I’m happy to report that we’ve fixed an issue in the percent-encoding step of our OAuth signature library for the Jersey framework. The reported issue was caused by our use of Java’s URLEncoder and URLDecoder classes to compute OAuth’s signature base string. Unfortunately those classes do not perform the RFC 3986-compliant encoding that OAuth requires. The main difference is that a space character is encoded as a + when OAuth needs it escaped as %20 (more info here).
To fix this, we’ve chosen to leverage Jersey’s UriComponent class. There is one notable difference, though, from how one would normally encode a URI (see here for a very detailed explanation of URIs): OAuth says that the signature base string is built by concatenating the request method, the request URL and the normalized parameters (separated by &), and that each of those elements must be percent-encoded before concatenation. In effect we are re-encoding elements that are already encoded. As Paul noted, it’s as if we wanted to pass the signature base string in a URI… I remember this possibility being mentioned in conversations about debugging OAuth deployments, but that’s the only case I remember for it.
Anyway, to illustrate this, below is the piece of code where the bulk of the action happens:
// The base string starts with the upper-cased HTTP method.
StringBuffer buf = new StringBuffer(request.getRequestMethod().toUpperCase());
URI uri = constructRequestURL(request);
// Second element: the request URL, built piece by piece so that each piece can be percent-encoded.
String tp = uri.getScheme();
buf.append('&').append(UriComponent.encode(tp, UriComponent.Type.SCHEME));
// "://" is appended already encoded (%3A%2F%2F) because the whole URL element must be encoded in the base string.
tp = uri.getAuthority();
buf.append("%3A%2F%2F").append(UriComponent.encode(tp, UriComponent.Type.AUTHORITY));
// The path is encoded as a single PATH_SEGMENT so that its '/' separators become %2F rather than staying literal.
tp = uri.getPath();
buf.append(UriComponent.encode(tp, UriComponent.Type.PATH_SEGMENT));
// Third element: the normalized parameters (already individually encoded and joined with '&') are encoded once more.
buf.append('&').append(UriComponent.encode(normalizeParameters(request, params), UriComponent.Type.QUERY_PARAM));
Our testing code now also includes elements with spaces to make sure we got it right (thanks to Michael Werle).
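To show the space case end to end, here is an added example (not the Jersey OAuth module’s code) that builds an OAuth 1.0 signature base string with a hand-written RFC 3986 encoder and contrasts it with URLEncoder; the class name, the request URL and the parameters are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.TreeMap;

/** Added example: OAuth 1.0 signature base string with RFC 3986 percent-encoding. */
public class OAuthBaseString {

    // RFC 3986 unreserved set: ALPHA / DIGIT / "-" / "." / "_" / "~"; everything else is escaped.
    private static boolean isUnreserved(char c) {
        return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
            || c == '-' || c == '.' || c == '_' || c == '~';
    }

    /** Percent-encodes the UTF-8 bytes of s; a space becomes %20, never '+'. */
    static String rfc3986Encode(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            if (v < 0x80 && isUnreserved((char) v)) sb.append((char) v);
            else sb.append('%').append(String.format("%02X", v));
        }
        return sb.toString();
    }

    /** method & encode(url) & encode(sorted "k=v" pairs joined by '&'); keys and values are encoded before sorting. */
    static String signatureBaseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>(); // the constructed sample has unique keys
        for (Map.Entry<String, String> e : params.entrySet())
            sorted.put(rfc3986Encode(e.getKey()), rfc3986Encode(e.getValue()));
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (norm.length() > 0) norm.append('&');
            norm.append(e.getKey()).append('=').append(e.getValue());
        }
        // The URL and the parameter string are re-encoded here, so a %20 inside them becomes %2520.
        return method.toUpperCase() + "&" + rfc3986Encode(url) + "&" + rfc3986Encode(norm.toString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request with a space in the path and in a parameter value; not a real endpoint.
        Map<String, String> params = Map.of("oauth_nonce", "abc", "q", "hello world");
        // URLEncoder form-encodes the space as '+', which is the mismatch this post fixes.
        System.out.println(URLEncoder.encode("hello world", "UTF-8"));
        System.out.println(rfc3986Encode("hello world"));
        System.out.println(signatureBaseString("get", "http://example.com/a b", params));
    }
}
```

A signature computed over this base string only verifies if both sides escape the space the same way, which is why a test input containing spaces catches the URLEncoder mistake immediately.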
February 17, 2010 at 18:36
Hubert,
Our firm is recruiting for a Middleware Software Company in San Francisco, CA.
They are looking for Java Open Source stars that speak at conferences, lead projects, blog, and are well known in this world.
LinkedIn has you local to Silicon Valley?
Please let me know if you or any of your contacts in Silicon Valley would like to speak with me.
Thank you
Dave Haverstick
Triad Group
daveh@triadgroup.com
March 11, 2010 at 14:16
Hello Dave,
Thank you for your offer; I’m currently based in France. Please do contact me if you know of positions that would accommodate me being in France (while at Sun Microsystems, I have been telecommuting from here with my California-based team, so I know it can be done).
Best Regards,
Hubert
August 3, 2010 at 18:49
Hi Hubert,
This confuses me a little. As best I can tell, UriComponent’s encode for type QUERY_PARAM also uses the plus sign instead of %20, so when I try to use plain Jersey without the OAuth module (with the signature being done properly), the proper signature still does not match the plus signs that WebResource.queryParam will insert. Am I missing something important here?
Thanks.