From c961594d1b9221db6851a2e3e331d1e4aa05628d Mon Sep 17 00:00:00 2001
From: pastith
Date: Tue, 24 Mar 2009 13:42:11 +0000
Subject: [PATCH] Avoid signature mismatch issues by using the request URI as sent by the client, before the container gets a chance to tinker with it.
---
 .../gr/ebs/gss/client/rest/AbstractRestCommand.java | 18 ++++++++----------
 gss/src/gr/ebs/gss/server/rest/FilesHandler.java | 12 ++++++++++--
 gss/src/gr/ebs/gss/server/rest/RequestHandler.java | 11 +++++------
 gss/test/rest-api-test.html | 6 +++---
 4 files changed, 26 insertions(+), 21 deletions(-)
diff --git a/gss/src/gr/ebs/gss/client/rest/AbstractRestCommand.java b/gss/src/gr/ebs/gss/client/rest/AbstractRestCommand.java
index eff2d96..557af0f 100644
--- a/gss/src/gr/ebs/gss/client/rest/AbstractRestCommand.java
+++ b/gss/src/gr/ebs/gss/client/rest/AbstractRestCommand.java
@@ -59,17 +59,15 @@ public abstract class AbstractRestCommand implements IncrementalCommand{
 public static native String getDate()/*-{
 return (new Date()).toUTCString();
 }-*/;
- //return $wnd.sayHello(method,date,resource,token);
- public static native String calculateSig(String method, String date, String resource, String token)/*-{
- $wnd.b64pad = "=";
- var resource2 = decodeURI(resource);
- var q = resource2.indexOf('?');
- var res = q == -1? resource2: resource2.substring(0, q);
- var data = method + date + encodeURIComponent(decodeURIComponent(res));
- var sig = $wnd.b64_hmac_sha1(token, data);
- return sig;
-}-*/;
+ public static native String calculateSig(String method, String date, String resource, String token)/*-{
+ $wnd.b64pad = "=";
+ var q = resource.indexOf('?');
+ var res = q == -1? resource: resource.substring(0, q);
+ var data = method + date + res;
+ var sig = $wnd.b64_hmac_sha1(token, data);
+ return sig;
+ }-*/;
 public static native String base64decode(String encStr)/*-{
 if (typeof atob === 'function') {
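Review bot: The rewritten calculateSig now hashes `resource` byte-for-byte (minus anything after `?`), while the server side in this same commit compares against the raw `getRequestURI()` with the context and servlet path removed, so the method silently depends on callers passing the path in exactly the percent-encoded form the browser will put on the request line; nothing in the hunk states that contract. A Javadoc on the method should say so, e.g. `/** Computes the HMAC-SHA1 signature over method + date + resource path. resource must be the already-encoded path relative to the REST servlet, exactly as it will appear on the request line; anything after '?' is dropped and is therefore not covered by the signature. */`. The query-string exclusion is unchanged from the old code, but it is worth stating in the same comment so nobody assumes parameters are integrity-protected.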
diff --git a/gss/src/gr/ebs/gss/server/rest/FilesHandler.java b/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
index 21310a2..e269d68 100644
--- a/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
+++ b/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
@@ -246,8 +246,12 @@ public class FilesHandler extends RequestHandler {
 }
 req.setAttribute(USER_ATTRIBUTE, user);
+ // Remove the servlet path from the request URI.
+ String p = req.getRequestURI();
+ String servletPath = req.getContextPath() + req.getServletPath();
+ p = p.substring(servletPath.length());
 // Validate the signature in the Authorization parameter.
- String data = req.getMethod() + dateParam + URLEncoder.encode(req.getPathInfo(), "UTF-8");
+ String data = req.getMethod() + dateParam + p;
 if (!isSignatureValid(signature, user, data)) {
 resp.sendError(HttpServletResponse.SC_FORBIDDEN);
 return;
@@ -761,8 +765,12 @@ public class FilesHandler extends RequestHandler {
 }
 request.setAttribute(USER_ATTRIBUTE, user);
+ // Remove the servlet path from the request URI.
+ String p = request.getRequestURI();
+ String servletPath = request.getContextPath() + request.getServletPath();
+ p = p.substring(servletPath.length());
 // Validate the signature in the Authorization parameter.
- String data = request.getMethod() + dateParam + URLEncoder.encode(request.getPathInfo(), "UTF-8");
+ String data = request.getMethod() + dateParam + p;
 if (!isSignatureValid(signature, user, data)) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN);
 return;
diff --git a/gss/src/gr/ebs/gss/server/rest/RequestHandler.java b/gss/src/gr/ebs/gss/server/rest/RequestHandler.java
index 96bc2a5..74324ad 100644
--- a/gss/src/gr/ebs/gss/server/rest/RequestHandler.java
+++ b/gss/src/gr/ebs/gss/server/rest/RequestHandler.java
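Review bot: `p = p.substring(servletPath.length());` on the added lines assumes the raw request URI starts with `getContextPath() + getServletPath()`; getRequestURI() is returned undecoded while the servlet path is decoded, so a request that percent-encodes a character inside those prefix segments would have a different length here and either cut the signed string at the wrong place or throw StringIndexOutOfBoundsException out of the handler instead of producing a clean 403. A startsWith guard that rejects the request keeps the failure explicit. The same four lines are repeated in the second FilesHandler hunk (@@ -761) and in RequestHandler (@@ -605); since FilesHandler extends RequestHandler, one guarded helper in the base class would cover all three call sites. Both enclosing handler methods start and end outside the hunk.
```java
// Remove the servlet path from the request URI.
String p = req.getRequestURI();
String servletPath = req.getContextPath() + req.getServletPath();
if (!p.startsWith(servletPath)) {
    // Prefix does not match what the container resolved; refuse rather than sign a truncated string.
    resp.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
p = p.substring(servletPath.length());
// … unchanged: signature validation …
```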
@@ -31,7 +31,6 @@ import java.io.IOException;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
 import java.util.Calendar;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -605,11 +604,11 @@ public class RequestHandler extends Webdav {
 String dateHeader = useGssDateHeader? request.getHeader(GSS_DATE_HEADER): request.getHeader(DATE_HEADER);
 String data;
- try {
- data = request.getMethod() + dateHeader + URLEncoder.encode(request.getPathInfo(), "UTF-8");
- } catch (UnsupportedEncodingException e) {
- throw new RuntimeException(e);
- }
+ // Remove the servlet path from the request URI.
+ String p = request.getRequestURI();
+ String servletPath = request.getContextPath() + request.getServletPath();
+ p = p.substring(servletPath.length());
+ data = request.getMethod() + dateHeader + p;
 return isSignatureValid(signature, user, data);
 }
diff --git a/gss/test/rest-api-test.html b/gss/test/rest-api-test.html
index 1db8ebb..91bc472 100644
--- a/gss/test/rest-api-test.html
+++ b/gss/test/rest-api-test.html
@@ -9,7 +9,7 @@ function send() {
 // Use strict RFC compliance
 b64pad = "=";
- var resource = decodeURI(document.getElementById("resource").value);
+ var resource = document.getElementById("resource").value;
 var user = document.getElementById("user").value;
 var token = document.getElementById("token").value;
 var method = document.getElementById("method").value;
@@ -23,7 +23,7 @@ function send() {
 var now = (new Date()).toUTCString();
 var q = resource.indexOf('?');
 var res = q == -1? resource: resource.substring(0, q);
- var data = method + now + encodeURIComponent(decodeURIComponent(res));
+ var data = method + now + res;
 var sig = b64_hmac_sha1(atob(token), data);
 if (form) params = form;
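Review bot: In the @@ -605 hunk `String data;` stays as a bare declaration and is assigned unconditionally on the added `data = request.getMethod() + dateHeader + p;`; the split only existed to let the removed try/catch assign it, so `String data = request.getMethod() + dateHeader + p;` reads better and lets the variable be final. The removed block was the only visible user of UnsupportedEncodingException, yet its import survives in the @@ -31 hunk; if nothing else in RequestHandler references it, that import should go with the URLEncoder one. The enclosing method starts outside the hunk.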
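Review bot: With decodeURI dropped from the `var resource` line (@@ -9), the text typed into the resource field is hashed verbatim in the `var data` line (@@ -23), so the page now only yields a valid signature when that field already holds the percent-encoded path exactly as it will appear on the request line; a space or non-ASCII character typed in raw will typically be escaped by the browser on the wire but not in the signed string. A comment beside the field read, e.g. `// resource must be the already-encoded path relative to the REST servlet, byte-for-byte as sent`, would save the next person a signature-mismatch hunt. send() continues past the hunk.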
@@ -35,7 +35,7 @@ function send() {
 var formdate = document.getElementById('formdate');
 var formauth = document.getElementById('formauth');
 res = resource+formfile.value;
- data = 'POST' + now + encodeURIComponent(decodeURIComponent(res));
+ data = 'POST' + now + encodeURI(decodeURI(res));
 sig = b64_hmac_sha1(atob(token), data);
 formauth.value = user + " " + sig;
 formdate.value = now;
-- 
1.7.10.4
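Review bot: The form-upload branch now signs `encodeURI(decodeURI(res))` while the other branch of send() (@@ -23) and AbstractRestCommand.calculateSig sign the resource string untouched, so the two client paths apply different rules to the same server-side check. If the form's action URL is built from the raw `res` (that code is outside the hunk), the normalised string hashed here can differ from what the browser actually sends whenever `resource+formfile.value` contains a character encodeURI rewrites; either sign the exact string used as the action or build the action from the normalised one, and record which in a comment, e.g. `// must match the form action byte-for-byte: the server signs the raw request URI`. encodeURI also leaves `?` and `#` unescaped, so a file name containing them would likely be cut at that point by the query-string handling on both sides.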