On May 9, 2012, at 4:50 PM, Raymond Feng wrote: > I don't see any issues as I use both query and header style.
at the same time? Antonio > > Raymond Feng > Sent from my iPhone > > On May 9, 2012, at 7:23 AM, Antonio Sanso <[email protected]> wrote: > >> Hi Raymond >> >> On May 2, 2012, at 5:23 PM, Raymond Feng wrote: >> >>> Hi, >>> >>> It's probably in the same area but not the same. My fix solves the issue >>> that the validator/extractor accidentally destructs the HTTP POST/PUT >>> payload when the Content-Type is application/x-www-form-urlencoded as the >>> HttpServletRequest's parameter related methods try to decode the parameters >>> from the body. >>> >>> For AMBER-15, there are two things to consider: >>> >>> 1) We need to make sure the list of parameter style validators/extractors >>> don't interfere with each other >>> 2) We also want to make sure that only one access token is used. >> >> so what you would do if more than style is used at the same time? At the >> moment an exception is thrown if I do not get wrong. >> >> Regards >> >> Antonio >> >> >>> >>> The current seems to be fine even though we try to construct the exception >>> instances. I tested Query/Header styles but not the body one. >>> >>> Do we have a test case showing the problem? >>> >>> Thanks, >>> Raymond >>> >>> On May 2, 2012, at 8:12 AM, Antonio Sanso wrote: >>> >>>> Good stuff Raymond. >>>> >>>> Does this fix/is related to AMBER-15? 
>>>> >>>> Thanks >>>> >>>> Antonio >>>> >>>> On May 1, 2012, at 5:34 AM, <[email protected]> <[email protected]> wrote: >>>> >>>>> Author: rfeng >>>>> Date: Tue May 1 03:34:41 2012 >>>>> New Revision: 1332515 >>>>> >>>>> URL: http://svn.apache.org/viewvc?rev=1332515&view=rev >>>>> Log: >>>>> Fix the code to not mess up with HTTP POST body >>>>> >>>>> Modified: >>>>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >>>>> >>>>> Modified: >>>>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >>>>> URL: >>>>> http://svn.apache.org/viewvc/incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java?rev=1332515&r1=1332514&r2=1332515&view=diff >>>>> ============================================================================== >>>>> --- >>>>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >>>>> (original) >>>>> +++ >>>>> incubator/amber/trunk/oauth-2.0/oauth2-resourceserver/src/main/java/org/apache/amber/oauth2/rs/extractor/BearerQueryTokenExtractor.java >>>>> Tue May 1 03:34:41 2012 >>>>> @@ -21,6 +21,9 @@ >>>>> >>>>> package org.apache.amber.oauth2.rs.extractor; >>>>> >>>>> +import java.io.UnsupportedEncodingException; >>>>> +import java.net.URLDecoder; >>>>> + >>>>> import javax.servlet.http.HttpServletRequest; >>>>> >>>>> import org.apache.amber.oauth2.common.OAuth; 
>>>>> @@ -34,16 +37,48 @@ public class BearerQueryTokenExtractor i >>>>> >>>>> @Override >>>>> public String getAccessToken(HttpServletRequest request) { >>>>> - String token = request.getParameter(OAuth.OAUTH_BEARER_TOKEN); >>>>> + String token = getQueryParameter(request, >>>>> OAuth.OAUTH_BEARER_TOKEN); >>>>> if (token == null) { >>>>> - token = request.getParameter(OAuth.OAUTH_TOKEN); >>>>> + token = getQueryParameter(request, OAuth.OAUTH_TOKEN); >>>>> } >>>>> return token; >>>>> } >>>>> >>>>> @Override >>>>> public String getAccessToken(HttpServletRequest request, String >>>>> tokenName) { >>>>> - return request.getParameter(tokenName); >>>>> + return getQueryParameter(request, tokenName); >>>>> + } >>>>> + >>>>> + /** >>>>> + * A replacement for HttpServletRequest.getParameter() as it will >>>>> mess up with HTTP POST body >>>>> + * @param request >>>>> + * @param name >>>>> + * @return >>>>> + */ >>>>> + private String getQueryParameter(HttpServletRequest request, String >>>>> name) { >>>>> + String query = request.getQueryString(); >>>>> + if (query == null) { >>>>> + return null; >>>>> + } >>>>> + String[] params = query.split("&"); >>>>> + for (String param : params) { >>>>> + try { >>>>> + param = URLDecoder.decode(param, "UTF-8"); >>>>> + } catch (UnsupportedEncodingException e) { >>>>> + // Ignore >>>>> + } >>>>> + int index = param.indexOf('='); >>>>> + String key = param; >>>>> + String value = null; >>>>> + if (index != -1) { >>>>> + key = param.substring(0, index); >>>>> + value = param.substring(index + 1); >>>>> + } >>>>> + if (key.equals(name)) { >>>>> + return value; >>>>> + } >>>>> + } >>>>> + return null; >>>>> } >>>>> >>>>> } >>>>> >>>>> >>>> >>> >>
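Review bot: In the added getQueryParameter, each `name=value` pair is URL-decoded before it is split on `=`, so a percent-encoded `%3D` inside a key or value moves the split and the method can return a different token than the container's own parsing of the same query string would; decoding belongs after the split, applied to the key and the value separately, which is how servlet containers parse the query string. The `catch (UnsupportedEncodingException e) { // Ignore }` leaves param undecoded and carries on silently; UTF-8 is a mandatory charset, so rethrowing as an IllegalStateException is the honest outcome. The first matching key wins, so a query carrying two token parameters quietly selects one of them, which appears to be the same concern the thread raises about accepting only one access token. The Javadoc's bare `@param`/`@return` tags could read `@return the decoded parameter value, or null if the parameter is absent (an empty string if it has no value)`. The rewritten loop body is below; the method's null check and surrounding class are unchanged.

```java
private String getQueryParameter(HttpServletRequest request, String name) {
    String query = request.getQueryString();
    // … unchanged: null check on query …
    for (String param : query.split("&")) {
        // Split on the raw text first so an encoded '=' (%3D) cannot move the key/value boundary.
        int index = param.indexOf('=');
        String key = index == -1 ? param : param.substring(0, index);
        String value = index == -1 ? null : param.substring(index + 1);
        try {
            key = URLDecoder.decode(key, "UTF-8");
            if (value != null) {
                value = URLDecoder.decode(value, "UTF-8");
            }
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; its absence is a broken runtime, not something to skip over.
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
        if (key.equals(name)) {
            return value;
        }
    }
    return null;
}
```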
