On Aug 27, 2009, at 4:05 PM, Grover Blue wrote:
> I'm looking forward to doing something with this soon. Just too busy
> right now. Can OAuth be used to sit on top of an existing WS for
> authentication? I'm not very familiar with it.
>
You can use it for simple authentication but it also supports
delegated authorization where you can give a client access to a
service without revealing your credentials to the client. E.g. I could
have facebook add photos to my flickr account without giving facebook
my flickr username and password.
Marc.
> On Thu, Aug 27, 2009 at 3:48 PM, DirkM <dirk_at_olx.com> wrote:
>
>
> Paul Sandoz wrote:
> >
> > You should be able to use a container request filter or a resource
> >
>
> I'm very impressed with the way every time I think of a new use-case
> Jersey has a well thought-out way to handle it. I think it would be
> helpful to add a link from the wiki page about OAuth to the container
> filter package description you cited above.
>
>
> Here's the class I wrote for simple OAuth authentication.
>
> Notes:
> 1. AuthenticationFailedException is a class I wrote. I have an
> ExceptionMapper to turn it into an HTTP 401. I need to do it this way
> because of how our architecture is set up, but anyone copying this code
> could simply throw a WebApplicationException.
>
> 2. Checking for the existence of each parameter is not really
> necessary, I just did it to be able to give a nicer error message to
> the user.
>
> 3. In order to get this to work with Guice, I couldn't use an
> <init-param> in the web.xml (as for some reason it doesn't get picked
> up). Instead I did this:
>
>     HashMap<String, String> params = new HashMap<String, String>();
>     params.put("com.sun.jersey.spi.container.ContainerRequestFilters",
>             "com.olx.iphone.auth.AuthenticationFilter");
>     serve("/*").with(GuiceContainer.class, params);
>
> 4. Please don't use my password to break into my bank account
>
>
> import java.util.Date;
>
> import com.sun.jersey.oauth.server.OAuthServerRequest;
> import com.sun.jersey.oauth.signature.OAuthParameters;
> import com.sun.jersey.oauth.signature.OAuthSecrets;
> import com.sun.jersey.oauth.signature.OAuthSignature;
> import com.sun.jersey.oauth.signature.OAuthSignatureException;
> import com.sun.jersey.spi.container.ContainerRequest;
> import com.sun.jersey.spi.container.ContainerRequestFilter;
>
> // AuthenticationFailedException is the author's own class (see note 1);
> // an ExceptionMapper turns it into an HTTP 401.
> public class AuthenticationFilter implements ContainerRequestFilter {
>     private final static int TIMESTAMP_EXPIRY_SECONDS = 60;
>
>     @Override
>     public ContainerRequest filter(ContainerRequest containerRequest) {
>         // Read the OAuth parameters from the request
>         OAuthServerRequest request = new OAuthServerRequest(containerRequest);
>         OAuthParameters params = new OAuthParameters();
>         params.readRequest(request);
>
>         // Check the required OAuth parameters have been provided
>         checkForParameter(OAuthParameters.SIGNATURE_METHOD, params.getSignatureMethod());
>         checkForParameter(OAuthParameters.SIGNATURE, params.getSignature());
>         checkForParameter(OAuthParameters.TOKEN, params.getToken());
>         checkForParameter(OAuthParameters.NONCE, params.getNonce());
>         checkForParameter(OAuthParameters.TIMESTAMP, params.getTimestamp());
>         checkForParameter(OAuthParameters.VERSION, params.getVersion());
>
>         // Set the token secret, against which we will verify the request.
>         // The secret is hard-coded here (see note 4); a real deployment would
>         // look it up from the token store. Note that no consumer secret is set
>         // and oauth_consumer_key is never looked up or checked.
>         OAuthSecrets secrets = new OAuthSecrets();
>         String tokenSecret = "tokensecret";
>         secrets.setTokenSecret(tokenSecret);
>
>         // Check that the timestamp has not expired. The nonce is only checked
>         // for presence above and never recorded, so a captured request can be
>         // replayed within the expiry window.
>         String timestampStr = params.getTimestamp();
>         try {
>             long timestampSeconds = Long.valueOf(timestampStr);
>             long timestampMillis = timestampSeconds * 1000;
>             long currentTimeMillis = System.currentTimeMillis();
>             long currentTimeSeconds = currentTimeMillis / 1000;
>             if (timestampSeconds > currentTimeSeconds) {
>                 String msg = "Timestamp is in the future!\n" +
>                         "Timestamp " + timestampStr + " (" + (new Date(timestampMillis)) + ") " +
>                         "is later than the current time (" + (new Date(currentTimeMillis)) + ")";
>                 throwException(msg);
>             }
>             if (timestampSeconds < currentTimeSeconds - TIMESTAMP_EXPIRY_SECONDS) {
>                 String msg = "Timestamp expired\n" +
>                         "Timestamp " + timestampStr + " (" + (new Date(timestampMillis)) + ") " +
>                         "is more than " + TIMESTAMP_EXPIRY_SECONDS + " " +
>                         "seconds before the current time (" + (new Date(currentTimeMillis)) + ")";
>                 throwException(msg);
>             }
>         } catch (NumberFormatException e) {
>             throwException("Could not parse oAuth timestamp '" + timestampStr + "'");
>         }
>
>         // Verify the signature
>         try {
>             if (!OAuthSignature.verify(request, params, secrets)) {
>                 throwException("Signature failed verification");
>             }
>         } catch (OAuthSignatureException e) {
>             throw new AuthenticationFailedException(e);
>         }
>
>         return containerRequest;
>     }
>
>     private void checkForParameter(String paramName, String paramValue) {
>         if (paramValue == null || paramValue.isEmpty()) {
>             throwException("Missing or empty parameter '" + paramName + "'");
>         }
>     }
>
>     private void throwException(String msg) {
>         String exceptionMsg = "OAuth authentication failure: " + msg;
>         throw new AuthenticationFailedException(exceptionMsg);
>     }
> }
>
> --
> View this message in context: http://n2.nabble.com/oAuth-HMAC-SHA1-implementation-bug-tp3506009p3529549.html
> Sent from the Jersey mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>
>
>
>
> --
> “If the American people ever allow private banks to control the
> issue of their currency, first by inflation, then by deflation, the
> banks...will deprive the people of all property until their children
> wake-up homeless on the continent their fathers conquered... The
> issuing power should be taken from the banks and restored to the
> people, to whom it properly belongs." -- Thomas Jefferson
>
> "Government big enough to supply everything...is big enough to take
> everything you have. The course of history shows that as a
> government grows, liberty decreases" --- Thomas Jefferson
>
> www.CampaignForLiberty.org
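The checks DirkM's filter performs (required parameters, timestamp window, HMAC-SHA1 signature), together with the two it leaves out (looking up the consumer and token secrets per request, and recording nonces so a captured request cannot be replayed inside the 60-second window), as an added stand-alone example. This is Python written for this page, not code from the thread or from the Jersey project; it implements the RFC 5849 signature base string and HMAC-SHA1 key directly instead of calling Jersey's OAuthSignature. The consumer key "ckey", token "tok", secrets, example URL and the fixed clock value are all constructed for the demo.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 verification with replay defences.
Stand-alone reference code, not Jersey; the checks are the ones a
server-side authentication filter has to make."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

REQUIRED = ("oauth_consumer_key", "oauth_token", "oauth_signature_method",
            "oauth_signature", "oauth_timestamp", "oauth_nonce")


def pct(s):
    """Percent-encode per RFC 5849 s3.6: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    """RFC 5849 s3.4.1: METHOD&enc(url)&enc(sorted params minus oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), pct(base_url), pct(normalized)))


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """s3.4.2: HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, timestamp, nonce):
    """Client side: append the oauth_* parameters and the signature."""
    signed = list(params) + [
        ("oauth_consumer_key", consumer_key), ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce), ("oauth_version", "1.0")]
    base = signature_base_string(method, url, signed)
    signed.append(("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret)))
    return signed


class OAuthVerifier:
    """Server side: presence, timestamp window, nonce cache, secret lookup,
    constant-time signature comparison."""

    def __init__(self, consumer_secrets, token_secrets, window=60, skew=5, clock=time.time):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer secret
        self.token_secrets = token_secrets        # (consumer_key, token) -> token secret
        self.window, self.skew, self.clock = window, skew, clock
        self.seen = {}                            # (consumer, token, ts, nonce) -> expiry

    def verify(self, method, url, params):
        p = dict(params)
        for name in REQUIRED:
            if not p.get(name):
                return False, f"missing or empty parameter '{name}'"
        if p["oauth_signature_method"] != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(p["oauth_timestamp"])
        except ValueError:
            return False, "could not parse oauth_timestamp"
        now = int(self.clock())
        if ts > now + self.skew:  # tolerate small clock drift rather than a strict '> now'
            return False, "timestamp is in the future"
        if ts < now - self.window:
            return False, "timestamp expired"
        consumer_secret = self.consumer_secrets.get(p["oauth_consumer_key"])
        token_secret = self.token_secrets.get((p["oauth_consumer_key"], p["oauth_token"]))
        if consumer_secret is None or token_secret is None:
            return False, "unknown consumer key or token"
        replay_key = (p["oauth_consumer_key"], p["oauth_token"], ts, p["oauth_nonce"])
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}  # drop stale
        if replay_key in self.seen:
            return False, "nonce already used (replay)"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p["oauth_signature"].encode()):
            return False, "signature failed verification"
        # Record the nonce only once the signature is good, so unauthenticated
        # traffic cannot fill the cache; the entry lives as long as a request can.
        self.seen[replay_key] = ts + self.window + self.skew
        return True, "ok"


def demo():
    """Constructed scenario with a fixed clock (an epoch value from Aug 2009),
    one consumer and one token: valid request, replay, tampered body, stale stamp."""
    clock = lambda: 1251403500
    v = OAuthVerifier({"ckey": "csecret"}, {("ckey", "tok"): "tokensecret"}, clock=clock)
    url, body = "http://api.example.com/photos", [("title", "holiday pic"), ("album", "2009")]
    creds = ("ckey", "csecret", "tok", "tokensecret")
    req = sign_request("POST", url, body, *creds, clock(), "n1")
    ok = v.verify("POST", url, req)
    replay = v.verify("POST", url, req)               # same nonce, same timestamp
    fresh = sign_request("POST", url, body, *creds, clock(), "n2")
    tampered = [(k, "pwned" if k == "title" else val) for k, val in fresh]
    tamper = v.verify("POST", url, tampered)          # body changed, signature kept
    stale = sign_request("POST", url, body, *creds, clock() - 120, "n3")
    expired = v.verify("POST", url, stale)            # older than the 60 s window
    return ok, replay, tamper, expired
```

Two design points differ from the filter in the thread on purpose: oauth_version is not required (RFC 5849 makes it optional), and a few seconds of future skew are tolerated, since rejecting every timestamp later than the server clock breaks clients whose clocks run slightly ahead. The replay key includes the timestamp because the spec only requires a nonce to be unique per consumer, token and timestamp combination.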