[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

["sndyuk (Updated) (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sndyuk updated AMBER-15:
------------------------

    Attachment: amber15.patch

patches for the issue.
                
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira