Class OIDCCMServlet

  • All Implemented Interfaces:
    edu.uiuc.ncsa.security.core.Logable, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

    public class OIDCCMServlet
    extends EnvServlet
Note that in all of these calls, the assumption is that an admin client has been requested and approved out of band. The identifier and secret of that admin client are used to make the bearer token that allows access to the calls in this API. This implements both RFC 7591 and part of RFC 7592. Generally we do not allow the setting of client secrets via this API, and since we do not store them (only a hash of them) we cannot return them. If a secret is lost, the only option is to register a new client.

Nota Bene: RFC 7592 is published as an Experimental RFC rather than a Standards Track specification, since there is too much variance in how this can operate.
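The secret-handling rule above (store only a hash, verify on each call, never return the secret, re-register if lost) as an added example; this is not OA4MP code. The class, the "Bearer base64(id:secret)" header layout in parseBearer and the sample client id are assumptions made for this example, not the servlet's actual format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not OA4MP code. Keeps only a SHA-256 digest of each admin
 * client secret, so a presented secret can be verified but never read back.
 * The header layout handled by parseBearer is an assumption for this example.
 */
public class HashedSecretStore {
    private static final SecureRandom RNG = new SecureRandom();
    /** client id -> SHA-256(secret). The plaintext secret is never stored. */
    private final Map<String, byte[]> hashes = new HashMap<>();

    /** Registers a client and returns its secret exactly once, for out-of-band delivery. */
    public String register(String clientId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // A plain digest is adequate here because the secret is 256 random bits, not a user password.
        String secret = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        hashes.put(clientId, sha256(secret));
        return secret;
    }

    /** Constant-time check of a presented secret against the stored digest. */
    public boolean verify(String clientId, String presented) {
        byte[] stored = hashes.get(clientId);
        if (stored == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(stored, sha256(presented));
    }

    /** What a GET can return: metadata only. There is no secret field because there is no secret to return. */
    public Map<String, Object> describe(String clientId) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("client_id", clientId);
        out.put("has_secret", hashes.containsKey(clientId));
        return out;
    }

    /** A lost secret cannot be recovered; the only remedy is to issue a new one. */
    public String rotate(String clientId) {
        hashes.remove(clientId);
        return register(clientId);
    }

    /**
     * Splits "Bearer base64(id:secret)" into {id, secret}; null if malformed.
     * Assumed layout. The secret is base64url and so contains no ':', hence the
     * split is on the last colon and URI-style ids containing ':' survive.
     */
    public static String[] parseBearer(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return null;
        }
        String decoded;
        try {
            byte[] bytes = Base64.getDecoder().decode(authorizationHeader.substring(7).trim());
            decoded = new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.lastIndexOf(':');
        if (colon <= 0 || colon == decoded.length() - 1) {
            return null;
        }
        return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        HashedSecretStore store = new HashedSecretStore();
        String adminId = "admin-client-example";   // constructed sample id
        String secret = store.register(adminId);
        String header = "Bearer " + Base64.getEncoder().encodeToString(
                (adminId + ":" + secret).getBytes(StandardCharsets.UTF_8));
        String[] cred = parseBearer(header);
        System.out.println("verify presented secret: " + store.verify(cred[0], cred[1]));
        System.out.println("verify wrong secret:     " + store.verify(cred[0], "not-the-secret"));
        System.out.println("GET-style view:          " + store.describe(cred[0]));
        String fresh = store.rotate(cred[0]);
        System.out.println("old secret after rotate: " + store.verify(cred[0], cred[1]));
        System.out.println("new secret after rotate: " + store.verify(cred[0], fresh));
    }
}
```

The point of MessageDigest.isEqual rather than Arrays.equals is that the comparison does not short-circuit on the first differing byte, so response timing does not leak how much of a guessed secret was right.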

    Created by Jeff Gaynor
    on 11/28/18 at 10:04 AM

    See Also:
    Serialized Form
    • Constructor Summary

      Constructors 
      Constructor Description
      OIDCCMServlet()  
    • Method Summary

      Modifier and Type Method Description
      protected boolean areAllGrantsSupported​(net.sf.json.JSONArray proposedGrants, String[] supportedGrants)  
      protected void checkAdminPermission​(AdminClient adminClient, OA2Client client)
      Checks that this client exists on the system and that if it exists, the admin client actually owns it.
      protected boolean checkJAEntry​(net.sf.json.JSONArray jsonArray, String entry)
JSONArray.contains does not always compare correctly against strings, so membership is checked explicitly here.
      protected HashMap<String,​String> defaultReplacements​(javax.servlet.http.HttpServletRequest req, AdminClient adminClient, OA2Client client)  
      protected void doDelete​(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp)
      Remove the given client in toto.
      void doGet​(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
      Return information about the client.
      protected void doIt​(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)  
      void doPost​(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)  
      protected void doPut​(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp)
      Update a client.
      protected void fireMessage​(boolean isAnonymous, OA2SE oa2SE, HashMap<String,​String> replacements)  
      protected String formatIdentifiable​(edu.uiuc.ncsa.security.core.Store store, edu.uiuc.ncsa.security.core.Identifiable identifiable)  
      protected AdminClient getAndCheckAdminClient​(javax.servlet.http.HttpServletRequest request)
Pulls the id and secret from the request header, verifies the secret and, if it passes, returns the admin client.
      protected OA2Client getAndCheckOA2Client​(javax.servlet.http.HttpServletRequest request)  
      protected OA2Client getClient​(javax.servlet.http.HttpServletRequest req)
      Get the client from the request.
      protected OA2SE getOA2SE()  
      protected net.sf.json.JSON getPayload​(javax.servlet.http.HttpServletRequest httpServletRequest, edu.uiuc.ncsa.security.core.util.MetaDebugUtil adminDebugger)  
      PermissionServer getPermissionServer()
      We want to be able to manage the permissions associated with a standard client and an admin client.
      protected void handleGrants​(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)  
      protected void handleResponseTypes​(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)
TL;DR: we support only the response types for the authorization_code flow, so only code and id_token.
      protected OA2Client processRegistrationRequest​(net.sf.json.JSONObject jsonRequest, AdminClient adminClient, boolean isAnonymous, javax.servlet.http.HttpServletResponse httpResponse, OA2Client client)  
      void storeUpdates()
      This will be invoked at init before anything else and should include code to seamlessly upgrade stores from earlier versions.
      protected net.sf.json.JSONArray toJA​(net.sf.json.JSONObject obj, String key)
Some attributes can come over the wire either as arrays of strings or as blank-delimited strings, e.g.
      protected net.sf.json.JSONObject toJSONObject​(OA2Client client)
Take a client and turn it into a response object.
      protected OA2Client updateClient​(OA2Client client, AdminClient adminClient, boolean isAnonymous, net.sf.json.JSONObject jsonRequest, boolean newClient, javax.servlet.http.HttpServletResponse httpResponse)  
      • Methods inherited from class edu.uiuc.ncsa.security.servlet.AbstractServlet

        checkContentType, CONST, debug, doPing, error, error, getConfigurationLoader, getEnvironment, getExceptionHandler, getFirstParameterValue, getInitialization, getMyLogger, handleException, info, init, isDebugOn, printAllParameters, printAllParameters, resetState, setConfigurationLoader, setDebugOn, setEnvironment, setExceptionHandler, setInitialization, warn
      • Methods inherited from class javax.servlet.http.HttpServlet

        doHead, doOptions, doTrace, getLastModified, service, service
      • Methods inherited from class javax.servlet.GenericServlet

        destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log
    • Constructor Detail

      • OIDCCMServlet

        public OIDCCMServlet()
    • Method Detail

      • storeUpdates

        public void storeUpdates()
                          throws IOException,
                                 SQLException
        Description copied from class: EnvServlet
This will be invoked at init before anything else and should include code to seamlessly upgrade stores from earlier versions, for instance if a new column needs to be added to a table. This presupposes that the current database user has the permissions needed to alter the table. This also updates the internal flag EnvServlet.storeUpdatesDone, which should be checked in overrides. If you override this method and call super, let super manage this flag. If it is true, do not execute your method.
        Specified by:
        storeUpdates in class EnvServlet
        Throws:
        IOException
        SQLException
      • getOA2SE

        protected OA2SE getOA2SE()
      • doGet

        public void doGet​(javax.servlet.http.HttpServletRequest httpServletRequest,
                          javax.servlet.http.HttpServletResponse httpServletResponse)
                   throws javax.servlet.ServletException,
                          IOException
Return information about the client. Note that we do not return the client secret in this call since, among other reasons, we do not have it: only its hash is stored.
        Overrides:
        doGet in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Parameters:
        httpServletRequest -
        httpServletResponse -
        Throws:
        javax.servlet.ServletException
        IOException
      • formatIdentifiable

        protected String formatIdentifiable​(edu.uiuc.ncsa.security.core.Store store,
                                            edu.uiuc.ncsa.security.core.Identifiable identifiable)
      • toJSONObject

        protected net.sf.json.JSONObject toJSONObject​(OA2Client client)
Take a client and turn it into a response object. This is used by both GET and PUT (which is supposed to return the same output as GET when done with its updates).
        Parameters:
        client -
        Returns:
      • doDelete

        protected void doDelete​(javax.servlet.http.HttpServletRequest req,
                                javax.servlet.http.HttpServletResponse resp)
                         throws javax.servlet.ServletException,
                                IOException
        Remove the given client in toto.
        Overrides:
        doDelete in class javax.servlet.http.HttpServlet
        Parameters:
        req -
        resp -
        Throws:
        javax.servlet.ServletException
        IOException
      • checkAdminPermission

        protected void checkAdminPermission​(AdminClient adminClient,
                                            OA2Client client)
        Checks that this client exists on the system and that if it exists, the admin client actually owns it.
        Parameters:
        adminClient -
        client -
      • doPut

        protected void doPut​(javax.servlet.http.HttpServletRequest req,
                             javax.servlet.http.HttpServletResponse resp)
                      throws javax.servlet.ServletException,
                             IOException
Update a client. Note that, as per the specification (RFC 7592), all values that are sent overwrite existing values, and omitted values are taken to mean the stored value is unset.
        Overrides:
        doPut in class javax.servlet.http.HttpServlet
        Parameters:
        req -
        resp -
        Throws:
        javax.servlet.ServletException
        IOException
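The replace-not-merge semantics of doPut as an added example, not OA4MP code: a PUT that omits a field clears it, so a caller that sends only the field it wants to change silently loses its redirect URIs. The field set, the sample client and the decision to reject (rather than ignore) secret and server-assigned fields are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not OA4MP code. Applies an RFC 7592 style update: the request
 * replaces the stored metadata wholesale, so any updatable field it omits is cleared.
 */
public class ClientMetadataUpdate {
    /** Fields a PUT may change (subset chosen for this example). */
    static final Set<String> UPDATABLE = Set.of(
            "client_name", "redirect_uris", "scope", "grant_types", "response_types", "contacts");
    /** Server-assigned fields that RFC 7592 section 2.2 says an update must not carry. */
    static final Set<String> SERVER_ASSIGNED = Set.of(
            "registration_access_token", "registration_client_uri",
            "client_secret_expires_at", "client_id_issued_at");

    static Map<String, Object> applyPut(Map<String, Object> stored, Map<String, Object> request) {
        Object id = request.get("client_id");
        if (id == null || !id.equals(stored.get("client_id"))) {
            throw new IllegalArgumentException("client_id missing or does not match the stored client");
        }
        for (String f : SERVER_ASSIGNED) {
            if (request.containsKey(f)) {
                throw new IllegalArgumentException("server-assigned field in update: " + f);
            }
        }
        // Secrets are not settable through this API (only a hash is ever stored).
        if (request.containsKey("client_secret")) {
            throw new IllegalArgumentException("client_secret cannot be set through this API");
        }
        Map<String, Object> updated = new LinkedHashMap<>(stored);
        for (String f : UPDATABLE) {
            if (request.containsKey(f)) {
                updated.put(f, request.get(f));   // sent value overwrites the stored one
            } else {
                updated.remove(f);                // omitted value unsets the stored one
            }
        }
        return updated;
    }

    public static void main(String[] args) {
        // Constructed sample: a stored client with two redirect URIs and a scope.
        Map<String, Object> stored = new LinkedHashMap<>();
        stored.put("client_id", "cm-example-client");
        stored.put("client_name", "Example portal");
        stored.put("redirect_uris", List.of("https://portal.example/cb", "https://portal.example/cb2"));
        stored.put("scope", "openid email");

        // A "partial" PUT that only renames the client drops redirect_uris and scope.
        Map<String, Object> partial = Map.of("client_id", "cm-example-client", "client_name", "Renamed portal");
        System.out.println("after partial PUT: " + applyPut(stored, partial));

        // The correct way: echo back the full metadata with the one change applied.
        Map<String, Object> full = new LinkedHashMap<>(stored);
        full.put("client_name", "Renamed portal");
        System.out.println("after full PUT:    " + applyPut(stored, full));

        // Attempts to set a secret are rejected rather than silently ignored.
        Map<String, Object> bad = new LinkedHashMap<>(full);
        bad.put("client_secret", "attempted-new-secret");
        try {
            applyPut(stored, bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical rule for callers is: do a GET first, modify the returned document, and PUT the whole thing back. Clients that keep a cached copy of their metadata and PUT that risk reverting redirect URIs someone else has since tightened.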
      • doPost

        public void doPost​(javax.servlet.http.HttpServletRequest httpServletRequest,
                           javax.servlet.http.HttpServletResponse httpServletResponse)
                    throws javax.servlet.ServletException,
                           IOException
        Overrides:
        doPost in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Throws:
        javax.servlet.ServletException
        IOException
      • getPermissionServer

        public PermissionServer getPermissionServer()
        We want to be able to manage the permissions associated with a standard client and an admin client.
        Returns:
      • getAndCheckAdminClient

        protected AdminClient getAndCheckAdminClient​(javax.servlet.http.HttpServletRequest request)
                                              throws Throwable
Pulls the id and secret from the request header, verifies the secret and, if it passes, returns the admin client.
        Parameters:
        request -
        Returns:
        Throws:
        Throwable
      • getAndCheckOA2Client

        protected OA2Client getAndCheckOA2Client​(javax.servlet.http.HttpServletRequest request)
                                          throws Throwable
        Throws:
        Throwable
      • doIt

        protected void doIt​(javax.servlet.http.HttpServletRequest httpServletRequest,
                            javax.servlet.http.HttpServletResponse httpServletResponse)
                     throws Throwable
        Specified by:
        doIt in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Throws:
        Throwable
      • getPayload

        protected net.sf.json.JSON getPayload​(javax.servlet.http.HttpServletRequest httpServletRequest,
                                              edu.uiuc.ncsa.security.core.util.MetaDebugUtil adminDebugger)
                                       throws IOException
        Throws:
        IOException
      • getClient

        protected OA2Client getClient​(javax.servlet.http.HttpServletRequest req)
        Get the client from the request. Note that this may return null if no such client exists and it is up to the calling method to decide if this is ok.
        Parameters:
        req -
        Returns:
      • updateClient

        protected OA2Client updateClient​(OA2Client client,
                                         AdminClient adminClient,
                                         boolean isAnonymous,
                                         net.sf.json.JSONObject jsonRequest,
                                         boolean newClient,
                                         javax.servlet.http.HttpServletResponse httpResponse)
      • handleResponseTypes

        protected void handleResponseTypes​(OA2Client client,
                                           net.sf.json.JSONObject jsonRequest,
                                           OA2ClientKeys keys)
TL;DR: we support only the response types for the authorization_code flow, so only code and id_token. We explicitly reject every other response_type at this point; in particular, we reject the value "token", which is only for the implicit flow.
        Parameters:
        client -
        jsonRequest -
        keys -
      • checkJAEntry

        protected boolean checkJAEntry​(net.sf.json.JSONArray jsonArray,
                                       String entry)
JSONArray.contains does not always compare correctly against strings, so membership is checked explicitly here.
        Parameters:
        jsonArray -
        entry -
        Returns:
      • areAllGrantsSupported

        protected boolean areAllGrantsSupported​(net.sf.json.JSONArray proposedGrants,
                                                String[] supportedGrants)
      • handleGrants

        protected void handleGrants​(OA2Client client,
                                    net.sf.json.JSONObject jsonRequest,
                                    OA2ClientKeys keys)
      • toJA

        protected net.sf.json.JSONArray toJA​(net.sf.json.JSONObject obj,
                                             String key)
Some attributes can come over the wire either as arrays of strings or as blank-delimited strings, e.g. scopes and grant types. Just figure it out and hand back the array. Note this will remove duplicates.
        Parameters:
        obj -
        key -
        Returns:
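The normalisation described for toJA, together with the response_type whitelist of handleResponseTypes and the grant check of areAllGrantsSupported, as an added example; this is not OA4MP code. Plain Java collections stand in for net.sf.json, and the set of supported grant types is an assumption made for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not OA4MP code. Accepts response_types / grant_types either as a
 * list or as a blank-delimited string, de-duplicates, then applies the whitelist.
 */
public class RegistrationValidator {
    static final Set<String> SUPPORTED_RESPONSE_TYPES = Set.of("code", "id_token");
    /** Assumed for this example; the page does not list the supported grant types. */
    static final Set<String> SUPPORTED_GRANT_TYPES = Set.of("authorization_code", "refresh_token");

    /** toJA analogue: List or String in, ordered duplicate-free list out. */
    static List<String> toList(Object value) {
        Set<String> out = new LinkedHashSet<>();
        if (value instanceof List) {
            for (Object o : (List<?>) value) {
                if (o != null) {
                    addTokens(out, o.toString());
                }
            }
        } else if (value != null) {
            addTokens(out, value.toString());
        }
        return new ArrayList<>(out);
    }

    private static void addTokens(Set<String> out, String s) {
        for (String t : s.trim().split("\\s+")) {
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
    }

    /** areAllGrantsSupported analogue. */
    static boolean allSupported(List<String> proposed, Set<String> supported) {
        return supported.containsAll(proposed);
    }

    /** Returns the normalised response_types and grant_types; throws on anything outside the whitelist. */
    static Map<String, List<String>> validate(Map<String, Object> request) {
        List<String> responseTypes = toList(request.get("response_types"));
        if (responseTypes.isEmpty()) {
            responseTypes = List.of("code");             // RFC 7591 default
        }
        for (String rt : responseTypes) {
            // "token" (implicit flow) ends up here and is refused.
            if (!SUPPORTED_RESPONSE_TYPES.contains(rt)) {
                throw new IllegalArgumentException("unsupported response_type: " + rt);
            }
        }
        List<String> grantTypes = toList(request.get("grant_types"));
        if (grantTypes.isEmpty()) {
            grantTypes = List.of("authorization_code");  // RFC 7591 default
        }
        if (!allSupported(grantTypes, SUPPORTED_GRANT_TYPES)) {
            throw new IllegalArgumentException("unsupported grant_types: " + grantTypes);
        }
        return Map.of("response_types", responseTypes, "grant_types", grantTypes);
    }

    public static void main(String[] args) {
        // Constructed samples: the same metadata as an array and as a blank-delimited string.
        System.out.println(validate(Map.of(
                "response_types", List.of("code", "id_token", "code"),
                "grant_types", "authorization_code refresh_token")));
        System.out.println(validate(Map.of("response_types", "code id_token")));
        System.out.println(validate(Map.of()));

        // Implicit-flow request: rejected.
        try {
            validate(Map.of("response_types", List.of("code", "token")));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Splitting on blanks means the OIDC hybrid value "code id_token" arrives as two tokens and passes, while any request naming "token" fails regardless of whether it was sent as its own array element or embedded in a space-separated string.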
      • processRegistrationRequest

        protected OA2Client processRegistrationRequest​(net.sf.json.JSONObject jsonRequest,
                                                       AdminClient adminClient,
                                                       boolean isAnonymous,
                                                       javax.servlet.http.HttpServletResponse httpResponse,
                                                       OA2Client client)
      • fireMessage

        protected void fireMessage​(boolean isAnonymous,
                                   OA2SE oa2SE,
                                   HashMap<String,​String> replacements)