org.apache.shindig.gadgets.oauth
Class OAuthRequest

java.lang.Object
  extended by org.apache.shindig.gadgets.oauth.OAuthRequest

public class OAuthRequest
extends Object

Implements both signed fetch and full OAuth for gadgets, as well as a combination of the two that is necessary to build OAuth enabled gadgets for social sites. Signed fetch sticks identity information in the query string, signed either with the container's private key, or else with a secret shared between the container and the gadget. Full OAuth redirects the user to the OAuth service provider site to obtain the user's permission to access their data. Read the example in the appendix to the OAuth spec for a summary of how this works (The spec is at http://oauth.net/core/1.0/). The combination protocol works by sending identity information in all requests, and allows the OAuth dance to happen as well when owner == viewer (by default) or for any viewer when the OAuthFetcherConfig#isViewerAccessTokensEnabled parameter is true. This lets OAuth service providers build up an identity mapping from ids on social network sites to their own local ids.


Field Summary
protected AccessorInfo accessorInfo
          The accessor we use for signing messages.
protected Map<String,String> accessTokenData
          Data returned along with the OAuth access token; null if this is not an access token request.
protected static Pattern ALLOWED_PARAM_NAME
protected OAuthClientState clientState
          State information from the client.
protected OAuthFetcherConfig fetcherConfig
          Configuration options for the fetcher.
protected static String OPENSOCIAL_APPID
protected static String OPENSOCIAL_APPURL
protected static String OPENSOCIAL_INSTANCE_ID
protected static String OPENSOCIAL_OWNERID
protected static String OPENSOCIAL_PROXIED_CONTENT
protected static String OPENSOCIAL_VIEWERID
protected HttpRequest realRequest
          The request the client really wants to make.
protected OAuthResponseParams responseParams
          OAuth-specific data to include in the response.
static String XOAUTH_APP_URL
protected static String XOAUTH_PUBLIC_KEY_NEW
protected static String XOAUTH_PUBLIC_KEY_OLD
 
Constructor Summary
OAuthRequest(OAuthFetcherConfig fetcherConfig, HttpFetcher fetcher)
OAuthRequest(OAuthFetcherConfig fetcherConfig, HttpFetcher fetcher, List<net.oauth.OAuth.Parameter> trustedParams)
 
Method Summary
protected boolean allowParam(String paramName)
HttpResponse fetch(HttpRequest request)
          OAuth authenticated fetch.
protected static boolean isContainerInjectedParameter(String key)
HttpRequest sanitizeAndSign(HttpRequest base, List<net.oauth.OAuth.Parameter> params, boolean tokenEndpoint)
          Start with an HttpRequest, reject injected parameters, sign it and return the signed request.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

XOAUTH_APP_URL

public static final String XOAUTH_APP_URL
See Also:
Constant Field Values

OPENSOCIAL_OWNERID

protected static final String OPENSOCIAL_OWNERID
See Also:
Constant Field Values

OPENSOCIAL_VIEWERID

protected static final String OPENSOCIAL_VIEWERID
See Also:
Constant Field Values

OPENSOCIAL_APPID

protected static final String OPENSOCIAL_APPID
See Also:
Constant Field Values

OPENSOCIAL_INSTANCE_ID

protected static final String OPENSOCIAL_INSTANCE_ID
See Also:
Constant Field Values

OPENSOCIAL_APPURL

protected static final String OPENSOCIAL_APPURL
See Also:
Constant Field Values

OPENSOCIAL_PROXIED_CONTENT

protected static final String OPENSOCIAL_PROXIED_CONTENT
See Also:
Constant Field Values

XOAUTH_PUBLIC_KEY_OLD

protected static final String XOAUTH_PUBLIC_KEY_OLD
See Also:
Constant Field Values

XOAUTH_PUBLIC_KEY_NEW

protected static final String XOAUTH_PUBLIC_KEY_NEW
See Also:
Constant Field Values

ALLOWED_PARAM_NAME

protected static final Pattern ALLOWED_PARAM_NAME

fetcherConfig

protected final OAuthFetcherConfig fetcherConfig
Configuration options for the fetcher.


clientState

protected OAuthClientState clientState
State information from the client.


responseParams

protected OAuthResponseParams responseParams
OAuth-specific data to include in the response.


accessorInfo

protected AccessorInfo accessorInfo
The accessor we use for signing messages. This also holds metadata about the service provider, such as their URLs and the keys we use to access those URLs.


realRequest

protected HttpRequest realRequest
The request the client really wants to make.


accessTokenData

protected Map<String,String> accessTokenData
Data returned along with the OAuth access token; null if this is not an access token request.

Constructor Detail

OAuthRequest

public OAuthRequest(OAuthFetcherConfig fetcherConfig,
                    HttpFetcher fetcher)
Parameters:
fetcherConfig - configuration options for the fetcher
fetcher - fetcher to use for actually making requests

OAuthRequest

public OAuthRequest(OAuthFetcherConfig fetcherConfig,
                    HttpFetcher fetcher,
                    List<net.oauth.OAuth.Parameter> trustedParams)
Parameters:
fetcherConfig - configuration options for the fetcher
fetcher - fetcher to use for actually making requests
trustedParams - additional parameters to include in all outgoing OAuth requests, useful for client data that can't be pulled from the security token but is still trustworthy.
Method Detail

fetch

public HttpResponse fetch(HttpRequest request)
OAuth authenticated fetch.


allowParam

protected boolean allowParam(String paramName)

sanitizeAndSign

public HttpRequest sanitizeAndSign(HttpRequest base,
                                   List<net.oauth.OAuth.Parameter> params,
                                   boolean tokenEndpoint)
                            throws OAuthRequestException
Starts with an HttpRequest. Throws if the query contains any attacks, and throws if the post body contains any attacks. Builds up the OAuth parameter list, signs it, adds the OAuth parameters to a new request and sends it.

Throws:
OAuthRequestException
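As an added illustration (not Shindig's code) of the signed-fetch path described in the class overview and of the sanitize-then-sign steps of sanitizeAndSign: the container refuses client-supplied parameters that impersonate container-injected ones, appends the owner and viewer ids, and signs the request with OAuth 1.0 HMAC-SHA1 over the container/gadget shared secret; the service provider recomputes the signature and compares it in constant time. The ALLOWED_PARAM_NAME pattern, the oauth/xoauth/opensocial prefix check, the opensocial_* parameter names and the secret are assumptions.

```python
import base64, hashlib, hmac, re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed illustration of OpenSocial signed fetch (not Shindig's code): the container
# rejects client params that impersonate injected ones, adds owner/viewer identity, signs
# with OAuth 1.0 HMAC-SHA1; the provider verifies. Pattern, prefix check, names: assumed.
ALLOWED_PARAM_NAME = re.compile(r"^[-:\w~!@$*()_+=,.]+$")
SHARED_SECRET = "constructed-container-gadget-secret"

def is_container_injected(name):
    """Names reserved to the container: oauth_*, xoauth_*, opensocial_*."""
    return name.lower().startswith(("oauth", "xoauth", "opensocial"))

def sanitize(params):
    """The 'attacks in the query' check: refuse names the gadget may not set."""
    for name, _ in params:
        if not ALLOWED_PARAM_NAME.match(name) or is_container_injected(name):
            raise ValueError("client may not supply parameter %r" % name)
    return list(params)

def pct(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0 percent-encoding (RFC 3986 unreserved)

def base_string(method, url, params):
    """OAuth 1.0 signature base string: METHOD & base URL & normalized params."""
    u = urlsplit(url)
    base_url = "%s://%s%s" % (u.scheme.lower(), u.netloc.lower(), u.path)
    norm = "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def hmac_sha1(method, url, params, secret):
    key = ("%s&" % pct(secret)).encode()  # signed fetch carries no token secret
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_fetch(method, url, owner, viewer, app_id, nonce, ts, secret=SHARED_SECRET):
    """Container side: sanitize the gadget's query, inject identity, sign."""
    params = sanitize(parse_qsl(urlsplit(url).query))
    params += [("opensocial_owner_id", owner), ("opensocial_viewer_id", viewer),
               ("opensocial_app_id", app_id), ("oauth_consumer_key", app_id),
               ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(ts)),
               ("oauth_nonce", nonce), ("oauth_version", "1.0")]
    return params + [("oauth_signature", hmac_sha1(method, url, params, secret))]

def verify_fetch(method, url, params, secret=SHARED_SECRET):
    """Service-provider side: recompute the signature and compare in constant time."""
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    sent = dict(params).get("oauth_signature", "")
    return hmac.compare_digest(sent, hmac_sha1(method, url, unsigned, secret))
```

A real verifier would additionally check the timestamp window and nonce uniqueness before accepting a signature that validates.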

isContainerInjectedParameter

protected static boolean isContainerInjectedParameter(String key)


Copyright © 2007-2012. All Rights Reserved.