It's all about the answers!

Ask a question

OAuth access programatically to Doors/DWA


Jose Miguel Ordax Cassa (2.4k2126100) | asked Nov 23 '12, 8:16 a.m.
Hi, I am trying to invoke an OSLC service from Doors but I need OAuth dance before.
I get the Token successfully from: /dwa/oauth-request-token and I get an authorization URL from /dwa/oauth-authorize-token but the problem is that the URL I get:

/dwa/oauth?oauth_token=a4b085f4-c969-4d22-b888-7623f3fb28d4&oauth_verifier=RdwnBo

(where the token and the verifier will change) doesn't exist. I always get a HTTP 404.
Is it a wrong URL sent by DWA? Which one is correct?

I am using Doors Web Access 1.5.0.0 (Build 214)

Any help or comment?

Thanks a lot,

     Chemi.

6 answers



permanent link
Sudarshan Rao (1863) | answered Nov 23 '12, 10:00 a.m.
When do you get 404?
Your initial token seems to be authorized successfully since you get the verifier in the URL.
You need to use the oauth_verifier along with the initial token and token_secret and send the request to oauth_access_token URI - /dwa/oauth-access-token, to get the access token and token_secret.
Hope that helps..

Thanks,
Sudarshan

permanent link
Jose Miguel Ordax Cassa (2.4k2126100) | answered Nov 23 '12, 2:42 p.m.
Thanks for your comment Sudarshan.
I thought I should use that URL for the next step.... so I moved then to /dwa/oauth-access-token and I was able to progress I think. But now, at the end, when I invoke the final service I got:

HTTP Status 401 - Invalid signature for signature method HMAC-SHA1

Let me explain what I am trying to do and how I am doing it so perhaps you can help me further.
My objective is to invoke a service from Doors/DWA from a Java Client. And for that I need OAuth stuff to be solved first.

To develop such Java Client, I am using Apache HTTP Client and OAuth Google Code.

The steps I follow are:

1.- Login into DWA to authenticate and get the JSESSIONID Cookie.
2.- Request a OAuth Token
3.- Authorize the OAuth Token
4.- Get the access the Token
5.- Invoke my service.

I get the error in step 5.

Here are the details of each step (URL requested and HTTP Headers from the response). All of them are part of a single sequence.

1.- HTTP Authentication with the server. I request a normal page and then send the HTTP Form.

http://192.168.1.42:8080/dwa/oauth

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 4579
Vary: Accept-Encoding
Date: Fri, 23 Nov 2012 19:10:16 GMT

http://192.168.1.42:8080/dwa/oauth/j_acegi_security_check

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=58AA522938F621045424FBDBF1DD1866; Path=/dwa; HttpOnly
Location: http://192.168.1.42:8080/dwa/oauth
Content-Length: 0
Date: Fri, 23 Nov 2012 19:10:16 GMT

2.- Request the OAuth Token

http://192.168.1.42:8080/dwa/oauth-request-token?oauth_consumer_key=0987654321&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1353697838&oauth_nonce=526399064300345&oauth_version=1.0&oauth_signature=gM3%2FGkgspyzWAdOaBoPtmZAnsNE%3D

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Date: Fri, 23 Nov 2012 19:10:16 GMT


3.- Authorization

http://192.168.1.42:8080/dwa/oauth-authorize-token?oauth_token=ed357650-5871-4d4a-948a-648f8b2355fe&application_name=DWA&oauth_consumer_key=0987654321&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1353697838&oauth_nonce=526399246702730&oauth_version=1.0&oauth_signature=FjTNqwYmAcM%2BMMhPvQyn4m8fy7I%3D

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://192.168.1.42:8080/dwa/oauth?oauth_token=ed357650-5871-4d4a-948a-648f8b2355fe&oauth_verifier=RtOfDM
Content-Length: 0
Date: Fri, 23 Nov 2012 19:10:16 GMT

4.- Access Token

http://192.168.1.42:8080/dwa/oauth-access-token?oauth_token=ed357650-5871-4d4a-948a-648f8b2355fe&oauth_verifier=RtOfDM&oauth_consumer_key=0987654321&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1353697838&oauth_nonce=526399281811730&oauth_version=1.0&oauth_signature=CogE%2BXFqRW%2BwjPU4JoxNRp05sR8%3D

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/plain;charset=utf-8
Transfer-Encoding: chunked
Vary: Accept-Encoding
Date: Fri, 23 Nov 2012 19:10:16 GMT

