Posted to commits@shindig.apache.org by li...@apache.org on 2010/05/04 21:45:28 UTC
svn commit: r941010 - in /shindig/trunk/java: common/conf/
gadgets/src/main/java/org/apache/shindig/gadgets/oauth/
gadgets/src/test/java/org/apache/shindig/gadgets/oauth/
server/src/main/webapp/WEB-INF/
social-api/src/main/java/org/apache/shindig/socia...
Author: lindner
Date: Tue May 4 19:45:28 2010
New Revision: 941010
URL: http://svn.apache.org/viewvc?rev=941010&view=rev
Log:
remove non 1.0a functionality
Modified:
shindig/trunk/java/common/conf/shindig.properties
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java
shindig/trunk/java/server/src/main/webapp/WEB-INF/authorize.jsp
shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleOAuthServlet.java
Modified: shindig/trunk/java/common/conf/shindig.properties
URL: http://svn.apache.org/viewvc/shindig/trunk/java/common/conf/shindig.properties?rev=941010&r1=941009&r2=941010&view=diff
==============================================================================
--- shindig/trunk/java/common/conf/shindig.properties (original)
+++ shindig/trunk/java/common/conf/shindig.properties Tue May 4 19:45:28 2010
@@ -29,8 +29,6 @@ shindig.blacklist.file=
shindig.oauth.base-url=/oauth/
shindig.oauth.authorize-action=/WEB-INF/authorize.jsp
shindig.oauth.legacy-body-signing=true
-shindig.oauth.enable-oauth-1.0=true
-shindig.oauth.enable-signed-callbacks=true
### Outbound OAuth support
shindig.signing.state-key=
Modified: shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java?rev=941010&r1=941009&r2=941010&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java (original)
+++ shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java Tue May 4 19:45:28 2010
@@ -81,18 +81,15 @@ import org.apache.shindig.gadgets.servle
*/
public class GadgetOAuthCallbackGenerator implements OAuthCallbackGenerator {
- private final boolean enableSignedCallbacks;
private final Processor processor;
private final LockedDomainService lockedDomainService;
private final UrlGenerator urlGenerator;
private final BlobCrypter stateCrypter;
@Inject
- public GadgetOAuthCallbackGenerator(@Named("shindig.signing.enable-signed-callbacks")
- boolean enableSignedCallbacks, Processor processor, LockedDomainService lockedDomainService,
+ public GadgetOAuthCallbackGenerator(Processor processor, LockedDomainService lockedDomainService,
UrlGenerator urlGenerator, @Named(OAuthFetcherConfig.OAUTH_STATE_CRYPTER)
BlobCrypter stateCrypter) {
- this.enableSignedCallbacks = enableSignedCallbacks;
this.processor = processor;
this.lockedDomainService = lockedDomainService;
this.urlGenerator = urlGenerator;
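Review bot: The binding dropped from the constructor is named `shindig.signing.enable-signed-callbacks`, but the shindig.properties hunk in this commit deletes only `shindig.oauth.enable-oauth-1.0` and `shindig.oauth.enable-signed-callbacks`. If a `shindig.signing.enable-signed-callbacks` entry exists elsewhere in the properties file (not visible here), it is now dead configuration that suggests signed callbacks can still be switched off, and it should be removed in the same change. The class Javadoc ends just above the hunk, so it is worth checking that it no longer describes the flag. With the guard gone in the next hunk, `generateCallback` always runs the gadget-render and domain checks, which a one-line note in its Javadoc could state.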
@@ -101,9 +98,6 @@ public class GadgetOAuthCallbackGenerato
public String generateCallback(OAuthFetcherConfig fetcherConfig, String baseCallback,
HttpRequest request, OAuthResponseParams responseParams) throws OAuthRequestException {
- if (!enableSignedCallbacks) {
- return null;
- }
Uri activeUrl = checkGadgetCanRender(request.getSecurityToken(),
request.getOAuthArguments(), responseParams);
String gadgetDomainCallback = getGadgetDomainCallback(request.getSecurityToken(), activeUrl);
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java?rev=941010&r1=941009&r2=941010&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java Tue May 4 19:45:28 2010
@@ -74,18 +74,11 @@ public class GadgetOAuthCallbackGenerato
}
private GadgetOAuthCallbackGenerator getGenerator() {
- return new GadgetOAuthCallbackGenerator(true, processor, lockedDomainService, urlGenerator,
+ return new GadgetOAuthCallbackGenerator(processor, lockedDomainService, urlGenerator,
stateCrypter);
}
@Test
- public void testDisabled() throws Exception {
- GadgetOAuthCallbackGenerator generator = new GadgetOAuthCallbackGenerator(false, null, null,
- null, null);
- assertNull(generator.generateCallback(null, null, null, null));
- }
-
- @Test
public void testWrongDomain() throws Exception {
HttpRequest request = new HttpRequest(DEST_URL);
request.setSecurityToken(securityToken);
Modified: shindig/trunk/java/server/src/main/webapp/WEB-INF/authorize.jsp
URL: http://svn.apache.org/viewvc/shindig/trunk/java/server/src/main/webapp/WEB-INF/authorize.jsp?rev=941010&r1=941009&r2=941010&view=diff
==============================================================================
--- shindig/trunk/java/server/src/main/webapp/WEB-INF/authorize.jsp (original)
+++ shindig/trunk/java/server/src/main/webapp/WEB-INF/authorize.jsp Tue May 4 19:45:28 2010
@@ -71,17 +71,9 @@ The following application wants to acces
<img src="${appThumbnail}" align="left" width="120" height="60"/>
<c:out value="${appDesc}" default=""/>
<br/>
-<c:if test="${SECURITY_THREAT_2009_1}">
- <font color="red"><b>POSSIBLE SECURITY RISK</b> -
- Deny this request unless you directly initiated it from the Official
- <i><c:out value="${appTitle}"/></i> web site
- </font>
-</c:if>
<form name="authZForm" action="authorize" method="POST">
<input type="hidden" name="oauth_token" value="<%= token %>"/>
- <input type="hidden" name="oauth_callback" value="<%=
- (callback != null ? URLEncoder.encode(callback, "UTF-8") : "") %>"/>
<input type="submit" name="Authorize" value="Deny"/>
<input type="submit" name="Authorize" value="Authorize"/>
</form>
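Review bot: `<%= token %>` in the `oauth_token` hidden field is written into the attribute without HTML escaping, while the neighbouring values on this page go through `<c:out>`. Where `token` is assigned is outside the hunk, so whether it can ever contain markup characters is not visible; escaping at output keeps the page safe either way, for example `value="<c:out value="<%= token %>"/>"` if the page's core taglib accepts runtime expressions. The form as shown also carries no anti-forgery field, so it should be confirmed that the POST to `authorize` is protected against cross-site submission elsewhere.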
Modified: shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleOAuthServlet.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleOAuthServlet.java?rev=941010&r1=941009&r2=941010&view=diff
==============================================================================
--- shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleOAuthServlet.java (original)
+++ shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleOAuthServlet.java Tue May 4 19:45:28 2010
@@ -60,15 +60,6 @@ public class SampleOAuthServlet extends
@Inject void setAuthorizeAction(@Named("shindig.oauth.authorize-action") String authorizeAction) {
this.oauthAuthorizeAction = authorizeAction;
}
-
- @Inject void setSupportOAuth10(@Named("shindig.oauth.enable-oauth-1.0") boolean enableOAuth10) {
- this.enableOAuth10 = enableOAuth10;
- }
-
- @Inject void setSupportSignedCallbacks(@Named("shindig.oauth.enable-signed-callbacks")
- boolean enableSignedCallbacks) {
- this.enableSignedCallbacks = enableSignedCallbacks;
- }
@Override
protected void doPost(HttpServletRequest servletRequest,
@@ -120,16 +111,16 @@ public class SampleOAuthServlet extends
OAuthAccessor accessor = new OAuthAccessor(consumer);
VALIDATOR.validateMessage(requestMessage, accessor);
- String callback = null;
- if (enableSignedCallbacks) {
- callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK);
+ String callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK);
+
+ if (callback == null) {
+ // see if the consumer has a callback
+ callback = consumer.callbackURL;
}
- if (callback == null && !enableOAuth10) {
- OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
- e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CALLBACK);
- throw e;
+ if (callback == null) {
+ callback = "oob";
}
-
+
// generate request_token and secret
OAuthEntry entry = dataStore.generateRequestToken(consumerKey,
requestMessage.getParameter(OAuth.OAUTH_VERSION), callback);
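Review bot: An `oauth_callback` that is present but empty skips both fallbacks, because the new checks test only `callback == null`; the empty string is then handed to `dataStore.generateRequestToken` as the stored callback. Treating empty like absent would be `if (callback == null || callback.length() == 0) {` on the first check. In the lines shown the request-supplied value is also stored without checking that it is either `oob` or an absolute http/https URL, which is worth validating here since it presumably decides later where the user is sent. The enclosing method starts and ends outside the hunk.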
@@ -169,22 +160,6 @@ public class SampleOAuthServlet extends
servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "consumer for entry not found");
return;
}
-
- // A flag to deal with protocol flaws in OAuth/1.0
- Boolean securityThreat_2009_1 = !entry.callbackUrlSigned;
-
- // Check for a callback in the oauth entry
- String callback = entry.callbackUrl;
-
- if (callback == null) {
- // see if there's a callback in the url params
- callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK);
- }
-
- if (callback == null) {
- // see if the consumer has a callback
- callback = consumer.callbackURL;
- }
// The token is disabled if you try to convert to an access token prior to authorization
if (entry.type == OAuthEntry.Type.DISABLED) {
@@ -192,6 +167,8 @@ public class SampleOAuthServlet extends
return;
}
+ String callback = entry.callbackUrl;
+
// Redirect to a UI flow if the token is not authorized
if (!entry.authorized) {
// TBD -- need to decode encrypted payload somehow..
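Review bot: `callback` is now taken only from `entry.callbackUrl`, so it can be the literal `oob` set at request-token time, or null if the data store did not persist a callback (the removed code fell back to the request parameter and `consumer.callbackURL`). The code that consumes `callback` is outside this hunk, so it should be confirmed that it never builds a redirect from `oob` or null. A short comment at the declaration would help, for example `// callback fixed at request-token time (1.0a); may be "oob"`.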
@@ -208,8 +185,7 @@ public class SampleOAuthServlet extends
servletRequest.setAttribute("TOKEN", entry.token);
servletRequest.setAttribute("CONSUMER", consumer);
- servletRequest.setAttribute("SECURITY_THREAT_2009_1", securityThreat_2009_1);
-
+
servletRequest.getRequestDispatcher(oauthAuthorizeAction).forward(servletRequest,servletResponse);
}
return;