatsoever in getting a generic REST client (e.g. REST Console for Chrome) to successfully authorize a request against the provider. It fails with an oauth_problem: signature_invalid every single time.

I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).

Any help would be sincerely appreciated!

Thanks,
--Ian

--
View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357.html
Sent from the cxf-user mailing list archive at Nabble.com.
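For reference, an added example that is not part of the original post and is not CXF code: how RFC 5849 section 3.4.1 builds the signature base string for the URL in the question. The query is left out of the base string URI, but its parameters are merged into the normalized parameter list, so signer and verifier must both see them. The key, token, nonce, timestamp and secrets are constructed sample values, and the function names are hypothetical.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit, parse_qsl, quote

def enc(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string_uri(url):
    # Section 3.4.1.2: lowercase scheme/host, drop default port, no query or fragment
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and (u.scheme, u.port) not in (("http", 80), ("https", 443)):
        host += ":%d" % u.port
    return "%s://%s%s" % (u.scheme, host, u.path or "/")

def signature_base_string(method, url, oauth_params):
    # Section 3.4.1.3: query parameters join the oauth_* protocol parameters
    # (minus realm and oauth_signature); pairs are encoded, then sorted.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join("%s=%s" % p for p in pairs)
    return "&".join([method.upper(), enc(base_string_uri(url)), enc(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # Section 3.4.2: HMAC-SHA1 keyed with the two encoded secrets joined by "&"
    key = enc(consumer_secret) + "&" + enc(token_secret)
    base = signature_base_string(method, url, oauth_params)
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(method, url, oauth_params, consumer_secret, token_secret=""):
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Constructed sample request (values are illustrative only)
URL = "http://foo.com/api/83382?scope=all"
OAUTH = {"oauth_consumer_key": "ck", "oauth_nonce": "n1",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1400000000",
         "oauth_token": "tk", "oauth_version": "1.0"}

if __name__ == "__main__":
    signed = dict(OAUTH, oauth_signature=sign("GET", URL, OAUTH, "cs", "ts"))
    print(signature_base_string("GET", URL, OAUTH))
    print("verifier sees query:  ", verify("GET", URL, signed, "cs", "ts"))
    print("verifier drops query: ", verify("GET", URL.split("?")[0], signed, "cs", "ts"))
```

A verifier that rebuilds the base string from the path alone, without the `scope=all` pair, computes a different HMAC and reports a signature mismatch.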
