Updated Jun 21, 2009 by m.kaeppler
Labels:	Featured

GettingStarted

Setting up OAuth for your project in 5 minutes!

Getting Signpost

Get the latest Signpost build from the download page

checkout the source code, go to the folder where you downloaded it to, and run:

mvn package

This will download all dependencies and create a JAR in the target/ folder. Note that this step requires that you have the Apache Maven build system installed on your system.

If you use Apache Maven for project management yourself, you can simply declare Signpost as a dependency in your pom.xml:

    <repositories>
        <repository>
            <id>signpost-snapshots</id>
            <url>http://oss.sonatype.org/content/repositories/signpost-snapshots/</url>
            <releases>
              <enabled>false</enabled>
            </releases>
            <snapshots>
              <enabled>true</enabled>
            </snapshots>
        </repository>
    </repositories>
    ...
    <dependencies>
      <dependency>
        <groupId>oauth.signpost</groupId>
        <artifactId>signpost-core</artifactId>
        <version>1.1-SNAPSHOT</version>
        <scope>compile</scope>
      </dependency>
    </dependencies>

Signpost has seen no official release so far, and thus hasn't been synced to central, yet. The latest JARs are kindly hosted by Sonatype, so you need to add the repository definition for now. Depending on your requirements, you may need to add dependencies to other Signpost modules (e.g. signpost-jetty6).

Setting up Signpost

If you downloaded the JARs manually, you must also have the following libraries in your project's build path if you want to use Signpost:

Apache Commons Codec 1.3

If you built Signpost using Maven in the previous step, then you do not need to manually install dependencies, since Maven will do that for you.

By default, Signpost supports signing HTTP requests of type java.net.HttpURLConnection. If you only need that, then you're good to go and you can skip to the next section. If you want to use a different HTTP messaging system, you must download an adapter module that supports adapting request objects of that library for Signpost being able to sign them. The adapter module must be added to your project's build path.

For a list of available adapter modules, refer to SupportedHttpLibraries.

Using Signpost

All examples below assume that you have already obtained a consumer key and secret from the OAuth service provider you are communicating with.

Signing an HTTP message using OAuthConsumer

This section shows how to sign HTTP requests of type java.net.HttpURLConnection, which is the default. If you need to sign requests for other HTTP request types, please have a look at the examples in SupportedHttpLibraries.

If you have already obtained an access token from your service provider that allows you to access a protected resource, you can sign a request to that resource using Signpost as follows:

        // create a consumer object and configure it with the access
        // token and token secret obtained from the service provider
        OAuthConsumer consumer = new DefaultOAuthConsumer(CONSUMER_KEY,
                CONSUMER_SECRET, SignatureMethod.HMAC_SHA1);
        consumer.setTokenWithSecret(ACCESS_TOKEN, TOKEN_SECRET);

        // create an HTTP request to a protected resource
        URL url = new URL("http://example.com/protected");
        HttpURLConnection request = (HttpURLConnection) url.openConnection();

        // sign the request
        consumer.sign(request);

        // send the request
        request.connect();

NOTE: When using HttpURLConnection, you cannot sign POST requests that carry query parameters in the message payload (i.e. requests of type application/x-www-form-urlencoded). This is not a limitation of Signpost per se, but with the way URLConnection works. Server communication with URLConnection is based on data streams, which means that whenever you write something to the connection, it will be sent to the server immediately. This data is not buffered, and there is simply no way for Signpost to inspect that data and include it in a signature. Hence, when you have to sign requests which contain parameters in their body, you have to use an HTTP library like Apache Commons HttpComponents and the respective Signpost module. (This restriction does not apply to requests which send binary data such as documents or files, because that data won't become part of the signature anyway.)

Obtaining a request token using OAuthProvider

Obtaining a request token from the OAuth service provider is the first step in the 3-way handshake defined by OAuth. In a second step (which is beyond the scope of Signpost or any OAuth library) the user must then authorize this request token by granting your application access to protected resources on a special website defined by the OAuth service provider.

        // create a new service provider object and configure it with
        // the URLs which provide request tokens, access tokens, and
        // the URL to which users are sent in order to grant permission
        // to your application to access protected resources
        OAuthProvider provider = new DefaultOAuthProvider(consumer,
                REQUEST_TOKEN_ENDPOINT_URL, ACCESS_TOKEN_ENDPOINT_URL,
                AUTHORIZE_WEBSITE_URL);

        // fetches a request token from the service provider and builds
        // a url based on AUTHORIZE_WEBSITE_URL and CALLBACK_URL to
        // which your app must now send the user
        String url = provider.retrieveRequestToken(CALLBACK_URL);

If your application cannot receive callbacks (e.g. because it's a desktop app), then you must replace CALLBACK_URL with one of these values:

If the service provider you're communicating with implements version 1.0a of the protocol, then you must pass "oob" or OAuth.OUT_OF_BAND to indicate that you cannot receive callbacks.
If the service provider is still using the older 1.0 protocol, then you must pass null to indicate that you cannot receive callbacks.

