users@jersey.java.net

Re: [Jersey] oAuth HMAC_SHA1 implementation bug

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Thu, 03 Dec 2009 14:32:57 +0100

Hi,

I forwarded the issue to Hubert and Paul B. and we had a little
discussion. We need to use UriComponent to encode stuff.

Thanks for logging the issue,
Paul.

On Dec 3, 2009, at 2:06 PM, Micha Werle wrote:

>
> Hi Paul,
>
> The issue goes further - any query parameters added to a request also need
> to be encoded properly first.
>
> The current implementation uses the standard Java URLEncoder.encode() method
> for query parameter names and values, which is not quite the same as the
> OAuth requirement for encoding these (for example, OAuth requires SPACE to
> be encoded as %20 rather than +).
>
> I've raised a bugtracker issue and attached a potential patch:
> https://jersey.dev.java.net/issues/show_bug.cgi?id=433
>
> Cheers,
> - Micha.
>
>
> Paul C. Bryan wrote:
>>
>> Hi Dirk:
>>
>> Good catch, thanks. I've checked-in a fix to the trunk.
>>
>> Paul
>>
>> On Mon, 2009-08-24 at 15:50 -0500, DirkM wrote:
>>> I believe there's a bug in the implementation of HMAC_SHA1 in the Jersey
>>> oauth-signature library.
>>> According to the spec, the consumer and token secrets should be percent
>>> encoded before being concatenated together:
>>> http://oauth.net/core/1.0a#anchor15
>>>
>>> The code doesn't do this, so any secret with an unusual character in it
>>> (or a space) will fail authentication.
>>> Dirk
>>
>>
>
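
The two encoding points raised in this thread, as an added example that is not part of the original messages, Jersey's code, or the patch attached to issue 433: it compares URLEncoder.encode() with OAuth 1.0a percent-encoding, and signs one base string with an HMAC-SHA1 key built with and without encoded secrets. The class and method names are hypothetical, and the parameter value, secrets and URL are constructed samples.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class, not Jersey code.
public class OAuthEncodingDemo {

    // OAuth 1.0a percent-encoding: ALPHA, DIGIT, '-', '.', '_', '~' stay literal;
    // every other UTF-8 byte becomes %XX with uppercase hex digits.
    static String oauthEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append(String.format("%%%02X", c));
            }
        }
        return out.toString();
    }

    // HMAC-SHA1 over the signature base string with the given key text.
    static String hmacSha1(String keyText, String baseString) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(keyText.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] sig = mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig);
    }

    public static void main(String[] args) throws Exception {
        String value = "a b*c~d";                  // constructed parameter value
        System.out.println("URLEncoder: " + URLEncoder.encode(value, "UTF-8"));
        System.out.println("OAuth:      " + oauthEncode(value));

        String consumerSecret = "cs&1 x";          // constructed secrets
        String tokenSecret = "ts";
        String normalized = "q=" + oauthEncode(value);
        String base = "GET&" + oauthEncode("http://example.com/r") + "&" + oauthEncode(normalized);
        // Key per the spec: each secret percent-encoded, then joined with '&'.
        String specKey = oauthEncode(consumerSecret) + "&" + oauthEncode(tokenSecret);
        // Key built without encoding, the behaviour reported in the thread.
        String rawKey = consumerSecret + "&" + tokenSecret;
        System.out.println("spec key signature: " + hmacSha1(specKey, base));
        System.out.println("raw key signature:  " + hmacSha1(rawKey, base));
    }
}
```

The two signatures differ, so a server that builds its key as the spec describes will reject a request signed with the unencoded key.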