HmacSHA1 produces different signatures on different systems using the same secret

2023-09-11 22:46:07 Author: regulars(消逝)

I have a Jersey OAuth provider that uses HmacSHA1 for signing/verifying requests. This works for my development & test platforms, where the client & server are different physical systems. However, when I move to a production platform, the HmacSHA1 algorithm (provider-side) returns a different value than the HmacSHA1 algorithm (client-side) using the same params & secret, and my OAuth validation fails.

The JDK (1.6.x) is the exact same version on both the provider and the client for all platforms.

When I switched my OAuth provider & client to use the PLAINTEXT signature method (bad for security, I know), it works on all platforms.

When I dug into the Jersey OAuthSignature.verify() method, I found that it calls the signature method's (HmacSHA1 or PLAINTEXT) verify function, which simply signs the OAuth elements with the secret and compares the value against the signature passed in.

For HmacSHA1, the method calls the Base64.encode() method to generate the signature, but for PLAINTEXT no encoding is done (as expected).

What could cause the Base64.encode() method, using the HmacSHA1 signature algorithm, to produce different results with the same params & secret on the two systems?

Thanks in advance! --TK

Recommended answer

One educated guess: if platform encodings differ (quite common; some platforms use ISO-8859-1, others UTF-8, Windows maybe CP-1250 or whatever), AND the OAuth library in question has newbie bugs where the encoding is not specified when converting between byte[] and String, AND there are characters that encode differently under different encodings (usually anything outside the 7-bit ASCII range, characters 0 - 127), then you will end up with different signatures.

So -- you can see what the platform default encoding is, and force it to be the same on both first. If this solves the issue, I would consider reporting this as a bug to the OAuth lib (or the framework that bundles it) author(s), or at least ask on the mailing lists.

I have seen such bugs (String.getBytes("test")) VERY often -- it is one of the most common Java anti-patterns in existence. The worst part is that it is a bug that only causes issues under specific circumstances, so people are not bitten badly enough to fix them.

Another potential issue is with URL encoding -- the handling of certain characters (space, %, +) can differ between implementations, due to subtle bugs in encoding/decoding. So you can check whether the content you are passing has 'special' characters; try to see if eliminating them (for testing) makes a difference, and zero in on what triggers the difference.
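Added example, not from the original post and not Jersey's own code: a small Java program that reproduces both failure modes the answer describes (String-to-byte[] conversion through the platform default charset, and a URL encoder that is not the OAuth percent-encoding) next to the charset-pinned RFC 5849 signing that avoids them. It assumes Java 8 or later (java.util.Base64 and StandardCharsets do not exist in the poster's JDK 1.6); the class and method names, the secrets and the request parameters are all constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuthSignatureCharsetDemo {

    // HMAC-SHA1 over raw bytes, Base64-encoded: the oauth_signature value.
    static String hmacSha1Base64(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data));
    }

    // OAuth 1.0 percent-encoding (RFC 5849 section 3.6): UTF-8 bytes; only
    // ALPHA / DIGIT / "-" / "." / "_" / "~" are left alone, everything else is
    // %XX with uppercase hex. Space is %20 (never "+"), "*" is %2A, "~" stays "~".
    static String oauthPercentEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            out.append(unreserved ? String.valueOf((char) c) : String.format("%%%02X", c));
        }
        return out.toString();
    }

    // The anti-pattern from the answer, reproduced deliberately: secrets are used raw
    // and every String->byte[] conversion goes through the platform default charset,
    // which is what String.getBytes() and the deprecated URLEncoder.encode(String) do.
    // `platformDefault` stands in for Charset.defaultCharset() so that one JVM can show
    // what two differently configured machines would compute.
    static String signWithPlatformCharset(Charset platformDefault, String consumerSecret,
            String tokenSecret, String method, String url, String params) throws Exception {
        String key = consumerSecret + "&" + tokenSecret;
        String baseString = method + "&" + URLEncoder.encode(url, platformDefault.name())
                + "&" + URLEncoder.encode(params, platformDefault.name());
        return hmacSha1Base64(key.getBytes(platformDefault), baseString.getBytes(platformDefault));
    }

    // The fix: RFC 5849 sections 3.4.1 and 3.4.2 build the base string and the key from
    // percent-encoded UTF-8, so the bytes (and the MAC) no longer depend on the machine.
    static String signRfc5849(String consumerSecret, String tokenSecret,
            String method, String url, String params) throws Exception {
        String key = oauthPercentEncode(consumerSecret) + "&" + oauthPercentEncode(tokenSecret);
        String baseString = method.toUpperCase() + "&" + oauthPercentEncode(url)
                + "&" + oauthPercentEncode(params);
        return hmacSha1Base64(key.getBytes(StandardCharsets.UTF_8), baseString.getBytes(StandardCharsets.UTF_8));
    }

    // Provider-side check: compare the decoded MAC bytes in constant time instead of
    // String.equals on the Base64 text, so timing does not leak how many bytes matched.
    static boolean verify(String expectedB64, String presentedB64) {
        byte[] expected = Base64.getDecoder().decode(expectedB64);
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(presentedB64);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (not from the original post). The "\u00e9" in the
        // consumer secret and in the query value is what makes the charsets diverge;
        // with pure 7-bit ASCII every charset below yields identical bytes. Unicode
        // escapes are used so the result does not also depend on the source file's encoding.
        String consumerSecret = "cs-secr\u00e9t";
        String tokenSecret = "ts-secret";
        String method = "GET";
        String url = "http://example.com/api";
        String params = "oauth_nonce=abc123&oauth_signature_method=HMAC-SHA1&q=caf\u00e9 au lait";

        System.out.println("This JVM's default charset: " + Charset.defaultCharset());
        String onLatin1Box = signWithPlatformCharset(StandardCharsets.ISO_8859_1,
                consumerSecret, tokenSecret, method, url, params);
        String onUtf8Box = signWithPlatformCharset(StandardCharsets.UTF_8,
                consumerSecret, tokenSecret, method, url, params);
        System.out.println("buggy, ISO-8859-1 machine: " + onLatin1Box);
        System.out.println("buggy, UTF-8 machine     : " + onUtf8Box);
        System.out.println("provider accepts client? : " + verify(onLatin1Box, onUtf8Box));
        System.out.println("RFC 5849, any machine    : "
                + signRfc5849(consumerSecret, tokenSecret, method, url, params));

        // The answer's second point: java.net.URLEncoder is not the OAuth percent-encoding.
        String p = "a b*c~d";
        System.out.println("URLEncoder : " + URLEncoder.encode(p, "UTF-8"));
        System.out.println("RFC 5849   : " + oauthPercentEncode(p));
    }
}
```

Running it, the two "buggy" signatures differ and verify() reports false, while signRfc5849() gives the same value wherever it runs. On a JDK 1.6 era JVM the default charset comes from the OS locale (print Charset.defaultCharset() on both hosts, as the answer suggests), and -Dfile.encoding=UTF-8 on both sides is the quick workaround; the durable fix is the library passing an explicit charset at every String/byte[] boundary. The last two lines show why the URL-encoding point matters: java.net.URLEncoder emits "+" for a space, leaves "*" alone and escapes "~", none of which RFC 5849 allows, so a client and a provider that use different encoders are signing different base strings even when the bytes of the secret agree.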
