Hello,
I am trying to build a RESTful API in Jersey and would like to authenticate
requests using OAuth via Jersey's OAuth libraries. I am using the server and
signature libraries on the server (Glassfish) and the client library to
test.
I get an UnsupportedSignatureMethodException on the server when
OAuthSignature.verify is called irrespective of what signature method I
specify on the client (tried specifying none, HMAC_SHA1, Plain text).
Here is the client call:

    OAuthParameters params = new OAuthParameters()
            .consumerKey("consumer1")
            .token("token1")
            .signatureMethod(com.sun.jersey.oauth.signature.HMAC_SHA1.NAME)
            .timestamp()
            .nonce()
            .version();

    // OAuth secrets to access resource
    OAuthSecrets secrets = new OAuthSecrets()
            .consumerSecret("consumerSec")
            .tokenSecret("tokenSec");

    // if parameters and secrets remain static, filter can be added to
    // each web resource
    OAuthClientFilter filter =
            new OAuthClientFilter(client.getProviders(), params, secrets);

    // OAuth test server resource
    WebResource resource = getResource("get/");

    // filter added at the web resource level
    resource.addFilter(filter);

    // make the request (signing it in the process)
    String response = resource.get(String.class);
    System.out.println(response);

This is pretty much taken verbatim from the tutorial:
http://wikis.sun.com/display/Jersey/OAuth

Similarly for the server:

    // Read the OAuth parameters from the request
    OAuthServerRequest oauthreq = new OAuthServerRequest(request);
    OAuthParameters params = new OAuthParameters();
    params.readRequest(oauthreq);
    log.info("Consumer: " + params.getConsumerKey());
    log.info("Token: " + params.getToken());

    // Set the secret(s), against which we will verify the request
    OAuthSecrets secrets = new OAuthSecrets();
    secrets.consumerSecret("consumerSec");
    secrets.tokenSecret("tokenSec");

    // Check that the timestamp has not expired
    String timestampStr = params.getTimestamp();
    // ... timestamp checking code ...

    // Verify the signature
    try {
        if (!OAuthSignature.verify(oauthreq, params, secrets)) {
            log.info("Unauthorized access");
            throw new WebApplicationException(401);
        }
    } catch (OAuthSignatureException e) {
        log.error(e);
        throw new WebApplicationException(e, 401);
    }

Now, those logging statements produce the right output, but I have no idea
why it does not support its own signature.
I greatly appreciate any help or pointers.
Thanks,
Matthias
--
Matthias Broecheler
http://www.matthiasb.com
E-Mail: me_at_matthiasb.com