Class OIDCCMServlet
- java.lang.Object
- javax.servlet.GenericServlet
- javax.servlet.http.HttpServlet
- edu.uiuc.ncsa.security.servlet.AbstractServlet
- org.oa4mp.server.api.servlet.storage.EnvServlet
- org.oa4mp.server.loader.oauth2.cm.oidc_cm.OIDCCMServlet

All Implemented Interfaces:
edu.uiuc.ncsa.security.core.Logable, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class OIDCCMServlet extends EnvServlet
Note that in all of these calls, the assumption is that an admin client has been requested and approved out of band. The identifier and secret of that admin client are used to make the bearer token that allows access to the calls in this API. This implements both RFC 7591 and part of RFC 7592. Mostly we do not allow the setting of client secrets via this API, and since we do not store them (only a hash of them) we cannot return them. If a secret is lost, the only option is to register a new client.
Nota Bene: RFC 7592 is not intended to become a specification since there is too much variance in how this can operate.
Created by Jeff Gaynor on 11/28/18 at 10:04 AM
- See Also:
- Serialized Form
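The class description states two things a practitioner will want to see concretely: the admin client's identifier and secret are what authenticate calls to this API, and the server keeps only a hash of each secret, so no call can ever return it. The Java example below is added here to show that pattern; it is not OA4MP code, and the page does not say which hash, salt or header encoding the servlet actually uses. It assumes a salted SHA-256 digest and that the credentials arrive as an HTTP Basic Authorization header; the class HashedSecretStore, its methods and the client id "admin-client-1" are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative credential store (added example, not OA4MP's): only a salted hash of each
 * secret is kept, so a GET on the client can never hand the secret back.
 */
public class HashedSecretStore {
    // Per-client record: hash algorithm, salt and digest. The secret itself is never stored.
    record Record(String algorithm, byte[] salt, byte[] digest) {}

    private final Map<String, Record> records = new HashMap<>();
    private final SecureRandom secureRandom = new SecureRandom();

    /** Generates a fresh secret for clientId, stores its hash and returns the secret exactly once. */
    public String register(String clientId) {
        byte[] raw = new byte[32];
        secureRandom.nextBytes(raw);
        String secret = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byte[] salt = new byte[16];
        secureRandom.nextBytes(salt);
        // Assumption: salted SHA-256; the page does not name the servlet's actual algorithm.
        records.put(clientId, new Record("SHA-256", salt, digest("SHA-256", salt, secret)));
        return secret; // the only time the caller ever sees it; a lost secret means re-registering
    }

    /** Verifies an id/secret pair against the stored hash. */
    public boolean verify(String clientId, String presentedSecret) {
        Record r = records.get(clientId);
        if (r == null) {
            return false;
        }
        byte[] presented = digest(r.algorithm(), r.salt(), presentedSecret);
        // MessageDigest.isEqual compares in constant time, so timing does not leak matching bytes.
        return MessageDigest.isEqual(r.digest(), presented);
    }

    /** Assumption: credentials arrive as "Basic base64(id:secret)". Returns the verified id or null. */
    public String verifyAuthorizationHeader(String header) {
        if (header == null || !header.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated exactly like a bad credential
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String id = decoded.substring(0, colon);
        return verify(id, decoded.substring(colon + 1)) ? id : null;
    }

    /** Mirrors the servlet's GET: the record can say a secret exists, never what it is. */
    public boolean hasSecret(String clientId) {
        return records.containsKey(clientId);
    }

    private static byte[] digest(String algorithm, byte[] salt, String secret) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            return md.digest(secret.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        HashedSecretStore store = new HashedSecretStore();
        String secret = store.register("admin-client-1"); // constructed client id
        String header = "Basic " + Base64.getEncoder()
                .encodeToString(("admin-client-1:" + secret).getBytes(StandardCharsets.UTF_8));
        System.out.println(store.verifyAuthorizationHeader(header));
        System.out.println(store.verify("admin-client-1", secret + "x"));
        System.out.println(store.verify("unknown-client", secret));
        System.out.println(store.hasSecret("admin-client-1"));
    }
}
```

The point of the design is in what `Record` does not hold: once `register` returns, the plaintext secret exists only on the caller's side, which is exactly why the page says a lost secret can only be replaced by registering a new client.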
Field Summary
- static String FORWARD_REQUEST_SCOPES_TO_PROXY
- static String PROXY_CLAIMS_LIST
- static String PROXY_REQUEST_SCOPES
- protected SecureRandom secureRandom

Fields inherited from class edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.EnvServlet
ERROR_NOTIFICATION_BODY_KEY, ERROR_NOTIFICATION_SUBJECT_KEY, notificationListeners, storeUpdatesDone

Constructor Summary
- OIDCCMServlet()
Method Summary
All Methods, Instance Methods, Concrete Methods
- protected boolean areAllGrantsSupported(net.sf.json.JSONArray proposedGrants, String[] supportedGrants)
- protected void checkAdminPermission(AdminClient adminClient, OA2Client client)
  Checks that this client exists on the system and that, if it exists, the admin client actually owns it.
- protected boolean checkJAEntry(net.sf.json.JSONArray jsonArray, String entry)
  JSONArray does not check its contains sanely against strings at times.
- protected HashMap<String,String> defaultReplacements(javax.servlet.http.HttpServletRequest req, AdminClient adminClient, OA2Client client)
- protected void doDelete(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp)
  Remove the given client in toto.
- void doGet(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
  Return information about the client.
- protected void doIt(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
- void doPost(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
- protected void doPut(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp)
  Update a client.
- protected void fireMessage(boolean isAnonymous, OA2SE oa2SE, HashMap<String,String> replacements)
- protected String formatIdentifiable(edu.uiuc.ncsa.security.core.Store store, edu.uiuc.ncsa.security.core.Identifiable identifiable)
- protected AdminClient getAndCheckAdminClient(javax.servlet.http.HttpServletRequest request)
  Pulls the id and secret from the header, then verifies the secret and, if it passes, returns the client.
- protected OA2Client getAndCheckOA2Client(javax.servlet.http.HttpServletRequest request)
- protected OA2Client getClient(javax.servlet.http.HttpServletRequest req)
  Get the client from the request.
- protected OA2SE getOA2SE()
- protected net.sf.json.JSON getPayload(javax.servlet.http.HttpServletRequest httpServletRequest, edu.uiuc.ncsa.security.core.util.MetaDebugUtil adminDebugger)
- PermissionServer getPermissionServer()
  We want to be able to manage the permissions associated with a standard client and an admin client.
- protected void handleGrants(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)
- protected void handleResponseTypes(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)
  TL;DR: we support the grant types for the authorization_code flow, so only code and id_token.
- protected OA2Client processRegistrationRequest(net.sf.json.JSONObject jsonRequest, AdminClient adminClient, boolean isAnonymous, javax.servlet.http.HttpServletResponse httpResponse, OA2Client client)
- void storeUpdates()
  This will be invoked at init before anything else and should include code to seamlessly upgrade stores from earlier versions.
- protected net.sf.json.JSONArray toJA(net.sf.json.JSONObject obj, String key)
  Some attributes can come over the wire as either arrays of strings or as blank-delimited strings, e.g. scopes and grant types.
- protected net.sf.json.JSONObject toJSONObject(OA2Client client)
  Take a client and turn it into a response object.
- protected OA2Client updateClient(OA2Client client, AdminClient adminClient, boolean isAnonymous, net.sf.json.JSONObject jsonRequest, boolean newClient, javax.servlet.http.HttpServletResponse httpResponse)

Methods inherited from class edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.EnvServlet
addNotificationListener, loadEnvironment, loadProperties2, processStoreCheck, removeNotificationListener

Methods inherited from class edu.uiuc.ncsa.security.servlet.AbstractServlet
checkContentType, CONST, debug, doPing, error, error, getConfigurationLoader, getEnvironment, getExceptionHandler, getFirstParameterValue, getInitialization, getMyLogger, handleException, info, init, isDebugOn, printAllParameters, printAllParameters, resetState, setConfigurationLoader, setDebugOn, setEnvironment, setExceptionHandler, setInitialization, warn

Methods inherited from class javax.servlet.http.HttpServlet
doHead, doOptions, doTrace, getLastModified, service, service
Field Detail

PROXY_CLAIMS_LIST
public static final String PROXY_CLAIMS_LIST
- See Also: Constant Field Values

FORWARD_REQUEST_SCOPES_TO_PROXY
public static final String FORWARD_REQUEST_SCOPES_TO_PROXY
- See Also: Constant Field Values

PROXY_REQUEST_SCOPES
public static final String PROXY_REQUEST_SCOPES
- See Also: Constant Field Values

secureRandom
protected SecureRandom secureRandom
Method Detail

storeUpdates
public void storeUpdates() throws IOException, SQLException
Description copied from class: EnvServlet
This will be invoked at init before anything else and should include code to seamlessly upgrade stores from earlier versions, for instance if a new column needs to be added to a table. This presupposes that the current user has the correct permissions to alter the table. This also updates the internal flag EnvServlet.storeUpdatesDone, which should be checked in overrides. If you override this method and call super, let super manage this flag. If it is true, do not execute your method.
- Specified by: storeUpdates in class EnvServlet
- Throws: IOException, SQLException

getOA2SE
protected OA2SE getOA2SE()

doGet
public void doGet(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) throws javax.servlet.ServletException, IOException
Return information about the client. Note that we do not return the client secret in this call since, among other reasons, we do not have it.
- Overrides: doGet in class edu.uiuc.ncsa.security.servlet.AbstractServlet
- Parameters: httpServletRequest, httpServletResponse
- Throws: javax.servlet.ServletException, IOException

formatIdentifiable
protected String formatIdentifiable(edu.uiuc.ncsa.security.core.Store store, edu.uiuc.ncsa.security.core.Identifiable identifiable)

defaultReplacements
protected HashMap<String,String> defaultReplacements(javax.servlet.http.HttpServletRequest req, AdminClient adminClient, OA2Client client)

toJSONObject
protected net.sf.json.JSONObject toJSONObject(OA2Client client)
Take a client and turn it into a response object. This is used by both GET and PUT (which is supposed to return the same output as GET when done with its updates).
- Parameters: client
- Returns:
doDelete
protected void doDelete(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) throws javax.servlet.ServletException, IOException
Remove the given client in toto.
- Overrides: doDelete in class javax.servlet.http.HttpServlet
- Parameters: req, resp
- Throws: javax.servlet.ServletException, IOException

checkAdminPermission
protected void checkAdminPermission(AdminClient adminClient, OA2Client client)
Checks that this client exists on the system and that, if it exists, the admin client actually owns it.
- Parameters: adminClient, client

doPut
protected void doPut(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) throws javax.servlet.ServletException, IOException
Update a client. Note that, as per the specification, all values that are sent overwrite existing values, and omitted values are taken to mean the stored value is unset.
- Overrides: doPut in class javax.servlet.http.HttpServlet
- Parameters: req, resp
- Throws: javax.servlet.ServletException, IOException

doPost
public void doPost(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) throws javax.servlet.ServletException, IOException
- Overrides: doPost in class edu.uiuc.ncsa.security.servlet.AbstractServlet
- Throws: javax.servlet.ServletException, IOException

getPermissionServer
public PermissionServer getPermissionServer()
We want to be able to manage the permissions associated with a standard client and an admin client.
- Returns:
getAndCheckAdminClient
protected AdminClient getAndCheckAdminClient(javax.servlet.http.HttpServletRequest request) throws Throwable
Pulls the id and secret from the header, then verifies the secret and, if it passes, returns the client.
- Parameters: request
- Returns:
- Throws: Throwable

getAndCheckOA2Client
protected OA2Client getAndCheckOA2Client(javax.servlet.http.HttpServletRequest request) throws Throwable
- Throws: Throwable

doIt
protected void doIt(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) throws Throwable
- Specified by: doIt in class edu.uiuc.ncsa.security.servlet.AbstractServlet
- Throws: Throwable

getPayload
protected net.sf.json.JSON getPayload(javax.servlet.http.HttpServletRequest httpServletRequest, edu.uiuc.ncsa.security.core.util.MetaDebugUtil adminDebugger) throws IOException
- Throws: IOException

getClient
protected OA2Client getClient(javax.servlet.http.HttpServletRequest req)
Get the client from the request. Note that this may return null if no such client exists; it is up to the calling method to decide whether that is acceptable.
- Parameters: req
- Returns:

updateClient
protected OA2Client updateClient(OA2Client client, AdminClient adminClient, boolean isAnonymous, net.sf.json.JSONObject jsonRequest, boolean newClient, javax.servlet.http.HttpServletResponse httpResponse)
handleResponseTypes
protected void handleResponseTypes(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)
TL;DR: we support the grant types for the authorization_code flow, so only code and id_token. We explicitly reject every other response_type at this point; in particular, we reject the value "token", which is only for the implicit flow.
- Parameters: client, jsonRequest, keys

checkJAEntry
protected boolean checkJAEntry(net.sf.json.JSONArray jsonArray, String entry)
JSONArray does not check its contains sanely against strings at times.
- Parameters: jsonArray, entry
- Returns:

areAllGrantsSupported
protected boolean areAllGrantsSupported(net.sf.json.JSONArray proposedGrants, String[] supportedGrants)

handleGrants
protected void handleGrants(OA2Client client, net.sf.json.JSONObject jsonRequest, OA2ClientKeys keys)

toJA
protected net.sf.json.JSONArray toJA(net.sf.json.JSONObject obj, String key)
Some attributes can come over the wire as either arrays of strings or as blank-delimited strings, e.g. scopes and grant types. Just figure it out and hand back the array. Note this will remove duplicates.
- Parameters: obj, key
- Returns:
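The doPut, handleResponseTypes, checkJAEntry and toJA descriptions together define how incoming client metadata is normalised and checked: an attribute may arrive as a JSON array or as a blank-delimited string and is de-duplicated, membership is tested by string value rather than by trusting JSONArray.contains, only the authorization_code response types (code, id_token) are accepted and "token" is refused, and a PUT replaces the whole record so that omitted attributes become unset. The Java example below is added to show those rules working together on a constructed request; it is not OA4MP's code. The class ClientMetadataUpdate, the helper buildReplacement and the sample requests are constructed for the example; the net.sf.json (json-lib) types are the ones used in the method signatures above.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;

/** Illustrative metadata normalisation for an RFC 7591/7592 request (added example, not OA4MP code). */
public class ClientMetadataUpdate {
    // Only the authorization_code flow's response types are accepted; "token" (implicit flow) is not.
    static final Set<String> SUPPORTED_RESPONSE_TYPES =
            new LinkedHashSet<>(Arrays.asList("code", "id_token"));

    /** Like toJA: accept a JSON array of strings or a blank-delimited string; return a de-duplicated array. */
    static JSONArray toJA(JSONObject obj, String key) {
        LinkedHashSet<String> values = new LinkedHashSet<>(); // keeps order, drops duplicates
        if (obj.has(key)) {
            Object raw = obj.get(key);
            if (raw instanceof JSONArray) {
                JSONArray arr = (JSONArray) raw;
                for (int i = 0; i < arr.size(); i++) {
                    addIfNotBlank(values, arr.getString(i));
                }
            } else {
                for (String v : raw.toString().trim().split("\\s+")) {
                    addIfNotBlank(values, v);
                }
            }
        }
        return JSONArray.fromObject(values);
    }

    private static void addIfNotBlank(Set<String> values, String v) {
        String t = v.trim();
        if (!t.isEmpty()) values.add(t);
    }

    /** Like checkJAEntry: test membership by string value instead of relying on JSONArray.contains. */
    static boolean checkJAEntry(JSONArray jsonArray, String entry) {
        for (int i = 0; i < jsonArray.size(); i++) {
            if (entry.equals(jsonArray.getString(i))) return true;
        }
        return false;
    }

    /** Reject any response_type outside SUPPORTED_RESPONSE_TYPES before anything is stored. */
    static JSONArray handleResponseTypes(JSONObject jsonRequest) {
        JSONArray requested = toJA(jsonRequest, "response_types");
        for (int i = 0; i < requested.size(); i++) {
            String rt = requested.getString(i);
            if (!SUPPORTED_RESPONSE_TYPES.contains(rt)) {
                throw new IllegalArgumentException("unsupported response_type: " + rt);
            }
        }
        return requested;
    }

    /**
     * PUT semantics from the doPut description: the record is rebuilt from the request alone,
     * so any attribute the request omits is unset, whatever the stored record held before.
     */
    static Map<String, Object> buildReplacement(JSONObject jsonRequest) {
        Map<String, Object> updated = new HashMap<>();
        updated.put("response_types", handleResponseTypes(jsonRequest));
        updated.put("grant_types", toJA(jsonRequest, "grant_types"));
        updated.put("scope", toJA(jsonRequest, "scope"));
        if (jsonRequest.has("client_name")) {
            updated.put("client_name", jsonRequest.getString("client_name"));
        }
        return updated;
    }

    public static void main(String[] args) {
        // Constructed request: scope as a blank-delimited string, response_types as an array with a
        // duplicate, and no grant_types at all, so any stored grant_types value is unset by this PUT.
        JSONObject req = JSONObject.fromObject(
                "{\"client_name\":\"demo\",\"scope\":\"openid email openid\","
              + "\"response_types\":[\"code\",\"id_token\",\"code\"]}");
        Map<String, Object> replacement = buildReplacement(req);
        System.out.println(replacement);
        System.out.println(checkJAEntry((JSONArray) replacement.get("scope"), "email"));

        // A request naming "token" is refused before anything is stored.
        JSONObject bad = JSONObject.fromObject("{\"response_types\":\"code token\"}");
        try {
            buildReplacement(bad);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Validation runs inside buildReplacement, before the map is returned, so a rejected response_type never produces a partially updated record; the empty grant_types array in the first result is the visible effect of the replace-not-merge rule the doPut description spells out.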
processRegistrationRequest
protected OA2Client processRegistrationRequest(net.sf.json.JSONObject jsonRequest, AdminClient adminClient, boolean isAnonymous, javax.servlet.http.HttpServletResponse httpResponse, OA2Client client)