Open GoogleCodeExporter opened 8 years ago
You cannot include a PUT or POST body for message signing. This problem is a consequence of how HttpURLConnection POSTs work. I already commented on this issue here: http://groups.google.com/group/signpost-users/msg/8c9c0b47de68d032
In a nutshell, the problem lies within how data is sent using a URLConnection type request. URLConnection is based around streams. That means, as soon as you add a payload to your message, you immediately send that data over the wire to the service endpoint. There is no way for Signpost to consider that data for request signing, because it's not buffered and already gone (or not yet there) when signing the message.
Hence, since POST/PUT params do not pass through message signing, authorization fails.
You can "fix" this by using a proper HTTP library such as Apache HttpClient.
Original comment by m.kaepp...@gmail.com
on 23 Mar 2010 at 9:02
I was sending parameters in the request URL, not in the body. But I changed the code to use HttpPut from Apache Components.
It still doesn't work. I get 401.
Here is a template of the code I'm running.
HttpPut put=new HttpPut("http://api.blip.pl/subscriptions/");
put.addHeader("Accept", "application/json"); //headers required by blip.pl api
put.addHeader("X-Blip-api", "0.02");
List<NameValuePair> lst =new ArrayList<NameValuePair>(3);
lst.add(new BasicNameValuePair(...)); //some parameters
UrlEncodedFormEntity entity = new UrlEncodedFormEntity(lst);
put.setEntity(entity);
consumer.sign(put); //consumer is CommonsHttpOAuthConsumer instance
HttpClient httpClient = new DefaultHttpClient();
HttpResponse response = httpClient.execute(put);
System.out.println(response.getStatusLine());
When I switch to oauth-signpost 1.1 the same code gives response '200 OK'
Original comment by andrzej....@gmail.com
on 23 Mar 2010 at 9:43
No, you're not sending your parameters in the query string, you're sending them in the PUT body (UrlEncodedFormEntity is an HttpEntity, which will always become message payload).
You also forgot to set the content type of your message. Try this:
put.addHeader("Content-Type", "application/x-www-form-urlencoded").
Body parameters eligible for message signing MUST be declared as such, otherwise they will be ignored (Signpost cannot simply guess at what kind of data you're sending).
Original comment by m.kaepp...@gmail.com
on 23 Mar 2010 at 9:55
Adding this header didn't help. I'm still getting 401
Original comment by andrzej....@gmail.com
on 23 Mar 2010 at 12:48
Okay, that's odd. Can you start your app using the -Ddebug flag and send me its output plus the full stack trace please?
Meanwhile, please make absolutely sure that this is not a problem with the Blip API, or that you forgot to add provider specific parameters they expect (I often get bug reports which turn out to be simple misuse of the provider's service API, and it saves me a lot of time if people verify this upfront).
Thanks for your help!
Original comment by m.kaepp...@gmail.com
on 23 Mar 2010 at 1:03
Also, please inspect the response body, maybe Blip sends a reason XML in the response. You can do that by calling ex.getResponseBody() on the OAuthNotAuthorizedException (see http://kaeppler.github.com/signpost/signpost-core-apidocs/oauth/signpost/exception/OAuthNotAuthorizedException.html)
Original comment by m.kaepp...@gmail.com
on 23 Mar 2010 at 1:04
I don't get any exception while executing code, just get HttpResponse object with error status.
When I run attached code with -Ddebug option I get:
[SIGNPOST] SBS: PUT&http%3A%2F%2Fapi.blip.pl%2Fsubscriptions%2Ftestoauth2&oauth_consumer_key%3DpMAuh2BHaAnCtu3ITL57%26oauth_nonce%3D7213604546159868859%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1269416190%26oauth_token%3DzZwYMFTnKF7Pvk9XyEQ%26oauth_version%3D1.0%26subscription%25255Bim%25255D%3D%26subscription%25255Bwww%25255D%3D
[SIGNPOST] signature: +SGTuNJ7DHtDCVVDDjnbT8RiFgU=
[SIGNPOST] Auth header: OAuth oauth_token="zZwYMFTnKF7Pvk9XyEQ", oauth_consumer_key="pMAuh2BHaAnCtu3ITL57", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1269416190", oauth_nonce="7213604546159868859", oauth_signature="%2BSGTuNJ7DHtDCVVDDjnbT8RiFgU%3D"
[SIGNPOST] Request URL: http://api.blip.pl/subscriptions/testoauth2?subscription%5bwww%5D=1&subscription%5Bim%5D=0
2010-03-24 08:36:31 org.apache.http.impl.client.DefaultRequestDirector handleResponse
WARNING: Authentication error: Unable to respond to any of these challenges: {}
STATUS LINE:
HTTP/1.1 401 Authorization Required
RESPONSE BODY:
{"error":{"name":"unauthorized"}}
When I execute the same code (only with changed creation statement of OAuthConsumer) and use older version of signpost (1.1) the result is:
STATUS LINE:
HTTP/1.1 200 OK
RESPONSE BODY:
{}
(and no debugging information)
I assume it's not a problem with misuse of the API, because it works with the older version of the library, and with oauth-signpost-1.1 the operation takes effect in the service.
I also checked this operation using basic authorization (base64 encoded login and password) to check if I supply all needed parameters, and it also works.
Original comment by andrzej....@gmail.com
on 24 Mar 2010 at 7:45
okay thanks, I'll see if I can reproduce this
Original comment by m.kaepp...@gmail.com
on 25 Mar 2010 at 8:51
I am having a similar issue with PUT requests, but POST works.
I am getting 401: Unauthorized with an error saying the digital signature is wrong.
Here are the headers after the HTTP request is signed:
[Authorization: OAuth oauth_version="1.0",oauth_nonce="4926719761334",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="eb53904909d844bdad05bb74d26ad24b",oauth_token="yDWJePt2UryCuI%2BXYa9r5u8euaiYP8bDWUGQ%2BxjxDRUvERWmz4MRofz9G38qKrOjetXErT%2B9dkHqTKbiYw0mdKl7%2BtubivY35yZHX9WUjHQ%3D",oauth_timestamp="1273620454",oauth_signature="tv%2FgqEfA2ozH28xd1NFMFXi%2BeVQ%3D"]
Here is body content from Http Response
{"statusCode":"401","statusDescription":"Invalid digital signature for base string: \"PUT&http%3A%2F%2Fopensocial.myspace.com%2Froa%2F09%2Fstatusmood%2F%40me%2F%40self&oauth_consumer_key%3Deb53904909d844bdad05bb74d26ad24b%26oauth_nonce%3D4108835340688%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1273619636%26oauth_token%3DyDWJePt2UryCuI%2BXYa9r5u8euaiYP8bDWUGQ%2BxjxDRUvERWmz4MRofz9G38qKrOjetXErT%2B9dkHqTKbiYw0mdKl7%2BtubivY35yZHX9WUjHQ%3D%26oauth_version%3D1.0\""}
I'm using HttpPut from org.apache
HttpPut httpRequest = new HttpPut(mUrl);
StringEntity body = new StringEntity(mPostBody);
body.setContentType("application/x-www-form-urlencoded");
httpRequest.setEntity(body);
Original comment by nilesh.r...@gmail.com
on 12 May 2010 at 12:08
Has anybody found a way to get this working?
I'm trying to use OAuth and Put requests from an Android App, but no luck.
Normal requests work just fine. (yes, I'm using HttpPut, not the basic stuff)
I also tried using version 1.1 of the libraries, but that didn't work either. :(
Original comment by s...@google.com
on 15 Aug 2012 at 8:06
I have the same problems with HttpPut, post works fine. Almost same code as in
http://code.google.com/p/oauth-signpost/issues/detail?id=35#c7
This is not related to the HttpUrlConnection problem that it was reported as before.
signpost-core 1.2.1.2
signpost-commonshttp4-1.2.1.1
Tried different versions of signpost-core no change.
Original comment by anderswid@gmail.com
on 23 Sep 2012 at 5:12
I might have some more information about this issue.
OAuth 1.0 had an error/bug in the specification saying that for HTTP PUT/DELETE, HTTP body parameters shouldn't be signed. It was later fixed in newer versions of the specification, but some servers implemented it as it said.
Signpost will use all body parameters for signing if the Content-Type of the HttpEntity contains "application/x-www-form-urlencoded", which will be incorrect if the server doesn't expect them to be part of the signing, giving a 401 error (incorrect signature).
Using UrlEncodedFormEntity when setting the HTTP body parameters in your request will automatically set the Content-Type to the above. Instead, create the body string manually and use a StringEntity, which will not affect the Content-Type, and Signpost won't use the parameters when signing, leaving the server happy.
I don't think this is an issue of Signpost, but it could be handled with a flag somewhere in the signing procedure: signBodyParameters(boolean), defaults to true.
Original comment by anderswid@gmail.com
on 24 Sep 2012 at 2:44
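The mismatch described in the comment above, as an added example (not Signpost's code and not posted by anyone in this thread): a JDK-only construction of the OAuth 1.0 signature base string following RFC 5849, run once with the form-encoded PUT body included and once with it left out. The class name, host, keys, nonce and secrets are constructed placeholders, and the URL is assumed to be already normalized.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class BaseStringDemo { // hypothetical class name, not part of Signpost
    // RFC 3986 percent-encoding; URLEncoder differs for ' ', '*' and '~'.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Decode "k=v&k2=v2" pairs (query, form body or OAuth params) and re-encode each once.
    static void collect(String pairs, List<String[]> out) {
        if (pairs == null || pairs.isEmpty()) return;
        for (String pair : pairs.split("&")) {
            String[] kv = pair.split("=", 2);
            String v = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
            out.add(new String[] {enc(URLDecoder.decode(kv[0], StandardCharsets.UTF_8)), enc(v)});
        }
    }
    // formBody == null: entity left out of the signature. URL assumed already normalized.
    static String baseString(String method, String url, String oauth, String formBody) {
        int q = url.indexOf('?');
        List<String[]> params = new ArrayList<>();
        collect(oauth, params);
        collect(q < 0 ? null : url.substring(q + 1), params);
        collect(formBody, params);
        params.sort(Comparator.comparing((String[] p) -> p[0]).thenComparing(p -> p[1]));
        StringJoiner joined = new StringJoiner("&");
        for (String[] p : params) joined.add(p[0] + "=" + p[1]);
        return method + "&" + enc(q < 0 ? url : url.substring(0, q)) + "&" + enc(joined.toString());
    }
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        String url = "http://api.example.test/subscriptions/demo"; // constructed sample request
        String oauth = "oauth_consumer_key=ck&oauth_nonce=n1&oauth_signature_method=HMAC-SHA1"
                + "&oauth_timestamp=1300000000&oauth_token=tk&oauth_version=1.0";
        String body = "subscription%5Bwww%5D=1&subscription%5Bim%5D=0";
        for (String signedBody : new String[] {body, null}) {
            String base = baseString("PUT", url, oauth, signedBody);
            System.out.println(base + "\n  signature: " + sign(base, "cs", "ts"));
        }
    }
}
```

The two base strings differ only in the body parameters, so a client and server that disagree on whether the PUT entity is signed compute different HMACs, and the server answers 401.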
Original issue reported on code.google.com by
andrzej....@gmail.com
on 23 Mar 2010 at 7:43