Description
The UrlParameterAuthenticationHandler contains the following lines:
    // OAuth token as a param
    if (token == null && request.isSecure())
We are using an AuthenticationHandler that manages the shindig specific authentication token and another one that manages oauth. If no shindig token (st=...) parameter is present, the shindig specific AuthenticationHandler should not be used. That works fine, as long as the request goes through http.
Now, with an oauth request using https, this AuthenticationHandler suddenly kicks in and tries to decode the oauth token (which has nothing to do with our secure token) as a secure token and the AuthenticationHandler then reports an invalid or tampered filter.
This might be a case of "the oauth filter should run before the shindig specific filter", but I think that these three lines should not be in the UrlParameterAuthenticationHandler, because they try to mix up two separate things.
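
The handler-chain behaviour described above, as an added example that is not code from the reporter or from Shindig: a simplified Java model comparing a handler that falls back to the OAuth parameter on secure requests with one scoped to `st` only. The handler names, the `st:<user>` token format and the `oauth_token` parameter name are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of a handler chain; NOT Shindig's classes. All names are hypothetical.
public class HandlerChainDemo {
    // A handler returns a principal, returns null to pass, or throws on a bad token.
    interface Handler { String authenticate(Map<String, String> params, boolean secure); }

    // Stand-in for secure-token decoding: constructed format "st:<user>".
    static String decodeSecureToken(String raw) {
        if (!raw.startsWith("st:")) throw new IllegalArgumentException("invalid or tampered token");
        return raw.substring(3);
    }

    // Behaviour described in the report: on HTTPS, fall back to the OAuth parameter.
    static final Handler MIXED = (p, secure) -> {
        String token = p.get("st");
        if (token == null && secure) token = p.get("oauth_token");
        return token == null ? null : decodeSecureToken(token);
    };

    // Scoped variant: only the st parameter is this handler's business.
    static final Handler SCOPED = (p, secure) -> {
        String token = p.get("st");
        return token == null ? null : decodeSecureToken(token);
    };

    // Stand-in OAuth handler; real signature verification is out of scope here.
    static final Handler OAUTH = (p, secure) ->
        p.containsKey("oauth_token") ? "oauth:" + p.get("oauth_token") : null;

    // Walk the chain in order; the first handler to return a principal wins.
    static String run(List<Handler> chain, Map<String, String> params, boolean secure) {
        try {
            for (Handler h : chain) {
                String who = h.authenticate(params, secure);
                if (who != null) return who;
            }
            return "anonymous";
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, String> req = Map.of("oauth_token", "abc123"); // constructed request
        System.out.println("mixed,  http : " + run(List.of(MIXED, OAUTH), req, false));
        System.out.println("mixed,  https: " + run(List.of(MIXED, OAUTH), req, true));
        System.out.println("scoped, https: " + run(List.of(SCOPED, OAUTH), req, true));
    }
}
```

Only the mixed handler on a secure request rejects the OAuth call; the scoped handler passes it on to the OAuth handler regardless of scheme.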