Akash049 / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost

Invalid signature when POSTing multi-part entity #53

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,
I have a web app on which users can upload sounds and get information about the 
uploaded sounds via an API. I can do the GET calls without any problem, but when 
I try to post data using a multi-part entity containing a StringBody and a 
FileBody, I get an error on the server side telling me:

Invalid signature. Expected signature base string: POST&http%3A%2F%2F192.168.10.150%3A8000%2Fanalysis%2Fapi%2Fsoundfiles%2F&oauth_consumer_key%3DTXRBUbHitbUvZf6Cb5%26oauth_nonce%3D2935052448841531910%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1276151335%26oauth_token%3Dcs8Achu5NzxkfDq7jL%26oauth_version%3D1.0%26type%3Daudio

and on the client side, I get this:
W/DefaultRequestDirector( 8761): Authentication error: Unable to respond to any of these challenges: {oauth=WWW-Authenticate: OAuth realm="API"}

The post signing works fine when I am sending just a POST with an empty 
MultiPartEntity; I just get a 500 from my server complaining that the post data 
isn't here, but that's normal.

Here is the code that reproduces it:

CommonsHttpOAuthConsumer postConsumer = new 
CommonsHttpOAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET);
postConsumer.setTokenWithSecret(token, token_secret);
HttpPost httpPost = new HttpPost(url);
postConsumer.sign(httpPost);
MultipartEntity reqEntity = new MultipartEntity(HttpMultipartMode.STRICT);
reqEntity.addPart("type", new StringBody("audio"));
reqEntity.addPart("file", new FileBody(new File(filepath)));
httpPost.setEntity(reqEntity);
HttpClient client = new DefaultHttpClient();
client.execute(httpPost);

I am using an Android 1.6 device and Apache HttpClient 4.x. The OAuth server part 
is handled by django-piston.
The code is globally taken from what is written for Twitter on the wiki and 
group 
(http://groups.google.com/group/signpost-users/browse_thread/thread/6acf09d532d741d?pli=1).

Original issue reported on code.google.com by timothe....@gmail.com on 10 Jun 2010 at 6:38

GoogleCodeExporter commented 8 years ago
Hi,
Looks like an issue in the django-piston server which appends the "type=audio" 
parameter to the signature base (parsing it from the request body). You can 
always add:

System.setProperty("debug", "1");

and then "adb logcat" in a shell to see what Signpost thinks the signature base 
(SBS) is. I suspect a mismatch.

Original comment by andy.loa...@gmail.com on 27 Nov 2010 at 3:38

GoogleCodeExporter commented 8 years ago
Hi,

Is there any fix for this?
I'm also trying to upload a file using multipart to a REST URL, but I'm getting 
an invalid signature error, though it works very well for simple GET requests.

Thanks,
Hemant

Original comment by rajput.h...@gmail.com on 11 Feb 2011 at 10:44

GoogleCodeExporter commented 8 years ago
Hi,

I can only say that we use Signpost in the Qype app to upload images using 
multipart requests with no problems. I'm not maintaining this library anymore 
and I haven't yet found someone willing to take it over, so there will be no 
fixes coming up in the near future.

Original comment by m.kaepp...@gmail.com on 11 Feb 2011 at 12:47

GoogleCodeExporter commented 8 years ago
I understand you are not maintaining the code anymore, but can you post the Java 
that works with MultiPartEntity?

I have Signpost working great with 1.2.1.1 and the http apache commons when 
pushing a file with no metadata in a single entity to Google, but when I set it 
to multi-part and try to add two parts to the post to Picasa (one with Metadata 
atom+xml and one with the file) I get 'Unknown authorization header' with a 403 
forbidden. Same headers, authorization, etc. that works for just pushing the 
file with no title and filename, etc.

If you could post your Java that works it would be most helpful.

Thanks a lot for a great class and all your work!
Matt

Original comment by mkoc...@gmail.com on 7 Apr 2011 at 1:33

GoogleCodeExporter commented 8 years ago
Trust me when I say: there is nothing OAuth specific about sending multipart 
requests. OAuth takes a request's fingerprint over its request parameters, the 
URL, and the HTTP verb. The payload is completely ignored, unless it contains 
parameters as a query string (form encoded).

I don't think it makes sense to post my code here, since we use a generic 
request interceptor to sign requests. It doesn't matter what the request 
contains. Instead, try running your app with the -Ddebug flag set. This will 
make Signpost print its SBS and Auth header to standard out, so you can compare 
it to what your service provider expects.

Original comment by m.kaepp...@gmail.com on 7 Apr 2011 at 7:14
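
The base-string mismatch suspected in this thread can be reproduced offline. The following is an added example, not code from the thread, Signpost or django-piston: it builds the OAuth 1.0 signature base string from the values in the reported error, once without and once with the multipart field `type=audio`. The helper names and the two secrets are constructed placeholders, and the URL is assumed to be already normalized with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

FORM = "application/x-www-form-urlencoded"

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params, body_params, content_type):
    # Assumes url is already normalized and carries no query string.
    params = list(oauth_params.items())
    # Body parameters are signed only when the body is form-encoded.
    if content_type.split(";")[0].strip().lower() == FORM:
        params += list(body_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(sbs, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, sbs.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Values copied from the error message in the report
URL = "http://192.168.10.150:8000/analysis/api/soundfiles/"
OAUTH = {
    "oauth_consumer_key": "TXRBUbHitbUvZf6Cb5",
    "oauth_nonce": "2935052448841531910",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1276151335",
    "oauth_token": "cs8Achu5NzxkfDq7jL",
    "oauth_version": "1.0",
}
BODY = {"type": "audio"}  # the StringBody part of the multipart entity
# Constructed placeholder secrets; the real ones are not on the page
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-example", "token-secret-example"

def compare():
    # multipart body: the field stays out of the base string
    client = base_string("POST", URL, OAUTH, BODY, "multipart/form-data; boundary=x")
    # what a verifier computes if it folds the body field in as a form parameter
    server = base_string("POST", URL, OAUTH, BODY, FORM)
    return client, server

if __name__ == "__main__":
    for name, sbs in zip(("client", "server"), compare()):
        print(name, sign(sbs, CONSUMER_SECRET, TOKEN_SECRET), sbs)
```

The second base string is identical to the one in the server's error message; the first lacks the trailing `%26type%3Daudio`, so the two HMAC-SHA1 signatures cannot match.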