
Possible bug in AwsVerifier in Restlet Framework

While trying to get Amazon S3 authentication working for my RESTful web service, my testing flushed out a possible bug in the Verifier for S3 auth. If you specify an access key that does not exist in the server secrets, the AwsVerifier throws a NullPointerException which results in an HTTP 500 Internal Server Error. The problem begins on line 233 of AwsVerifier.java:

char[] userSecret = getLocalSecret(userId);

If the userId does not exist in the local secrets (i.e. an access key that does not exist in the server secrets map), then there is no associated secret, so userSecret becomes null. When AwsVerifier calls getS3Signature() on line 235:

String sigToCompare = AwsUtils.getS3Signature(request, userSecret);

you get the NullPointerException. This seems like a bug to me... anyone agree/disagree?

I believe this is a bug. However, I found a way to work around it: just subclass AwsVerifier and override the verify() method. Make sure to copy the code from the superclass verify() into the subclass, but change it as follows:

public class NewAwsVerifier extends AwsVerifier {
    public NewAwsVerifier(LocalVerifier wrappedVerifier) {
        super(wrappedVerifier);
    }
    ...
    @Override
    public int verify(Request request, Response response) {
    ...
        char[] userSecret = getLocalSecret(userId);
        if (userSecret == null) {
            // If there is no userSecret for the given userId then the
            // request probably specified a user that doesn't exist
            // and using that userID in the getS3Signature call
            // will result in a NullPointerException, so we intercept it here
            return RESULT_INVALID;
        }
        char[] signature = getSecret(request, response);
        String sigToCompare = AwsUtils.getS3Signature(request, userSecret);
    ...
    }
}

Then make sure you use this new Verifier:

MapVerifier verifier = new MapVerifier();
NewAwsVerifier newVerifier = new NewAwsVerifier(verifier);

// Get passwords from a more secure source (only here for illustration)!
verifier.getLocalSecrets().put("accessKey", "secretKey".toCharArray());
// auth is assumed to be the ChallengeAuthenticator guarding the resource
auth.setVerifier(newVerifier);

Now if you specify an access key that doesn't exist in the server secrets, you will be denied access gracefully instead of receiving an HTTP 500 Internal Server Error.
