net.oauth
Class SimpleOAuthValidator

java.lang.Object
  extended by net.oauth.SimpleOAuthValidator
All Implemented Interfaces:
OAuthValidator

public class SimpleOAuthValidator
extends java.lang.Object
implements OAuthValidator

A simple OAuthValidator, which checks the version, and whether the timestamp is close to now, the nonce hasn't been used before and the signature is valid. Each check may be overridden.

This implementation is less than industrial strength:

For a big service provider, it might be better to store used nonces in a database.

Author:
Dirk Balfanz, John Kristian

Field Summary
static long DEFAULT_MAX_TIMESTAMP_AGE
          The default maximum age of timestamps is 5 minutes.
static long DEFAULT_TIMESTAMP_WINDOW
           
protected  long maxTimestampAgeMsec
           
protected  double maxVersion
           
protected  double minVersion
           
static java.util.Set<java.lang.String> SINGLE_PARAMETERS
          Names of parameters that may not appear twice in a valid message.
 
Constructor Summary
SimpleOAuthValidator()
          Construct a validator that rejects messages more than five minutes old or with an OAuth version other than 1.0.
SimpleOAuthValidator(long maxTimestampAgeMsec, double maxVersion)
          Public constructor.
 
Method Summary
protected  void checkSingleParameters(OAuthMessage message)
          Throw an exception if any SINGLE_PARAMETERS occur repeatedly.
protected  long currentTimeMsec()
          Get the number of milliseconds since midnight, January 1, 1970 UTC.
 java.util.Date releaseGarbage()
          Allow objects that are no longer useful to become garbage.
 void validateMessage(OAuthMessage message, OAuthAccessor accessor)
          
protected  java.util.Date validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)
          Throw an exception if the nonce has been validated previously.
protected  void validateSignature(OAuthMessage message, OAuthAccessor accessor)
           
protected  void validateTimestamp(OAuthMessage message, long timestamp, long currentTimeMsec)
          Throw an exception if the timestamp [sec] is out of range.
protected  void validateTimestampAndNonce(OAuthMessage message)
          Throw an exception if the timestamp is out of range or the nonce has been validated previously.
protected  void validateVersion(OAuthMessage message)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_MAX_TIMESTAMP_AGE

public static final long DEFAULT_MAX_TIMESTAMP_AGE
The default maximum age of timestamps is 5 minutes.

See Also:
Constant Field Values

DEFAULT_TIMESTAMP_WINDOW

public static final long DEFAULT_TIMESTAMP_WINDOW
See Also:
Constant Field Values

SINGLE_PARAMETERS

public static final java.util.Set<java.lang.String> SINGLE_PARAMETERS
Names of parameters that may not appear twice in a valid message. This limitation is specified by OAuth Core section 5.


minVersion

protected final double minVersion
See Also:
Constant Field Values

maxVersion

protected final double maxVersion

maxTimestampAgeMsec

protected final long maxTimestampAgeMsec

Constructor Detail

SimpleOAuthValidator

public SimpleOAuthValidator()
Construct a validator that rejects messages more than five minutes old or with an OAuth version other than 1.0.


SimpleOAuthValidator

public SimpleOAuthValidator(long maxTimestampAgeMsec,
                            double maxVersion)
Public constructor.

Parameters:
maxTimestampAgeMsec - the range of valid timestamps, in milliseconds into the past or future. So the total range of valid timestamps is twice this value, rounded to the nearest second.
maxVersion - the maximum valid oauth_version

Method Detail

releaseGarbage

public java.util.Date releaseGarbage()
Allow objects that are no longer useful to become garbage.

Returns:
the earliest point in time at which another call will release some garbage, or null to indicate there's nothing currently stored that will become garbage in future. This value may change each time releaseGarbage or validateNonce is called.
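
Added example (not part of the net.oauth library): a background task that uses the Date returned by releaseGarbage to decide when to call it next. The class name NonceGarbageCollector and the one-minute cap are assumptions, as is calling releaseGarbage from a thread other than the one validating requests.

```java
import java.util.Date;
import java.util.concurrent.Executors;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import net.oauth.SimpleOAuthValidator;

/** Added example: bound the memory held for used nonces by sweeping on a schedule. */
public class NonceGarbageCollector {
    // Assumption: never wait longer than this between sweeps. The returned
    // Date may change whenever validateNonce runs, so it is only a hint.
    private static final long MAX_DELAY_MSEC = 60_000L;
    private static final long MIN_DELAY_MSEC = 1_000L;

    private final SimpleOAuthValidator validator;
    private final ScheduledExecutorService scheduler =
            Executors.newSingleThreadScheduledExecutor();

    public NonceGarbageCollector(SimpleOAuthValidator validator) {
        this.validator = validator;
    }

    public void start() {
        scheduler.execute(this::sweep);
    }

    public void stop() {
        scheduler.shutdownNow();
    }

    private void sweep() {
        long delayMsec = MAX_DELAY_MSEC; // used when releaseGarbage returns null
        try {
            Date next = validator.releaseGarbage();
            if (next != null) {
                long untilNext = next.getTime() - System.currentTimeMillis();
                delayMsec = Math.min(MAX_DELAY_MSEC, Math.max(MIN_DELAY_MSEC, untilNext));
            }
        } finally {
            try {
                scheduler.schedule(this::sweep, delayMsec, TimeUnit.MILLISECONDS);
            } catch (RejectedExecutionException stopped) {
                // stop() was called; no further sweeps are needed
            }
        }
    }
}
```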

validateMessage

public void validateMessage(OAuthMessage message,
                            OAuthAccessor accessor)
                     throws OAuthException,
                            java.io.IOException,
                            java.net.URISyntaxException

Specified by:
validateMessage in interface OAuthValidator
Throws:
java.net.URISyntaxException
OAuthException - the message doesn't conform to OAuth. The exception contains information that conforms to the OAuth Problem Reporting extension.
java.io.IOException - the message couldn't be read.

checkSingleParameters

protected void checkSingleParameters(OAuthMessage message)
                              throws java.io.IOException,
                                     OAuthException
Throw an exception if any SINGLE_PARAMETERS occur repeatedly.

Throws:
java.io.IOException
OAuthException

validateVersion

protected void validateVersion(OAuthMessage message)
                        throws OAuthException,
                               java.io.IOException
Throws:
OAuthException
java.io.IOException

validateTimestampAndNonce

protected void validateTimestampAndNonce(OAuthMessage message)
                                  throws java.io.IOException,
                                         OAuthProblemException
Throw an exception if the timestamp is out of range or the nonce has been validated previously.

Throws:
java.io.IOException
OAuthProblemException

validateTimestamp

protected void validateTimestamp(OAuthMessage message,
                                 long timestamp,
                                 long currentTimeMsec)
                          throws java.io.IOException,
                                 OAuthProblemException
Throw an exception if the timestamp [sec] is out of range.

Throws:
java.io.IOException
OAuthProblemException

validateNonce

protected java.util.Date validateNonce(OAuthMessage message,
                                       long timestamp,
                                       long currentTimeMsec)
                                throws java.io.IOException,
                                       OAuthProblemException
Throw an exception if the nonce has been validated previously.

Returns:
the earliest point in time at which a call to releaseGarbage will actually release some garbage, or null to indicate there's nothing currently stored that will become garbage in future.
Throws:
java.io.IOException
OAuthProblemException
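
Added example (not part of the net.oauth library): one way to override validateNonce so that used nonces are kept in a store shared by every server process, as the class description suggests for a big service provider. The NonceStore interface and the class name SharedNonceValidator are hypothetical; the example assumes the store can insert a key atomically, for instance through a unique index.

```java
import java.io.IOException;
import java.util.Date;

import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.SimpleOAuthValidator;

/** Added example: nonce check backed by a store shared by all server processes. */
public class SharedNonceValidator extends SimpleOAuthValidator {

    /** Hypothetical interface (not part of net.oauth), e.g. a table with a unique key. */
    public interface NonceStore {
        /** Atomically record key; false if already present. May be purged after expiresAtMsec. */
        boolean putIfAbsent(String key, long expiresAtMsec) throws IOException;
    }

    private final NonceStore store;

    public SharedNonceValidator(NonceStore store) {
        super(); // defaults: five-minute timestamp range, OAuth version 1.0
        this.store = store;
    }

    @Override
    protected Date validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)
            throws IOException, OAuthProblemException {
        // A nonce only has to be unique per consumer, token and timestamp,
        // so all four values form the key. Each part is length-prefixed so
        // that two different tuples can never produce the same string; an
        // absent part (such as the token on a request-token call) gets -1.
        StringBuilder key = new StringBuilder();
        for (String part : new String[] { message.getConsumerKey(), message.getToken(),
                Long.toString(timestamp), message.getParameter(OAuth.OAUTH_NONCE) }) {
            key.append(part == null ? -1 : part.length()).append(':').append(part).append('|');
        }
        // The timestamp is in seconds. Once it is older than maxTimestampAgeMsec the
        // timestamp check rejects any replay, so the record may expire then. One
        // extra second covers the rounding of the range to whole seconds.
        long expiresAtMsec = timestamp * 1000L + maxTimestampAgeMsec + 1000L;
        if (!store.putIfAbsent(key.toString(), expiresAtMsec)) {
            throw new OAuthProblemException(OAuth.Problems.NONCE_USED);
        }
        return null; // nothing is held in this object for releaseGarbage to free
    }
}
```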

validateSignature

protected void validateSignature(OAuthMessage message,
                                 OAuthAccessor accessor)
                          throws OAuthException,
                                 java.io.IOException,
                                 java.net.URISyntaxException
Throws:
OAuthException
java.io.IOException
java.net.URISyntaxException

currentTimeMsec

protected long currentTimeMsec()
Get the number of milliseconds since midnight, January 1, 1970 UTC.



Copyright © 2009. All Rights Reserved.