accessToken = dataProvider.getAccessToken(oAuthMessage.getToken());
//check if access token is not null
if (accessToken == null) {
LOG.warning("Access token is unavailable");
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
}
client = accessToken.getClient();
} else {
// TODO: the secret may not be included and only used to create a signature
// so the header will effectively be similar to the one used during
// RequestToken requests; we'd need to handle this case too
String consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
String consumerSecret = oAuthMessage.getParameter("oauth_consumer_secret");
client = dataProvider.getClient(consumerKey);
if (client == null || consumerSecret == null || !consumerSecret.equals(client.getSecretKey())) {
LOG.warning("Client is invalid");
throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
}
}
OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider);
//check valid URI
checkRequestURI(req, OAuthUtils.getAllUris(client, accessToken));
List<OAuthPermission> permissions = dataProvider.getPermissionsInfo(
OAuthUtils.getAllScopes(client, accessToken));
for (OAuthPermission perm : permissions) {
checkRequestURI(req, perm.getUris());
if (!perm.getHttpVerbs().isEmpty()
&& !perm.getHttpVerbs().contains(req.getMethod())) {
String message = "Invalid http verb";
LOG.warning(message);
throw new OAuthProblemException(message);
}
checkNoAccessTokenIsAllowed(client, accessToken, perm);
}
return new OAuthInfo(client, accessToken, permissions, useUserSubject);