You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2014/04/01 13:00:16 UTC

[jira] [Commented] (CXF-5569) OAuth AbstractAuthFilter and query parameters used for signing

    [ https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13956384#comment-13956384 ] 

Sergey Beryozkin commented on CXF-5569:
---------------------------------------

Jason, I've decided to keep the flag for now restricting it to the well known parameters. I guess you were right in mentioning CXF OAuth1 implementation was kind of caught in between conflicting requirements. 
However I'd like to avoid possibly working clients starting breaking by auto-enabling the support for all the parameters: there must've been a reason why I ended up adding this request wrapper blocking unrecognized parameters - that was either due to the client I was experimenting with did not calculate the signature correctly itself or because there were  some unexpected parameters 'leaking', I don't recall right now. I know a number of users are working with CXF OAuth1, it may work for them because  the client code does not use the query parameters or again, may be because the software they use does not take the query parameters into the signature calculation.
So, IMHO, it is safer to introduce a flag, and let users enable it if needed - it is an extra piece of work but hopefully not a major one :-)

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
>                 Key: CXF-5569
>                 URL: https://issues.apache.org/jira/browse/CXF-5569
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are only those included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks are though ALL parameters should be considered for signature generation.
> To support both backwards compatibility, can I suggest exposing the ALLOWED_OAUTH_PARAMETERS to subclasses (either directly or via getter/setters) along with a flag that can be set to automatically include any and all parameters?



--
This message was sent by Atlassian JIRA
(v6.2#6252)