Obtaining an access token using OAuthProvider

The third and last step in the "OAuth dance" is to exchange the blessed request token for an access token, which the client can then use to access protected resources on behalf of the user. Again, this is very simple to do with Signpost:

        provider.retrieveAccessToken(verificationCode);

The verificationCode is only meaningful for service providers implementing OAuth 1.0a. Depending on whether you provided a callback URL or out-of-band before, this value is either being passed to your application during callback as the oauth_verifier request parameter, or you must obtain this value manually from the user of your application.

On success, the OAuthConsumer connected to this OAuthProvider has now a valid access token and token secret set, and can start signing messages!

Comment by arun.shivaraman, May 26, 2009

Do you have Maven Repository information for this package?

Comment by m.kaeppler, Jun 14, 2009

I am currently looking for someone to host the project in a public maven repository. I will update the site with the information you are looking for as soon as that happens.

Comment by m.kaeppler, Jun 16, 2009

Developers using Maven: Signpost JARs are now hosted on Sonatype's Nexus repository servers (see wiki page for details).

Comment by kelly343, Jul 06, 2009

I returned from the weekend and my java 5 development environment barfed the message:

/Users/kelly/Sites/cobalt/src/main/java/com/sonicswap/cobalt/manager/OAuthYahooManagerImpl.java:6,-1? cannot access oauth.signpost.signature.SignatureMethod? bad class file: /Users/kelly/.m2/repository/oauth/signpost/signpost-core/1.1-SNAPSHOT/signpost-core-1.1-SNAPSHOT.jar(oauth/signpost/signature/SignatureMethod?.class) class file has wrong version 50.0, should be 49.0

I develop on both java 5 and 6 so I switched over to complete today's development. But the production servers run only java 5.

Before I disturb the production servers, I wanted to ask if signpost now requires java 6?

Comment by kelly343, Jul 06, 2009

Update: I configured maven to use an older snapshot (which I downloaded manually) Crisis averted. I can use this until the java 5/6 question is answered.

<dependency>
  <groupId>oauth.signpost</groupId>
  <artifactId>signpost-core</artifactId>
  <version>1.1-SNAPSHOT</version>
  <scope>system</scope>
  <systemPath>${CATALINA_HOME}/common/lib/signpost-core-1.1-20090627.151843-4.jar</systemPath>
</dependency>

Comment by m.kaeppler, Jul 07, 2009

That's really weird, because if you check the POM, you'll see that the compiler is set to output 1.5 class files. I'll check if I can reproduce that.

Comment by kelly343, Jul 07, 2009

I don't know why I have a problem. Maybe it's a Mac thing. BTW, I had a classpath problem with my early workaround using <systemPath> so I ended up adding the jar to my private repo. First, in bash install the snapshot version:

curl \
  --request GET \
  --remote-name \
  --url "${SIGNPOST_REPO_URL}/signpost-core-1.1-20090627.151843-4.jar"

mv signpost-core-1.1-20090627.151843-4.jar signpost-core-1.1-SNAPSHOT.jar

mvn deploy:deploy-file                   \
  -DgroupId=oauth.signpost               \
  -DartifactId=signpost-core             \
  -Dversion=1.1-SNAPSHOT                 \
  -Dpackaging=jar                        \
  -Dfile=signpost-core-1.1-SNAPSHOT.jar  \
  -DrepositoryId=ssh-repo                \
  -Durl=scp://${PRIVATE_MAVEN_REPO_URL}

Then, in pom.xml add the dependency:

<dependency>
  <groupId>oauth.signpost</groupId>
  <artifactId>signpost-core</artifactId>
  <version>1.1-SNAPSHOT</version>
</dependency>

I finished my milestone, thanks to signpost! I'll let you know if I find the source of my java version problem.

Comment by bruno.fonseca, Sep 28, 2009

in "If you have already obtained an access token from your service provider that allows you to access a protected resource, you can sign a request to that resource using Signpost as follows:" .. how define ACCESS_TOKEN and TOKEN_SECRET?? Thanks