Validating signed request: signature_invalid

Question

I'm trying to validate an OpenSocial 0.7 signed request, using the sample Java code on that page. I think it should work this way, but I still get a signature_invalid error.

Main validation code:

 // NOTE: req = HttpServletRequest

 // check for hyves
 if (!"hyves.nl".equals(req.getParameter("oauth_consumer_key"))) {
  throw new RuntimeException("Only hyves supported");
 }

 // update hyves' certificate
 getHyvesCert(req.getParameter("xoauth_signature_publickey"));

 // construct message object
 OAuthMessage oaMessage = new OAuthMessage(req.getMethod(), getRequestUrl(req), getParameters(req));

 // validate message
 // (will throw exception if invalid)
 new SimpleOAuthValidator().validateMessage(oaMessage, new OAuthAccessor(OAUTH_CONSUMER_HYVES));

OAUTH_CONSUMER_HYVES:

 private static final OAuthServiceProvider OAUTH_THIS = new OAuthServiceProvider(null, null, null);
 private static final OAuthConsumer OAUTH_CONSUMER_HYVES = new OAuthConsumer(null, "hyves.nl", null, OAUTH_THIS);

getHyvesCert:

 public void getHyvesCert(String name) {

  synchronized(certLoadLock) {

  // in reality this is code that downloads the certificate
  // with the specified name, but this is the result
  hyvesCert = "---BEGIN CERTIFICATE---- etc...";

  OAUTH_CONSUMER_HYVES.setProperty(RSA_SHA1.X509_CERTIFICATE, hyvesCert);

  }   

 }

The methods getRequestUrl and getParameters are directly copied from here.

Answer 1

I found the problem. getRequestUrl() returned the wrong URL because Tomcat is behind an nginx proxy. So while the sender would use the URL "http://example.com/bla" to sign the request, the server was using "http://example.com:8080/bla" to validate it.