Class OA2ClaimsUtil

  • All Implemented Interfaces:
    edu.uiuc.ncsa.security.util.scripting.ScriptingConstants

    public class OA2ClaimsUtil
    extends Object
    implements edu.uiuc.ncsa.security.util.scripting.ScriptingConstants
    Deprecated.

    Created by Jeff Gaynor
    on 4/24/18 at 11:13 AM

    This used to be the main claims processing engine until scripting was improved in version 4.4. If you are using it, there is probably something wrong. It is kept since there is some good code in it, mostly for reference: if something ever breaks, this can be consulted to see if it had something better.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected OA2ServiceTransaction transaction
      Deprecated.
       
      • Fields inherited from interface edu.uiuc.ncsa.security.util.scripting.ScriptingConstants

        ALL_PHASES, AUTH_PHASE, EXCHANGE_PHASE, POST_PREFIX, PRE_PREFIX, REFRESH_PHASE, SRE_EXEC_INIT, SRE_EXEC_PHASE, SRE_NO_EXEC_PHASE, SRE_PHASES, SRE_POST_ALL, SRE_POST_AT, SRE_POST_AUTH, SRE_POST_EXCHANGE, SRE_POST_REFRESH, SRE_POST_USER_INFO, SRE_PRE_ALL, SRE_PRE_AT, SRE_PRE_AUTH, SRE_PRE_EXCHANGE, SRE_PRE_REFRESH, SRE_PRE_USER_INFO, SRE_REQ_ACCESS_TOKEN, SRE_REQ_AUDIENCE, SRE_REQ_CLAIM_SOURCES, SRE_REQ_CLAIMS, SRE_REQ_EXTENDED_ATTRIBUTES, SRE_REQ_FLOW_STATES, SRE_REQ_PROXY_CLAIMS, SRE_REQ_REFRESH_TOKEN, SRE_REQ_RESOURCE, SRE_REQ_SCOPES, SRE_TX_REQ_AUDIENCE, SRE_TX_REQ_RESOURCES, SRE_TX_REQ_SCOPES, TOKEN_PHASE, USER_INFO_PHASE
    • Method Detail

      • getScriptRuntimeEngine

        public edu.uiuc.ncsa.security.util.scripting.ScriptRuntimeEngine getScriptRuntimeEngine()
        Deprecated.
      • setAccountingInformation

        public net.sf.json.JSONObject setAccountingInformation(javax.servlet.http.HttpServletRequest request,
                                                               net.sf.json.JSONObject claims)
        Deprecated.
        ONLY reset the accounting information (timestamps etc.)
        Parameters:
        request -
        claims -
        Returns:
      • initializeClaims

        public net.sf.json.JSONObject initializeClaims(javax.servlet.http.HttpServletRequest request,
                                                       net.sf.json.JSONObject claims)
        Deprecated.
        This method puts the required information into a claims object. Use this on the claims again whenever a request for claims is made, so that the timestamps etc. are current. Some clients use this information, for better or worse, as accounting information on the access or refresh token, and these clients will break if the timestamps are not updated (e.g. Kubernetes).

        Note that if you call this after processing claim sources etc., you will overwrite anything you have done. Generally, if you only need to reset the timestamps, you should call setAccountingInformation(HttpServletRequest, JSONObject) instead.

        Parameters:
        claims -
        Returns:
        Throws:
        Throwable
      • checkRequiredScopes

        protected void checkRequiredScopes(OA2ServiceTransaction t)
                                    throws Throwable
        Deprecated.
        Use this to check for any required scopes that the request must have. It is usually best to check these in the transaction, since they have been normalized there, but the request is supplied too for completeness.
        Parameters:
        t -
        Throws:
        Throwable
      • newSRR

        protected edu.uiuc.ncsa.security.util.scripting.ScriptRunRequest newSRR(OA2ServiceTransaction transaction,
                                                                                String phase)
        Deprecated.
        Creates a new ScriptRunRequest with the basic information. This sends along the current claims, scopes, flow states and claim sources, then harvests them in toto from the response.
        Returns:
      • handleSREResponse

        protected void handleSREResponse(edu.uiuc.ncsa.security.util.scripting.ScriptRunResponse scriptRunResponse)
                                  throws IOException
        Deprecated.
        Processes the script response, but the claim sources are not updated because we are not interested in them here, e.g. if this is called after all claim sources have been processed and the script just massages the claims or flow states.
        Parameters:
        scriptRunResponse -
        Throws:
        IOException
      • processAuthorizationClaims

        public net.sf.json.JSONObject processAuthorizationClaims(javax.servlet.http.HttpServletRequest request)
                                                          throws Throwable
        Deprecated.
        Creates the most basic claims object for this transaction. These are claims that are common (e.g., set the openid claim if this supports OIDC). This is the minimal set of claims for this service and is, e.g., all that is returned to public clients. This also runs the sources that are to run at initialization. The assumption is that the initial sources can only be run exactly once, during the first leg of the OAuth transaction, since they contain mutable information about the user from, say, Shibboleth headers or other sources that will not be available later.
        Parameters:
        request -
        Returns:
        Throws:
        Throwable
      • getOA2Client

        protected OA2Client getOA2Client()
        Deprecated.
      • processClaims

        public net.sf.json.JSONObject processClaims()
                                             throws Throwable
        Deprecated.
        Gets the claims that are not done at authorization time. Typically these are done right before the access token is created because there can be out of band calls that happen after the initial set of claims is gotten and before this one is called, e.g., if this is part of a larger system and a bunch of user information (not tracked by OA4MP) is updated before the grant is returned to the user. CILogon is an example of this.
        Returns:
        Throws:
        Throwable
      • checkRequiredClaim

        protected void checkRequiredClaim(net.sf.json.JSONObject claims,
                                          String claimKey)
        Deprecated.
      • checkRequiredClaims

        protected void checkRequiredClaims(net.sf.json.JSONObject claims)
        Deprecated.
        For CIL-499: it is possible to remove key claims with functors and return unusable claims objects. This method checks that the claims that must be present are there, or raises a server-side exception. CIL-540: do not return empty claims either.
        Parameters:
        claims -
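        The following is an added example illustrating the kind of check checkRequiredClaims and isEmpty describe; it is not the project's own code. It uses a plain java.util.Map in place of net.sf.json.JSONObject so that it compiles with the JDK alone, and the set of required keys ("sub" and "iss" in the sample) is an assumption standing in for whatever the server is configured to require.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical required-claims check in the spirit of checkRequiredClaims/isEmpty.
 * Not the project's code; a Map stands in for net.sf.json.JSONObject.
 */
public class RequiredClaimsCheck {

    /** Server-side failure: a claims object that must not be handed back to a client. */
    public static class UnusableClaimsException extends RuntimeException {
        public UnusableClaimsException(String msg) { super(msg); }
    }

    /** Counterpart of isEmpty(String): null, empty or whitespace-only counts as empty. */
    static boolean isEmpty(String x) {
        return x == null || x.trim().isEmpty();
    }

    /** Check a single required claim: the key must exist and its value must be non-empty. */
    static void checkRequiredClaim(Map<String, Object> claims, String claimKey) {
        if (!claims.containsKey(claimKey)) {
            throw new UnusableClaimsException("required claim '" + claimKey + "' is missing");
        }
        Object v = claims.get(claimKey);
        if (v == null || isEmpty(String.valueOf(v))) {
            throw new UnusableClaimsException("required claim '" + claimKey + "' is empty");
        }
    }

    /**
     * Reject an empty claims object outright (the CIL-540 case) and a claims object
     * from which a functor has removed or blanked a required key (the CIL-499 case).
     * The required keys are an assumption here; in a server they come from configuration.
     */
    static void checkRequiredClaims(Map<String, Object> claims, Set<String> requiredKeys) {
        if (claims == null || claims.isEmpty()) {
            throw new UnusableClaimsException("claims object is empty");
        }
        for (String key : requiredKeys) {
            checkRequiredClaim(claims, key);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; "sub" and "iss" as required keys is an assumption.
        Set<String> required = new LinkedHashSet<>(Arrays.asList("sub", "iss"));

        Map<String, Object> good = new HashMap<>();
        good.put("sub", "alice@example.org");
        good.put("iss", "https://issuer.example.org");
        good.put("aud", "client-123");
        checkRequiredClaims(good, required);
        System.out.println("valid claims accepted");

        // Simulate a misconfigured functor that strips the subject claim.
        Map<String, Object> stripped = new HashMap<>(good);
        stripped.remove("sub");
        try {
            checkRequiredClaims(stripped, required);
        } catch (UnusableClaimsException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A functor that blanks a value instead of removing the key is caught as well.
        Map<String, Object> blank = new HashMap<>(good);
        blank.put("iss", "   ");
        try {
            checkRequiredClaims(blank, required);
        } catch (UnusableClaimsException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The CIL-540 case: an empty object is never acceptable.
        try {
            checkRequiredClaims(new HashMap<>(), required);
        } catch (UnusableClaimsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

        The check is deliberately run on the final claims object, after all functors and claim sources have had their turn, since that is the only point at which a removed or blanked key can be detected; a failure here is a server-side error rather than something to report back to the client.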
      • isEmpty

        protected boolean isEmpty(String x)
        Deprecated.
      • dbg

        protected void dbg(Object c,
                           String x)
        Deprecated.