users@jersey.java.net

Re: [Jersey] oAuth HMAC_SHA1 implementation bug

From: Paul C. Bryan <pbryan_at_sun.com>
Date: Mon, 24 Aug 2009 14:51:14 -0700

Hi Dirk:

Good catch, thanks. I've checked in a fix to the trunk.

Paul

On Mon, 2009-08-24 at 15:50 -0500, DirkM wrote:
> I believe there's a bug in the implementation of HMAC_SHA1 in the Jersey
> oauth-signature library.
> According to the spec, the consumer and token secrets should be percent
> encoded before being concatenated together:
> http://oauth.net/core/1.0a#anchor15
>
> The code doesn't do this, so any secret with an unusual character in it (or
> a space) will fail authentication.
> Dirk
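
The key construction discussed in this thread, as an added example that is not part of the original messages and is not Jersey's oauth-signature code: it builds the HMAC-SHA1 key both by plain concatenation (the behaviour reported above) and with each secret percent-encoded first, then signs the same base string with each. The class name, helper names, secrets and base string are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OAuthHmacSha1KeyDemo {

    // OAuth 1.0a parameter encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay
    // unescaped; every other UTF-8 byte becomes %XX with uppercase hex digits.
    static String percentEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append(String.format("%%%02X", c));
            }
        }
        return out.toString();
    }

    // Key per the spec: encoded consumer secret, '&', encoded token secret.
    // The '&' separator is present even when the token secret is empty.
    static String specKey(String consumerSecret, String tokenSecret) {
        return percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret);
    }

    static String sign(String key, String baseString) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        String consumerSecret = "my secret&1";
        String tokenSecret = "tok/en";
        String baseString = "GET&http%3A%2F%2Fexample.com%2Fresource&oauth_nonce%3Dabc";

        String rawKey = consumerSecret + "&" + tokenSecret;   // secrets joined unencoded
        String encKey = specKey(consumerSecret, tokenSecret); // secrets encoded, then joined

        System.out.println("raw key: " + rawKey + " -> " + sign(rawKey, baseString));
        System.out.println("enc key: " + encKey + " -> " + sign(encKey, baseString));
        System.out.println("signatures match: " + sign(rawKey, baseString).equals(sign(encKey, baseString)));
    }
}
```

For secrets made up only of unreserved characters the two keys are identical, which is why the mismatch only shows up once a secret contains a space or other character that needs encoding.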