users@jersey.java.net

Re: [Jersey] oAuth HMAC_SHA1 implementation bug

From: Micha Werle <mwerle_at_gmail.com>
Date: Thu, 3 Dec 2009 05:06:10 -0800 (PST)

Hi Paul,

The issue goes further - any query parameters added to a request also need
to be encoded properly first.

The current implementation uses the standard Java URLEncoder.encode() method
for query parameter names and values, which is not quite the same as the
OAuth requirement for encoding these (for example, OAuth requires SPACE to
be encoded as %20 rather than +).

I've raised a bugtracker issue and attached a potential patch:
https://jersey.dev.java.net/issues/show_bug.cgi?id=433

Cheers,
 - Micha.


Paul C. Bryan wrote:
>
> Hi Dirk:
>
> Good catch, thanks. I've checked in a fix to the trunk.
>
> Paul
>
> On Mon, 2009-08-24 at 15:50 -0500, DirkM wrote:
>> I believe there's a bug in the implementation of HMAC_SHA1 in the Jersey
>> oauth-signature library.
>> According to the spec, the consumer and token secrets should be percent
>> encoded before being concatenated together:
>> http://oauth.net/core/1.0a#anchor15
>>
>> The code doesn't do this, so any secret with an unusual character in it
>> (or a space) will fail authentication.
>> Dirk
>
>

-- 
View this message in context: http://n2.nabble.com/oAuth-HMAC-SHA1-implementation-bug-tp3506009p4105901.html
Sent from the Jersey mailing list archive at Nabble.com.
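The two encoding points raised in this thread (the percent-encoded secrets in the HMAC-SHA1 key, and query parameter names and values encoded per the OAuth rules rather than with URLEncoder), as an added example that is not Jersey's oauth-signature code; the class and method names are assumptions for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not code from the Jersey project: an OAuth 1.0 percent-encoder
// shown next to java.net.URLEncoder, plus the HMAC-SHA1 signing key built from
// the two secrets as the spec requires (each secret encoded before the '&' join).
public final class OAuthEncodingExample {

    // OAuth 1.0 section 5.1 keeps only the RFC 3986 unreserved characters
    // literal: ALPHA, DIGIT, '-', '.', '_', '~'. Every other byte of the UTF-8
    // form becomes %XX with uppercase hex. Space is %20, never '+'.
    static String oauthEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.'
                    || c == '_' || c == '~') {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    // HMAC-SHA1 key = encode(consumerSecret) + "&" + encode(tokenSecret).
    // Joining the raw secrets would leave an '&' or a space inside a secret
    // ambiguous, which is the authentication failure described in the thread.
    static String signingKey(String consumerSecret, String tokenSecret) {
        String token = tokenSecret == null ? "" : tokenSecret;
        return oauthEncode(consumerSecret) + "&" + oauthEncode(token);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value covering space, '&', '~' and '*', the
        // characters where URLEncoder and the OAuth rules disagree.
        String value = "a b&c~d*e";
        System.out.println("URLEncoder : " + URLEncoder.encode(value, "UTF-8")); // a+b%26c%7Ed*e
        System.out.println("OAuth      : " + oauthEncode(value));               // a%20b%26c~d%2Ae
        System.out.println("key        : " + signingKey("s&cret", "tok en"));    // s%26cret&tok%20en
    }
}
```

URLEncoder is the form-encoding flavour (space to '+', '*' left bare, '~' encoded), so a signature base string built from it never matches one built with the OAuth encoder on the other side.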