5.- Access to the final service

http://127.0.0.1:80/dwa/rm/dxl/helloWorld?oauth_token_secret=DKWmQip2q4ZGTYIXmJHbg0KBFWR6krhOx4W6A3qQSy6YZ4LVxiex8wJB36rJQtqBd2PM5OUWFLPSvHRycNK1omaaH7VBSzfh5XdBspg%2Bsus%3D&oauth_token=e40cc406-a5bc-4358-ba3f-63891ee78cdd&oauth_consumer_key=0987654321&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1353697838&oauth_nonce=526399319412691&oauth_version=1.0&oauth_signature=IcFAVuttEKIiwR1kSfrdxO6Zo9Q%3D

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6671A97CB14F1D865078336BC581DB8B; Path=/dwa; HttpOnly
WWW-Authenticate: OAuth realm="DWA"
Content-Type: text/html;charset=utf-8
Content-Length: 1032
Date: Fri, 23 Nov 2012 19:10:16 GMT

And the error in the body is:
This request requires HTTP authentication (Invalid signature for signature method HMAC-SHA1).

Any idea or help?
Writing the post I have noticed in this last step, the server assigns a new JSESSIONID.... could it be the problem? Although the path is the same /dwa

Thanks in advance,

      Chemi.

permanent link
Jose Miguel Ordax Cassa (2.4k2126100) | answered Nov 23 '12, 6:00 p.m.
Hummm.... after writing the post I noticed that the las URL I used was different IP then the others (I was using a TCP/IP Monitor to understand what was traveling through the net). And perhaps that was the reason a new Cookie no authenticated was issued.

After I change the IP and port to the same one than the others, it seems I receive HTTP 200. Now I have to verify if the service invoked really is working or not. I will post again in case it worked fine....

Regards,

    Chemi.

permanent link
Jose Miguel Ordax Cassa (2.4k2126100) | answered Nov 24 '12, 6:55 a.m.
Right, once I added these two header to the final HTTP Request:

Accept: application/rdf+xml
Content-Type: application/rdf+xml
I get following answer:

<?xml version="1.0"?>
<rdf:RDF
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:doors="http://jazz.net/doors/xmlns/prod/jazz/doors/2.0/">
  <doors:DxlServiceResult rdf:about="http://192.168.1.42:8080/dwa/rm/dxl/helloWorld">
    <doors:help></doors:help>
  </doors:DxlServiceResult>
</rdf:RDF>
So this means I am successfully getting into the Doors/DWA Service using OAuth. Or I think that is the case.

Now, the issue is I need to send an XML file as body content in the request, and I have to use POST for that. But if I use POST, then I get HTTP 401 again. Here is the request:

http://192.168.1.42:8080/dwa/rm/dxl/helloWorld?oauth_token_secret=lb%2BV7u8yfMEJFN3nSeosObZ%2FlFMvh44pYNkee7U7M9Wz6ev84u5Cmww9KXopewUELT1fwnILrd4mupi7%2FfUurLr98Qd%2BYT9k8fcx7AGeegY%3D&oauth_token=bf87b673-745f-4b94-b7ff-b1da722977b8&oauth_consumer_key=0987654321&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1353757948&oauth_nonce=586672573081445&oauth_version=1.0&oauth_signature=GpOID%2FuiqRi4wLSkUESvcgJ75%2F4%3D

<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:doors="http://jazz.net/doors/xmlns/prod/jazz/doors/2.0/">  
   <doors:Arguments>
    <doors:arguments >English</doors:arguments>
   </doors:Arguments>
</rdf:RDF>

And here is the response:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="DWA"
Content-Type: text/html;charset=utf-8
Content-Length: 1032
Date: Sat, 24 Nov 2012 11:52:23 GMT

HTTP Status 401 - Invalid signature for signature method HMAC-SHA1

So, question is... should I send anything else in the headers when using POST to get into OAuth protected services? Using GET instead of POST seems to work....

Thanks in advance,

    Chemi.

permanent link
Jose Miguel Ordax Cassa (2.4k2126100) | answered Nov 24 '12, 8:36 a.m.
Got it! It was an issue using OAuth Google classes...

BTW, only GET and PUT were accepted. Once POST worked fine I got an error because just GET and PUT were accepted. Once I used PUT I got the expected answer from the Doors/DWA service....

Now it is time to clean the code... :-)

Best regards,

      Chemi.

permanent link
Allen Irwin (1111) | answered Feb 19 '16, 5:48 p.m.

Hello Chemi, where did you get all this information?  I know this is ages ago but I'm hoping you remember.

I'm trying to get access to Doors NG api use OSLC services and I've run across this oAuth stumbling block.  I've got the oauth_token but I'm failing on authorizing with an error message of "invalid_expired_token.

I'm trying to do this all on soapUI so I can reproduce it later in middleware.

Your answer


Register or to post your answer.