// the requestToken
private void createAccessToken(HttpServletRequest servletRequest,
HttpServletResponse servletResponse) throws ServletException, IOException, OAuthException, URISyntaxException {
OAuthMessage requestMessage = OAuthServlet.getMessage(servletRequest, null);
OAuthEntry entry = getValidatedEntry(requestMessage);
if (entry == null)
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
if (entry.getCallbackToken() != null) {
// We're using the fixed protocol
String clientCallbackToken = requestMessage.getParameter(OAuth.OAUTH_VERIFIER);
if (!entry.getCallbackToken().equals(clientCallbackToken)) {
dataStore.disableToken(entry);
servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "This token is not authorized");
return;
}
} else if (!entry.isAuthorized()) {
// Old protocol. Catch consumers trying to convert a token to one that's not authorized
dataStore.disableToken(entry);
servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "This token is not authorized");
return;
}
// turn request token into access token
OAuthEntry accessEntry = dataStore.convertToAccessToken(entry);
sendResponse(servletResponse, OAuth.newList(
OAuth.OAUTH_TOKEN, accessEntry.getToken(),
OAuth.OAUTH_TOKEN_SECRET, accessEntry.getTokenSecret(),
"user_id", entry.getUserId()));
}