[oauth] Re: new to oauth

2009-10-13 Thread Anuradha Thota

Yes I have seen this example. I do not see signature verification
process anywhere. According to http://oauth.net/core/1.0, the Service
Provider verifies the request by generating a new request signature
octet string, and comparing it to the signature provided by the
Consumer. Could you please provide help on this?
I am sending authorization header from my consumer. What exactly has to
be done with this consumer auth header/signature at the service
provider side?
Thanks,
Anuradha
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---



[oauth] Re: new to oauth

2009-10-13 Thread John Kristian

OAuthAccessor.accessToken should be initialized to null, not  (to
indicate that the consumer has not yet obtained a valid access token).

The example oauth-provider validates requests like this:

  SampleOAuthProvider.VALIDATOR.validateMessage(requestMessage, accessor);

It calls SimpleOAuthValidator.validateSignature, which calls
OAuthSignatureMethod.validate, which should call HMAC_SHA1.isValid.

On Oct 12, 11:31 pm, Anuradha Thota anuradha.th...@gmail.com wrote:
> Yes I have seen this example. I do not see signature verification
> process anywhere. According to http://oauth.net/core/1.0, the Service
> Provider verifies the request by generating a new request signature
> octet string, and comparing it to the signature provided by the
> Consumer. Could you please provide help on this?




[oauth] Re: new to oauth

2009-10-13 Thread Robert Winch

When using this library you can use an OAuthValidator implementation, like
SimpleOAuthValidator, to check the signature, timestamp, and nonce. An
example of it being used can be found in the EchoServlet on line 52
SampleOAuthProvider.VALIDATOR.validateMessage(requestMessage, accessor);
[1]. More specifically the SimpleOAuthValidator.validateSignature method
checks the signature [2]. You can see the validation fail if you hit the
servlet without the OAuth parameters/headers at /echo (i.e.
http://localhost:8080/oauth-provider/echo). An HTTP 401 will be returned
indicating you are unauthorized. Of course this is just an example, and you
will likely need to change some things for a production environment. For
example nonces are kept track of in memory which is probably not advisable.

Another example that you might take a look at, if you haven't already, is
the OAuth Spring Security extension's example applications [3]. If you are
not already familiar with Spring and Spring Security it may take some time
to figure out what is going on though.

PS: You probably already know this but better to be safe than sorry. I
noticed the link you referenced points to version 1.0 of the specification.
A security vulnerability has been fixed in the 1.0a version of the
specification [4], so you will likely want to use that version.

[1]
http://www.google.com/codesearch/p?hl=ensa=Ncd=2ct=rc#CgbtcNIPOZo/code/branches/balfanz/body-signatures/java/example/oauth-provider/src/net/oauth/example/provider/servlets/EchoServlet.javaq=EchoServletexact_package=http://oauth.googlecode.com/svnl=52

[2]
http://www.google.com/codesearch/p?hl=ensa=Ncd=6ct=rc#CgbtcNIPOZo/code/branches/jmkristian-2009-04/java/core/commons/src/main/java/net/oauth/SimpleOAuthValidator.javaq=SimpleOauthValidatorexact_package=http://oauth.googlecode.com/svnl=161

[3] http://spring-security-oauth.codehaus.org/tutorial.html

[4] http://oauth.net/core/1.0a

Regards,
Rob


On Tue, Oct 13, 2009 at 1:31 AM, Anuradha Thota anuradha.th...@gmail.com wrote:

> Yes I have seen this example. I do not see signature verification
> process anywhere. According to http://oauth.net/core/1.0, the Service
> Provider verifies the request by generating a new request signature
> octet string, and comparing it to the signature provided by the
> Consumer. Could you please provide help on this?
> I am sending authorization header from my consumer. What exactly has to
> be done with this consumer auth header/signature at the service
> provider side?
> Thanks,
> Anuradha
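
The provider-side check this thread describes (recompute the HMAC-SHA1 signature from the received request, compare it to the one the consumer sent, then check timestamp and nonce), as an added example using only the JDK. It is not the net.oauth library's code nor any poster's; the class name, keys, secrets, sample parameters and the 300-second tolerance are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class VerifyOAuth1 {  // hypothetical class name; needs Java 10+
    static final Set<String> seen = new HashSet<>();  // in memory only; production needs a shared, expiring store

    // Percent-encoding from OAuth Core section 5.1: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Signature base string (section 9.1). Assumes one value per name and an already normalized URL.
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> { if (!k.equals("oauth_signature")) sorted.put(enc(k), enc(v)); });
        StringJoiner pairs = new StringJoiner("&");
        sorted.forEach((k, v) -> pairs.add(k + "=" + v));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(pairs.toString());
    }
    // HMAC-SHA1 (section 9.2): the key is enc(consumer secret) & enc(token secret).
    static byte[] hmacSha1(String base, String consumerSecret, String tokenSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
    }
    // Provider side: recompute the signature from the received request, compare, then check freshness and replay.
    static boolean verify(String method, String url, Map<String, String> p,
                          String consumerSecret, String tokenSecret, long now) throws Exception {
        byte[] expected = hmacSha1(baseString(method, url, p), consumerSecret, tokenSecret);
        try {
            byte[] provided = Base64.getDecoder().decode(p.getOrDefault("oauth_signature", ""));
            if (!java.security.MessageDigest.isEqual(expected, provided)) return false;  // constant-time compare
            long ts = Long.parseLong(p.get("oauth_timestamp"));
            if (Math.abs(now - ts) > 300) return false;  // assumed 5-minute clock tolerance
            return seen.add(p.get("oauth_consumer_key") + "|" + ts + "|" + p.get("oauth_nonce"));
        } catch (IllegalArgumentException e) { return false; }  // malformed base64 or timestamp
    }
    public static void main(String[] args) throws Exception {
        String url = "http://localhost:8080/oauth-provider/echo";
        Map<String, String> p = new HashMap<>(Map.of(  // constructed sample request
            "oauth_consumer_key", "ck", "oauth_token", "tk", "oauth_signature_method", "HMAC-SHA1",
            "oauth_timestamp", "1255392000", "oauth_nonce", "n1", "msg", "hi there"));
        p.put("oauth_signature", Base64.getEncoder().encodeToString(hmacSha1(baseString("GET", url, p), "cs", "ts")));
        System.out.println("first delivery: " + verify("GET", url, p, "cs", "ts", 1255392010L));
        System.out.println("replayed nonce: " + verify("GET", url, p, "cs", "ts", 1255392010L));
        p.put("msg", "tampered");  // parameter changed after signing
        System.out.println("altered param:  " + verify("GET", url, p, "cs", "ts", 1255392010L));
    }
}
```

The nonce is recorded only after the signature and timestamp pass, so unauthenticated requests cannot fill the replay store.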
 

