liaolzy / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

JAVA library: Custom parameter placement #98

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Try to supply a custom parameter in the HTTP header, e.g. like this:

Map<String, String> p = new HashMap<String, String>();
p.put( "X-somekey", "somevalue" );
request = accessor.newRequestMessage( OAuthMessage.DELETE, url, p.entrySet() );
response = client.invoke( request, ParameterStyle.AUTHORIZATION_HEADER );

What is the expected output? What do you see instead?
Expected: Parameters are put into the HTTP header
Instead: Parameters are put into the GET string

What version of the product are you using? On what operating system?
r958 on Linux

Please provide any additional information below.
I think it would be best if one could set parameters (which are sent as
GET/POST values) and additional headers separately. I can see no reason why
it should not be possible to use custom HTTP headers while OAuth uses its
own HTTP headers at the same time.

Background: We are using this library for a RESTful API, where GET
parameters are inappropriate, and HTTP headers should be used instead. As a
workaround, we have made our server accept GET or POST parameters, but that
should remain a temporary solution.

Original issue reported on code.google.com by gubler.d...@gmail.com on 15 Apr 2009 at 10:01

GoogleCodeExporter commented 9 years ago

Original comment by morten.f...@gmail.com on 16 May 2009 at 2:54

GoogleCodeExporter commented 9 years ago
You can set parameters and headers separately.  You can change the given 
example to:

request = accessor.newRequestMessage(OAuthMessage.DELETE, url, null);
request.getHeaders().addAll(p.entrySet()); // HTTP request headers
response = ... (as above)

Warning: HTTP request headers aren't signed; that is, the headers aren't 
included in 
the OAuth Signature Base String.  So, they're vulnerable to tampering.

ParameterStyle.AUTHORIZATION_HEADER is designed for a different purpose; that 
is to 
send the OAuth parameters in an HTTP request header named 'Authorization', as 
specified in OAuth Core section 5.4.1 (Authorization Header).

Original comment by jmkrist...@gmail.com on 29 May 2009 at 4:55