Unable to set Authorization header of HttpsURLConnection

Question

I'm trying to set the OAuth Authorization header of a HttpsURLConnection object and below is the java code for that

    String url1 = "/data/ServiceAccount?schema=1.0&form=json&byBillingAccountId={EQUALS,xyz@pqr.edu}";
    String url = "https://secure.api.abc.net/data/ServiceAccount?schema=1.0&byBillingAccountId={EQUALS,xyz@pqr.edu}";


    String header = OAuthClient.prepareURLWithOAuthSignature(url1);

    HttpsURLConnection con = null;

    try {
        URL obj = new URL(url);
        con = (HttpsURLConnection) obj.openConnection();

        con.setRequestMethod("GET");
        con.setRequestProperty("Authorization", "OAuth " + header);
        System.out.println("Request properties = " + con.getRequestProperty("Authorization"));


        int responseCode = con.getResponseCode();

        System.out.println("Response Code = " + responseCode);

        BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream()));
        String inputLine;
        StringBuffer response = new StringBuffer();

        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();
        con.disconnect();
        //print result
        System.out.println("Response = " + response.toString());


    } catch (MalformedURLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        if(con!=null) con.disconnect();
    }

And below is the code for prepareURLWithOAuthSignature

public String prepareURLWithOAuthSignature(String url)
{

    String signature = null;

    setOAuthParameters();

    setOAuthQParams();

    try
    {
        httpURL = URLEncoder.encode(baseURL+url, "UTF-8");

        signature = OAuthSignatureService.getSignature(httpURL, URLEncoder.encode(URLEncodedUtils.format(qparams, "UTF-8"), "UTF-8"), consumer_secret);

        OAuthParameters.put("oauth_signature", signature);


    } catch (Exception e) {
        e.printStackTrace();
    }

    return getOAuthAuthorizationHeader();

}


public String getOAuthAuthorizationHeader()
{

    String OAuthHeader = "oauth_consumer_key=\"" + OAuthParameters.get("oauth_consumer_key") + "\"" + 
                        ",oauth_signature_method=\"" + OAuthParameters.get("oauth_signature_method") + "\"" +
                        ",oauth_timestamp=\"" + OAuthParameters.get("oauth_timestamp") + "\"" +
                        ",oauth_nonce=\"" + OAuthParameters.get("oauth_nonce") + "\"" +
                        ",oauth_version=\"" + OAuthParameters.get("oauth_version") + "\"" +
                        ",oauth_signature=\"" + OAuthParameters.get("oauth_signature") + "\"";

    byte[] authEncBytes = Base64.encodeBase64(OAuthHeader.getBytes());

    String authStringEnc = new String(authEncBytes);

    return authStringEnc;
}

The problem is that

1) while I'm printing the con.getRequestProperty("Authorization") I'm getting a null value which means the Authorization header is not set

2) The final response I'm getting from the server is 403

Any idea what's going wrong here?

Answer 1

I know this might not be an answer but looks like this issue was submitted as a bug to sun and here is the relevant part of the reply.

This behavior is intentional in order to prevent a security hole that getRequestProperty() opened. setRequestProperty("Authorization") should still work, you just won't be able to proof the results via getRequestProperty().

For the original forum post, please see: http://www.coderanch.com/t/205485/sockets/java/setRequestProperty-authorization-JDK

I would not be able to advice why you're getting a 403 but try adding the "Content-Type" request header to your connection and see if it makes any difference. Until I added that header in my code, I was getting a 404 back from the Spring Security module.