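/*
 * Copyright 2008 Google, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package net.oauth;

import java.io.IOException;
import java.net.URISyntaxException;
import net.oauth.signature.OAuthSignatureMethod;

/**
 * A simple OAuthValidator, which checks the version, whether the timestamp
 * is close to now and the signature is valid. Each check may be overridden.
 * <p>
 * The nonce is required to be present but its value is not recorded or
 * compared against earlier messages, so this class on its own does not
 * detect a message that is replayed inside the timestamp window. Override
 * {@link #validateTimestampAndNonce} to add nonce tracking when that matters.
 *
 * @author Dirk Balfanz
 * @author John Kristian
 * @hide
 */
public class SimpleOAuthValidator implements OAuthValidator {

    /** Default window for timestamps: 5 minutes, expressed in milliseconds. */
    public static final long DEFAULT_TIMESTAMP_WINDOW = 5 * 60 * 1000L;

    /**
     * Construct a validator that rejects messages more than five minutes out
     * of date, or with an OAuth version other than 1.0, or with an invalid
     * signature.
     */
    public SimpleOAuthValidator() {
        this(DEFAULT_TIMESTAMP_WINDOW, Double.parseDouble(OAuth.VERSION_1_0));
    }

    /**
     * Public constructor.
     *
     * @param timestampWindowMsec
     *            specifies, in milliseconds, the window (into the past and
     *            into the future) in which we'll accept timestamps. It is
     *            compared against {@link #currentTimeMsec()}, so the unit
     *            must be milliseconds, not seconds.
     * @param maxVersion
     *            the maximum acceptable oauth_version
     */
    public SimpleOAuthValidator(long timestampWindowMsec, double maxVersion) {
        this.timestampWindow = timestampWindowMsec;
        this.maxVersion = maxVersion;
    }

    /** Lowest oauth_version accepted by {@link #validateVersion}. */
    protected final double minVersion = 1.0;
    /** Highest oauth_version accepted by {@link #validateVersion}. */
    protected final double maxVersion;
    /** Accepted distance, in milliseconds, between the message timestamp and now. */
    protected final long timestampWindow;

    /**
     * {@inheritDoc}
     * <p>
     * Runs the version, timestamp/nonce and signature checks in that order;
     * the first failing check throws and the later ones are not run.
     *
     * @throws URISyntaxException
     *             if the signature check cannot reconstruct the request URL
     */
    public void validateMessage(OAuthMessage message, OAuthAccessor accessor)
            throws OAuthException, IOException, URISyntaxException {
        validateVersion(message);
        validateTimestampAndNonce(message);
        validateSignature(message, accessor);
    }

    /**
     * Reject the message if it carries an oauth_version outside
     * [minVersion, maxVersion]. A message without oauth_version is accepted.
     *
     * @throws OAuthProblemException
     *             with problem "version_rejected" when the value is out of
     *             range or is not a number
     */
    protected void validateVersion(OAuthMessage message)
            throws OAuthException, IOException {
        String versionString = message.getParameter(OAuth.OAUTH_VERSION);
        if (versionString == null) {
            return;
        }
        double version;
        try {
            version = Double.parseDouble(versionString);
        } catch (NumberFormatException e) {
            // A malformed value supplied by the client is a protocol problem to
            // report, not an unchecked exception to propagate as a server error.
            throw versionRejected();
        }
        // NaN compares false against both bounds, so it has to be rejected
        // explicitly or "NaN" would slip through the range check.
        if (Double.isNaN(version) || version < minVersion || maxVersion < version) {
            throw versionRejected();
        }
    }

    /** Build the "version_rejected" problem, naming the acceptable range. */
    private OAuthProblemException versionRejected() {
        OAuthProblemException problem = new OAuthProblemException("version_rejected");
        problem.setParameter("oauth_acceptable_versions", minVersion + "-" + maxVersion);
        return problem;
    }

    /**
     * Require oauth_timestamp and oauth_nonce, and reject the message if its
     * timestamp is more than {@link #timestampWindow} away from now.
     * <p>
     * This implementation doesn't check the nonce value; it only requires the
     * parameter to be present.
     *
     * @throws OAuthProblemException
     *             with problem "timestamp_refused" when the timestamp is
     *             outside the window or is not a usable number
     */
    protected void validateTimestampAndNonce(OAuthMessage message)
            throws IOException, OAuthProblemException {
        message.requireParameters(OAuth.OAUTH_TIMESTAMP, OAuth.OAUTH_NONCE);
        long now = currentTimeMsec();
        long min = now - timestampWindow;
        long max = now + timestampWindow;
        long timestampSec;
        try {
            timestampSec = Long.parseLong(message.getParameter(OAuth.OAUTH_TIMESTAMP));
        } catch (NumberFormatException e) {
            // Malformed client input is reported as a protocol problem.
            throw timestampRefused(min, max);
        }
        // oauth_timestamp is in seconds while 'now' is in milliseconds. Guard
        // the conversion so an oversized value cannot wrap around and land
        // inside the acceptable window.
        if (timestampSec > Long.MAX_VALUE / 1000L || timestampSec < Long.MIN_VALUE / 1000L) {
            throw timestampRefused(min, max);
        }
        long timestamp = timestampSec * 1000L;
        if (timestamp < min || max < timestamp) {
            throw timestampRefused(min, max);
        }
    }

    /** Build the "timestamp_refused" problem, naming the acceptable range in msec. */
    private OAuthProblemException timestampRefused(long min, long max) {
        OAuthProblemException problem = new OAuthProblemException("timestamp_refused");
        problem.setParameter("oauth_acceptable_timestamps", min + "-" + max);
        return problem;
    }

    /**
     * Require the consumer key, signature method and signature, then verify the
     * signature with the signer selected for this message and accessor.
     */
    protected void validateSignature(OAuthMessage message, OAuthAccessor accessor)
            throws OAuthException, IOException, URISyntaxException {
        message.requireParameters(OAuth.OAUTH_CONSUMER_KEY,
                OAuth.OAUTH_SIGNATURE_METHOD, OAuth.OAUTH_SIGNATURE);
        OAuthSignatureMethod.newSigner(message, accessor).validate(message);
    }

    /**
     * The current time in milliseconds since the epoch. Overridable so tests
     * can supply a fixed clock.
     */
    protected long currentTimeMsec() {
        return System.currentTimeMillis();
    }
}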