users@jersey.java.net

[Jersey] Re: Signature error with 2-legged oauth on POST

From: Martin Matula <martin.matula_at_oracle.com>
Date: Wed, 01 Jun 2011 15:41:28 +0200

That's weird. I believe the form data should not be part of the
signature. This looks like a bug in Jersey.
Martin

On 30.5.2011 20:40, J-F Lamaire wrote:
> I have actually figured out what the problem is and the solution. What I was doing was creating the Client, populating the form data in a MultivaluedMap and then posting the WebResource like this:
>
> WebResource.post(ClientResponse.class, formData);
>
> What I eventually figured out is that the form data was not included in the base string for the signature. The signature was calculated using the URL and oauth parameters but not the form data parameters. On the server all of the parameters were included in the base string so the signatures did not match.
>
> Changing the post to this:
>
> WebResource.queryParams(formData).post(ClientResponse.class);
>
> resolves the problem; the signature sent by the client matches the signature calculated on the server. As I'm very new to Jersey I don't know if that is expected behavior. If that is not the expected behavior and you would like me to create an issue please let me know and I will. For now I will assume this is the expected behavior and chalk it up as a misunderstanding on my part.
>
>
> --- On Sun, 5/29/11, Martin Matula<martin.matula_at_oracle.com> wrote:
>
>> From: Martin Matula<martin.matula_at_oracle.com>
>> Subject: [Jersey] Re: Signature error with 2-legged oauth on POST
>> To: users_at_jersey.java.net
>> Received: Sunday, May 29, 2011, 8:42 PM
>> Hi,
>> Could you please file an issue and let me know how to
>> reproduce it? (what kind of post you are trying to send and
>> what the oauth parameters look like)
>> In case you want to try to debug it yourself, you can try
>> adding some logging (or breakpoints) to HMAC_SHA1.java (in
>> oauth-signature module) - in the "sign()" method (lines 76+)
>> - elements is the string to be signed.
>> Martin
>>
>> On 27.5.2011 20:03, fff907_at_yahoo.ca wrote:
>>> I am using the Jersey oauth libraries for an implementation of 2-legged
>>> oauth. However, I am having problems with signatures on messages that
>>> are POSTed. I have not had any errors with GET methods but I cannot
>>> seem to find a way for a POST to generate a correct signature.
>>> I have written two tools, one in PHP and one in Python, to check the
>>> signature, and both of the tools generate a signature that matches what
>>> the server (PHP) generates on the server side to compare. I have not
>>> been able to figure out what is happening in the Jersey oauth code to
>>> generate the signature but the signature does not match any other tool
>>> I have used. I did see a bug report:
>>> http://java.net/jira/browse/JERSEY-433
>>>
>>> which looks suspiciously like my problem so I created a POST that does
>>> not have any characters that need extra encoding but still have the
>>> same problem, so I don't believe that ticket addresses my problem but it
>>> does sound related. Being new to Jersey I am not sure how to log what
>>> is happening in detail when the signature is being built. I would
>>> really like to see the base string that it generates. Is there a
>>> way to log that?
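
Added example (not part of the thread and not Jersey's code): a minimal Python builder for the OAuth 1.0 HMAC-SHA1 signature base string, following RFC 5849 section 3.4.1, under which parameters from an application/x-www-form-urlencoded body are collected together with the query and oauth_* parameters. It prints the base string for the three cases discussed above; the URI, consumer key, secret, nonce and form fields are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(str(value), safe="-._~")

def base_string(method, base_uri, oauth_params, query=(), form=()):
    # RFC 5849 section 3.4.1.3: query, form-encoded body and oauth_* parameters
    # are all collected (oauth_signature and realm excluded), encoded, sorted.
    # base_uri is scheme://host/path with no query string.
    pairs = [(pct(k), pct(v))
             for k, v in [*query, *form, *oauth_params]
             if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    # 2-legged OAuth has no token, so the token secret is empty
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample request (assumed values, not taken from the thread)
URI = "http://api.example.test/items"
SECRET = "example-consumer-secret"
OAUTH = [("oauth_consumer_key", "example-key"),
         ("oauth_nonce", "constructed-nonce"),
         ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", "1306935688"),
         ("oauth_version", "1.0")]
FORM = [("name", "widget"), ("qty", "2")]

def compare():
    return {
        # form data sent in the body but left out of the base string
        "client_body_post": base_string("POST", URI, OAUTH),
        # verifier that includes the form parameters
        "server": base_string("POST", URI, OAUTH, form=FORM),
        # same parameters moved to the query string
        "client_query_post": base_string("POST", URI, OAUTH, query=FORM),
    }

if __name__ == "__main__":
    for label, base in compare().items():
        print(f"{label:18} {hmac_sha1(base, SECRET)}  {base}")
```

Logging the base string on both sides and comparing the two is the quickest way to locate a mismatch like this one, since the HMAC output alone says nothing about which parameter differs.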