You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oltu.apache.org by "Stein Welberg (JIRA)" <ji...@apache.org> on 2013/05/15 23:39:16 UTC
[jira] [Commented] (OLTU-12) [oauth2-resourceserver] resource
access validation always fails if there is more than one parameter style
defined
[ https://issues.apache.org/jira/browse/OLTU-12?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13658854#comment-13658854 ]
Stein Welberg commented on OLTU-12:
-----------------------------------
Antonio, we could try to send Ben Noordhuis an Email to see whether he may have the patch laying around somewhere.
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
> Key: OLTU-12
> URL: https://issues.apache.org/jira/browse/OLTU-12
> Project: Apache Oltu
> Issue Type: Bug
> Reporter: Ben Noordhuis
> Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira