From: Corben <corben80_at_yahoo.it>
Date: Wed, 20 Jul 2011 10:29:20 +0100 (BST)

Dear all,

I have a problem in using the oAuth filter, while implementing an oAuth Service Provider.
My setup is: Tomcat 7, Jersey 1.8, development under Eclipse.


The resources that I expose are:
/services/... where I have 4 jersey REST WS that I want to protect with oAuth (defined and annotated in MyServlet)

/authorize providing a resource to authorize a request token

And of course I have the two WS exposed by the Jersey oAuth library:
/requestToken
/accessToken


Here is my web.xml file:
[code]

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
  <display-name>MyProjectPhrJersey</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>portal/index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
 
  <filter>
        <filter-name>Jersey Filter</filter-name>
        <filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.JSPTemplatesBasePath</param-name>
            <param-value>/WEB-INF</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.property.WebPageContentRegex</param-name>
            <param-value>.*\.css|.*\.png|.*\.jsp</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.feature.Redirect</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.mypackage, com.sun.jersey.oauth.server.api.resources</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
            <param-value>com.sun.jersey.oauth.server.api.OAuthServerFilter</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.property.oauth.provider</param-name>
             <param-value>com.mypackage.MyProvider</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.property.oauth.ignorePathPattern</param-name>
            <param-value>requestToken|authorize|accessToken</param-value>
        </init-param>       
    </filter>
    <filter-mapping>
        <filter-name>Jersey Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  <servlet>
       <servlet-name>MyServlet</servlet-name>
       <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
       <init-param>
               <param-name>com.sun.jersey.config.property.packages</param-name>
               <param-value>com.mypackage.MyProvider</param-value>
       </init-param>
       <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet-mapping>
       <servlet-name>MyServlet</servlet-name>
       <url-pattern>/*</url-pattern>
   </servlet-mapping>
</web-app>

[/code]

The problem is that with this web-xml, I can access requestToken, but also all the web services.
1) On "http://localhost:8080/MyProject/services/method1" is accessible

2) On "http://localhost:8080/MyProject/requestToken" Provides a request token


If I change the path of the web services in order to have web services and oAuth separated from my portal, like this:
[code]
    <filter-mapping>
        <filter-name>Jersey Filter</filter-name>
        <url-pattern>/oAuth/*</url-pattern>
    </filter-mapping>
    ...
    <servlet-mapping>
       <servlet-name>MyServlet</servlet-name>
       <url-pattern>/oAuth/*</url-pattern>
   </servlet-mapping>
[/code]

Then something odd happens:
1) On "http://localhost:8080/MyProject/services/method1" I get a "403 Forbidden" reply
2) On "http://localhost:8080/MyProject//oAuth/services/method1" I get a "404 Not found" reply

3) On "http://localhost:8080/MyProject/requestToken" I get a "404 Not found" reply

4) On "http://localhost:8080/MyProject/oAuth/requestToken" I get a "401 Unauthorized" reply

It seems to me that something strange happens with the ignorePattern, however as you can see it seems to be configured correctly.


Any hint on what I'm doing wrong?

It's been a couple of days now of back and forth tests with different configurations, without any satisfactory result...


My goal is to be able to access requestToken, authorize, and accessToken without any oAuth signature, but block ONLY the resources under /services

Thanks!
Corben