Class OA2ClaimsUtil
- java.lang.Object
- org.oa4mp.server.loader.oauth2.claims.OA2ClaimsUtil
- All Implemented Interfaces: edu.uiuc.ncsa.security.util.scripting.ScriptingConstants

public class OA2ClaimsUtil extends Object implements edu.uiuc.ncsa.security.util.scripting.ScriptingConstants

Deprecated.
Created by Jeff Gaynor on 4/24/18 at 11:13 AM. This used to be the main claims processing engine until scripting was improved in version 4.4. If you are using it, there is probably something wrong. It is kept since there is some good code in it, mostly for reference: if something ever breaks, I can refer to this to see if it had something better.

Field Summary
Fields:
- protected OA2ServiceTransaction transaction
  Deprecated.
Fields inherited from interface edu.uiuc.ncsa.security.util.scripting.ScriptingConstants:
ALL_PHASES, AUTH_PHASE, EXCHANGE_PHASE, POST_PREFIX, PRE_PREFIX, REFRESH_PHASE, SRE_EXEC_INIT, SRE_EXEC_PHASE, SRE_NO_EXEC_PHASE, SRE_PHASES, SRE_POST_ALL, SRE_POST_AT, SRE_POST_AUTH, SRE_POST_EXCHANGE, SRE_POST_REFRESH, SRE_POST_USER_INFO, SRE_PRE_ALL, SRE_PRE_AT, SRE_PRE_AUTH, SRE_PRE_EXCHANGE, SRE_PRE_REFRESH, SRE_PRE_USER_INFO, SRE_REQ_ACCESS_TOKEN, SRE_REQ_AUDIENCE, SRE_REQ_CLAIM_SOURCES, SRE_REQ_CLAIMS, SRE_REQ_EXTENDED_ATTRIBUTES, SRE_REQ_FLOW_STATES, SRE_REQ_PROXY_CLAIMS, SRE_REQ_REFRESH_TOKEN, SRE_REQ_RESOURCE, SRE_REQ_SCOPES, SRE_TX_REQ_AUDIENCE, SRE_TX_REQ_RESOURCES, SRE_TX_REQ_SCOPES, TOKEN_PHASE, USER_INFO_PHASE

Constructor Summary
- OA2ClaimsUtil(OA2SE oa2se, OA2ServiceTransaction transaction)
  Deprecated.

Method Summary
- protected void checkRequiredClaim(net.sf.json.JSONObject claims, String claimKey)
  Deprecated.
- protected void checkRequiredClaims(net.sf.json.JSONObject claims)
  Deprecated. For CIL-499.
- protected void checkRequiredScopes(OA2ServiceTransaction t)
  Deprecated. Use this to check for any required scopes that the request must have.
- protected void dbg(Object c, String x)
  Deprecated.
- protected OA2Client getOA2Client()
  Deprecated.
- edu.uiuc.ncsa.security.util.scripting.ScriptRuntimeEngine getScriptRuntimeEngine()
  Deprecated.
- protected void handleSREResponse(edu.uiuc.ncsa.security.util.scripting.ScriptRunResponse scriptRunResponse)
  Deprecated. Process the script, but the claim sources are not updated because we are not interested in the claim sources, e.g. if this is called after all claim sources have been processed and the script just massages the claims or flow states.
- net.sf.json.JSONObject initializeClaims(javax.servlet.http.HttpServletRequest request, net.sf.json.JSONObject claims)
  Deprecated. This method puts the required information into a claims object.
- protected boolean isEmpty(String x)
  Deprecated.
- protected edu.uiuc.ncsa.security.util.scripting.ScriptRunRequest newSRR(OA2ServiceTransaction transaction, String phase)
  Deprecated. Creates a new ScriptRunRequest with the basic information.
- net.sf.json.JSONObject processAuthorizationClaims(javax.servlet.http.HttpServletRequest request)
  Deprecated. Creates the most basic claim object for this.
- net.sf.json.JSONObject processClaims()
  Deprecated. Gets the claims that are not done at authorization time.
- net.sf.json.JSONObject setAccountingInformation(javax.servlet.http.HttpServletRequest request, net.sf.json.JSONObject claims)
  Deprecated. ONLY reset the accounting information (timestamps etc.).

Field Detail

transaction
protected OA2ServiceTransaction transaction
Deprecated.

Constructor Detail

OA2ClaimsUtil
public OA2ClaimsUtil(OA2SE oa2se, OA2ServiceTransaction transaction)
Deprecated.

Method Detail

getScriptRuntimeEngine
public edu.uiuc.ncsa.security.util.scripting.ScriptRuntimeEngine getScriptRuntimeEngine()
Deprecated.

setAccountingInformation
public net.sf.json.JSONObject setAccountingInformation(javax.servlet.http.HttpServletRequest request, net.sf.json.JSONObject claims)
Deprecated. ONLY reset the accounting information (timestamps etc.).
- Parameters: request, claims
- Returns:

initializeClaims
public net.sf.json.JSONObject initializeClaims(javax.servlet.http.HttpServletRequest request, net.sf.json.JSONObject claims)
Deprecated. This method puts the required information into a claims object. Use this on claims again whenever a request for claims is made, so the timestamps etc. are current. Some clients use this information, for better or worse, as accounting information on the access or refresh token, and these clients will break if the timestamps are not updated (e.g. Kubernetes).
Note that if you call this after processing claim sources etc., you will overwrite anything you have done. Generally, if you need to reset the timestamps, you should call setAccountingInformation(HttpServletRequest, JSONObject) instead.
- Parameters: claims
- Returns:
- Throws: Throwable

checkRequiredScopes
protected void checkRequiredScopes(OA2ServiceTransaction t) throws Throwable
Deprecated. Use this to check for any required scopes that the request must have. It is usually best to check these in the transaction since they have been normalized there, but the request is supplied too for completeness.
- Parameters: t
- Throws: Throwable

newSRR
protected edu.uiuc.ncsa.security.util.scripting.ScriptRunRequest newSRR(OA2ServiceTransaction transaction, String phase)
Deprecated. Creates a new ScriptRunRequest with the basic information. This sends along the current claims, scopes, flow states and claim sources, then harvests them in toto from the response.
- Returns:

handleSREResponse
protected void handleSREResponse(edu.uiuc.ncsa.security.util.scripting.ScriptRunResponse scriptRunResponse) throws IOException
Deprecated. Process the script, but the claim sources are not updated because we are not interested in the claim sources, e.g. if this is called after all claim sources have been processed and the script just massages the claims or flow states.
- Parameters: scriptRunResponse
- Throws: IOException

processAuthorizationClaims
public net.sf.json.JSONObject processAuthorizationClaims(javax.servlet.http.HttpServletRequest request) throws Throwable
Deprecated. Creates the most basic claim object for this. These are claims that are common (e.g., set the openid claim if this supports OIDC). This is the minimal set of claims for this service and is, e.g., all that is returned to public clients. This also runs the sources that are to run at initialization. The assumption is that the initial sources can only be run exactly once, during the first leg of the OAuth transaction. These contain mutable information about the user from, say, Shibboleth headers or other sources that will not be available later.
- Parameters: request
- Returns:
- Throws: Throwable

getOA2Client
protected OA2Client getOA2Client()
Deprecated.

processClaims
public net.sf.json.JSONObject processClaims() throws Throwable
Deprecated. Gets the claims that are not done at authorization time. Typically these are done right before the access token is created, because there can be out-of-band calls that happen after the initial set of claims is gotten and before this one is called, e.g., if this is part of a larger system and a bunch of user information (not tracked by OA4MP) is updated before the grant is returned to the user. CILogon is an example of this.
- Returns:
- Throws: Throwable

checkRequiredClaim
protected void checkRequiredClaim(net.sf.json.JSONObject claims, String claimKey)
Deprecated.

checkRequiredClaims
protected void checkRequiredClaims(net.sf.json.JSONObject claims)
Deprecated. For CIL-499. It is possible to remove key claims with functors and return unusable claims objects. This method will check that claims that must be present are there, or will raise a server-side exception. CIL-540: do not return empty claims either.
- Parameters: claims

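As an added illustration (not OA4MP's own code, and not the internals of OA2ClaimsUtil), a stand-alone Java sketch of the CIL-499/CIL-540 checks described here: reject an empty claims object and any required claim that a functor or script has dropped or blanked. The required keys sub, iss and aud, the exception type and the sample claim values are assumptions for the example.

```java
import net.sf.json.JSONObject;
import java.util.Arrays;
import java.util.List;

/** Hypothetical illustration of the required-claims check; not OA4MP code. */
public class RequiredClaimsCheckExample {
    // Assumed set of claims that must survive functor/script processing.
    static final List<String> REQUIRED = Arrays.asList("sub", "iss", "aud");

    /** Raised server-side; the client only sees a generic server error. */
    public static class InvalidClaimsException extends RuntimeException {
        public InvalidClaimsException(String msg) { super(msg); }
    }

    /** One key: fail if it is absent, null, or a blank string. */
    static void checkRequiredClaim(JSONObject claims, String claimKey) {
        if (!claims.containsKey(claimKey) || claims.optString(claimKey).trim().isEmpty()) {
            throw new InvalidClaimsException("required claim missing or blank: " + claimKey);
        }
    }

    /** CIL-540: never accept an empty object. CIL-499: every required key present. */
    static JSONObject checkRequiredClaims(JSONObject claims) {
        if (claims == null || claims.isNullObject() || claims.isEmpty()) {
            throw new InvalidClaimsException("claims object is empty");
        }
        for (String key : REQUIRED) {
            checkRequiredClaim(claims, key);
        }
        return claims; // unchanged; the check is a gate, not a transform
    }

    public static void main(String[] args) {
        // Constructed sample: a script that dropped "sub" and returned the rest.
        JSONObject mangled = JSONObject.fromObject(
            "{\"iss\":\"https://issuer.example\",\"aud\":\"client-id\"}");
        try {
            checkRequiredClaims(mangled);
        } catch (InvalidClaimsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed sample with all assumed required claims present.
        JSONObject good = JSONObject.fromObject(
            "{\"sub\":\"user@example\",\"iss\":\"https://issuer.example\",\"aud\":\"client-id\"}");
        checkRequiredClaims(good);
        System.out.println("accepted: " + good);
    }
}
```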
isEmpty
protected boolean isEmpty(String x)
Deprecated.