// the requestToken
private void createAccessToken(HttpServletRequest servletRequest,
HttpServletResponse servletResponse) throws ServletException, IOException, OAuthException, URISyntaxException {
OAuthMessage requestMessage = OAuthServlet.getMessage(servletRequest, null);
OAuthEntry entry = getValidatedEntry(requestMessage);
if (entry == null)
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
if (entry.callbackToken != null) {
// We're using the fixed protocol
String clientCallbackToken = requestMessage.getParameter(OAuthConstants.OAUTH_VERIFIER);
if (!entry.callbackToken.equals(clientCallbackToken)) {
dataStore.disableToken(entry);
servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "This token is not authorized");
return;
}
} else if (!entry.authorized) {
// Old protocol. Catch consumers trying to convert a token to one that's not authorized
dataStore.disableToken(entry);
servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "This token is not authorized");
return;
}
// turn request token into access token
OAuthEntry accessEntry = dataStore.convertToAccessToken(entry);
sendResponse(servletResponse, OAuth.newList(
OAuth.OAUTH_TOKEN, accessEntry.token,
OAuth.OAUTH_TOKEN_SECRET, accessEntry.tokenSecret,
"user_id", entry.userId));