use of org.apache.shindig.common.uri.UriBuilder in project liferay-ide by liferay.
the class OAuthRequest method sanitizeAndSign.
/**
* Start with an HttpRequest.
* Throw if there are any attacks in the query.
* Throw if there are any attacks in the post body.
* Build up OAuth parameter list.
* Sign it.
* Add OAuth parameters to new request.
* Send it.
*/
public HttpRequest sanitizeAndSign(HttpRequest base, List<Parameter> params, boolean tokenEndpoint) throws OAuthRequestException {
if (params == null) {
params = Lists.newArrayList();
}
UriBuilder target = new UriBuilder(base.getUri());
String query = target.getQuery();
target.setQuery(null);
params.addAll(sanitize(OAuth.decodeForm(query)));
switch(OAuthUtil.getSignatureType(tokenEndpoint, base.getHeader("Content-Type"))) {
case URL_ONLY:
break;
case URL_AND_FORM_PARAMS:
try {
params.addAll(sanitize(OAuth.decodeForm(base.getPostBodyAsString())));
} catch (IllegalArgumentException e) {
// Occurs if OAuth.decodeForm finds an invalid URL to decode.
throw new OAuthRequestException(OAuthError.INVALID_REQUEST, "Could not decode body", e);
}
break;
case URL_AND_BODY_HASH:
try {
byte[] body = IOUtils.toByteArray(base.getPostBody());
byte[] hash = DigestUtils.sha(body);
String b64 = new String(Base64.encodeBase64(hash), Charsets.UTF_8.name());
params.add(new Parameter(OAuthConstants.OAUTH_BODY_HASH, b64));
} catch (IOException e) {
throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error taking body hash", e);
}
break;
}
// authParams are parameters prefixed with 'xoauth' 'oauth' or 'opensocial',
// trusted parameters have ability to override these parameters.
List<Parameter> authParams = Lists.newArrayList();
addIdentityParams(authParams);
addSignatureParams(authParams);
overrideParameters(authParams);
params.addAll(authParams);
try {
OAuthMessage signed = OAuthUtil.newRequestMessage(accessorInfo.getAccessor(), base.getMethod(), target.toString(), params);
HttpRequest oauthHttpRequest = createHttpRequest(base, selectOAuthParams(signed));
// Following 302s on OAuth responses is unlikely to be productive.
oauthHttpRequest.setFollowRedirects(false);
return oauthHttpRequest;
} catch (OAuthException e) {
throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error signing message", e);
}
}
Aggregations