/*
 * Copyright 2008 Google, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package net.oauth;

import java.io.IOException;
import java.net.URISyntaxException;

import net.oauth.signature.OAuthSignatureMethod;

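/**
 * A simple OAuthValidator, which checks the version, whether the timestamp
 * is close to now and the signature is valid. Each check may be overridden.
 * <p>
 * Every field is {@code final} and nothing is mutated after construction, so
 * one instance can be shared between threads.
 * <p>
 * Malformed {@code oauth_version} and {@code oauth_timestamp} values are
 * reported as {@link OAuthProblemException}s ("version_rejected" /
 * "timestamp_refused") rather than escaping as {@link NumberFormatException}.
 *
 * @author Dirk Balfanz
 * @author John Kristian
 * @hide
 */
public class SimpleOAuthValidator implements OAuthValidator {

    /** Default window for timestamps: 5 minutes, in milliseconds. */
    public static final long DEFAULT_TIMESTAMP_WINDOW = 5 * 60 * 1000L;

    /** Multiplier from the seconds carried in {@code oauth_timestamp} to msec. */
    private static final long MSEC_PER_SEC = 1000L;

    /** Lowest oauth_version this validator accepts. */
    protected final double minVersion = 1.0;
    /** Highest oauth_version this validator accepts. */
    protected final double maxVersion;
    /** Half-width of the accepted timestamp window, in milliseconds. */
    protected final long timestampWindow;

    /**
     * Construct a validator that rejects messages more than five minutes out
     * of date, or with a OAuth version other than 1.0, or with an invalid
     * signature.
     */
    public SimpleOAuthValidator() {
        this(DEFAULT_TIMESTAMP_WINDOW, Double.parseDouble(OAuth.VERSION_1_0));
    }

    /**
     * Public constructor.
     *
     * @param timestampWindowMsec
     *            specifies, in milliseconds, the window (into the past and
     *            into the future) in which we'll accept timestamps.
     * @param maxVersion
     *            the maximum acceptable oauth_version
     */
    public SimpleOAuthValidator(long timestampWindowMsec, double maxVersion) {
        this.timestampWindow = timestampWindowMsec;
        this.maxVersion = maxVersion;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Runs the version, timestamp/nonce and signature checks in that order;
     * the first failing check throws and the later ones are not run.
     *
     * @throws URISyntaxException propagated from signature validation
     */
    public void validateMessage(OAuthMessage message, OAuthAccessor accessor)
    throws OAuthException, IOException, URISyntaxException {
        validateVersion(message);
        validateTimestampAndNonce(message);
        validateSignature(message, accessor);
    }

    /**
     * Rejects the message unless its oauth_version (when present) lies within
     * [{@link #minVersion}, {@link #maxVersion}]. A missing oauth_version is
     * accepted.
     *
     * @throws OAuthProblemException "version_rejected" when the value is
     *             absent from the accepted range or is not a parseable number
     */
    protected void validateVersion(OAuthMessage message)
    throws OAuthException, IOException {
        String versionString = message.getParameter(OAuth.OAUTH_VERSION);
        if (versionString == null) {
            return; // the parameter is optional
        }
        double version;
        try {
            version = Double.parseDouble(versionString);
        } catch (NumberFormatException e) {
            OAuthProblemException problem = versionRejected();
            problem.initCause(e);
            throw problem;
        }
        // Double.parseDouble accepts "NaN", and NaN compares false against
        // both bounds, so it has to be rejected explicitly.
        if (Double.isNaN(version) || version < minVersion || maxVersion < version) {
            throw versionRejected();
        }
    }

    /** Builds the "version_rejected" problem carrying the acceptable range. */
    private OAuthProblemException versionRejected() {
        OAuthProblemException problem = new OAuthProblemException("version_rejected");
        problem.setParameter("oauth_acceptable_versions", minVersion + "-" + maxVersion);
        return problem;
    }

    /**
     * Requires oauth_timestamp and oauth_nonce, and rejects the message if the
     * timestamp (seconds since the epoch) is more than {@link #timestampWindow}
     * milliseconds away from {@link #currentTimeMsec()}.
     * <p>
     * This implementation doesn't check the nonce value, so a replayed
     * message inside the window is not detected here; subclasses needing
     * replay protection must override this method.
     *
     * @throws OAuthProblemException "timestamp_refused" when the timestamp is
     *             outside the window, not a parseable long, or too large to
     *             convert to milliseconds without overflow
     */
    protected void validateTimestampAndNonce(OAuthMessage message)
    throws IOException, OAuthProblemException {
        message.requireParameters(OAuth.OAUTH_TIMESTAMP, OAuth.OAUTH_NONCE);
        long now = currentTimeMsec();
        long min = now - timestampWindow;
        long max = now + timestampWindow;
        long timestampSec;
        try {
            timestampSec = Long.parseLong(message.getParameter(OAuth.OAUTH_TIMESTAMP));
        } catch (NumberFormatException e) {
            OAuthProblemException problem = timestampRefused(min, max);
            problem.initCause(e);
            throw problem;
        }
        // Reject before multiplying: a product that wrapped around could land
        // inside the window by accident instead of being refused.
        if (timestampSec > Long.MAX_VALUE / MSEC_PER_SEC
                || timestampSec < Long.MIN_VALUE / MSEC_PER_SEC) {
            throw timestampRefused(min, max);
        }
        long timestamp = timestampSec * MSEC_PER_SEC;
        if (timestamp < min || max < timestamp) {
            throw timestampRefused(min, max);
        }
    }

    /** Builds the "timestamp_refused" problem carrying the acceptable range. */
    private OAuthProblemException timestampRefused(long min, long max) {
        OAuthProblemException problem = new OAuthProblemException("timestamp_refused");
        problem.setParameter("oauth_acceptable_timestamps", min + "-" + max);
        return problem;
    }

    /**
     * Requires the consumer key, signature method and signature parameters,
     * then delegates the actual signature check to the signer selected by
     * {@link OAuthSignatureMethod#newSigner}.
     */
    protected void validateSignature(OAuthMessage message, OAuthAccessor accessor)
    throws OAuthException, IOException, URISyntaxException {
        message.requireParameters(OAuth.OAUTH_CONSUMER_KEY,
                OAuth.OAUTH_SIGNATURE_METHOD, OAuth.OAUTH_SIGNATURE);
        OAuthSignatureMethod.newSigner(message, accessor).validate(message);
    }

    /**
     * The current time in milliseconds. Protected so that subclasses (for
     * example in tests) can substitute a fixed or adjusted clock.
     */
    protected long currentTimeMsec() {
        return System.currentTimeMillis();
    }

}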