Chapter 7. Service Endpoints

A service endpoint is a URL which serves as the access port for a web service. It may be a standard HTML-based web page, or it may be a *.jsp page.

As every service endpoint is a potential security issue, it may be appropriate to restrict access to some of those endpoints that you do not use. But be careful. Some endpoints, such as isAlive.jsp in the main /path/to/tomcat/webapps/openam directory, are essential and should not be blocked or changed.

Given the large number of available endpoints, this chapter has been organized primarily by subdirectory. Most of the directories were created when the OpenAM war archive was copied to the appropriate web application container, such as the webapps/ subdirectory.

OpenAM may expose several hundred service endpoints, listed in this chapter. Each endpoint shown is listed relative to the deployment URL. For example, if you have deployed OpenAM at https://openam.example.com:8443/openam/, the full URL to the isAlive.jsp endpoint is https://openam.example.com:8443/openam/isAlive.jsp.

OpenAM includes two types of endpoints. One is based on URL patterns, shown with the url-pattern tag. You can find these patterns in the web.xml file, in the /path/to/tomcat/webapps/openam/WEB-INF directory. The other type is based on *.jsp pages, starting in the main /path/to/tomcat/webapps/openam directory, and also in many associated subdirectories. If you copied or created a WAR archive to a name other than openam.war, as described in the installation guide, substitute for the second openam accordingly.
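As an added illustration (not part of the OpenAM documentation or product), the following Python script builds an endpoint inventory the way this chapter describes: it reads every url-pattern from WEB-INF/web.xml, walks the deployment directory for *.jsp pages, lists each relative to the deployment URL, and then names the unused endpoints that could be considered for restriction while never proposing essential ones such as isAlive.jsp. The directory layout, web.xml content and "in use" set it works on are constructed sample data, not a real OpenAM deployment.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# isAlive.jsp must never be blocked (see the chapter); extend as needed.
ESSENTIAL = {"isAlive.jsp"}

def inventory_endpoints(webapp_dir):
    """Sorted endpoint paths relative to the deployment URL, from the two
    sources the chapter names: web.xml url-patterns and *.jsp files."""
    endpoints = set()
    web_xml = os.path.join(webapp_dir, "WEB-INF", "web.xml")
    if os.path.isfile(web_xml):
        # Compare on the local tag name so any web-app XML namespace matches.
        for el in ET.parse(web_xml).iter():
            if el.tag.rsplit("}", 1)[-1] == "url-pattern" and el.text:
                endpoints.add(el.text.strip().lstrip("/"))
    for root, dirs, files in os.walk(webapp_dir):
        dirs[:] = [d for d in dirs if d != "WEB-INF"]  # never served directly
        for name in files:
            if name.endswith(".jsp"):
                rel = os.path.relpath(os.path.join(root, name), webapp_dir)
                endpoints.add(rel.replace(os.sep, "/"))
    return sorted(endpoints)

def restriction_candidates(endpoints, in_use):
    """Endpoints that are neither in use nor essential, i.e. review candidates."""
    return [e for e in endpoints if e not in in_use and e not in ESSENTIAL]

def make_sample_deployment():
    """Constructed sample webapp layout (hypothetical, not a real OpenAM WAR)."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "WEB-INF"))
    os.makedirs(os.path.join(d, "console", "agentconfig"))
    with open(os.path.join(d, "WEB-INF", "web.xml"), "w") as f:
        f.write('<web-app xmlns="http://java.sun.com/xml/ns/javaee">'
                '<servlet-mapping><url-pattern>/json/*</url-pattern>'
                '</servlet-mapping></web-app>')
    for rel in ("isAlive.jsp", "Debug.jsp", "console/agentconfig/AgentAdd.jsp"):
        open(os.path.join(d, rel), "w").close()
    return d

def sample_review(base_url="https://openam.example.com:8443/openam/"):
    """Inventory the sample deployment; return (all URLs, candidate URLs)."""
    eps = inventory_endpoints(make_sample_deployment())
    cands = restriction_candidates(eps, in_use={"json/*"})  # constructed
    return [base_url + e for e in eps], [base_url + e for e in cands]
```

Point `inventory_endpoints` at a real deployment directory such as /path/to/tomcat/webapps/openam to produce the same listing for your own installation.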

Some of these endpoints can be applied directly to a URL when you've connected to the OpenAM server; for example, if you've configured OpenAM on http://idp.example.com:8080/openam, you can log in and review debug options by navigating to http://idp.example.com:8080/openam/Debug.jsp.

Other endpoints can only be used when called by some option in the OpenAM console. For example, while the AgentAdd.jsp endpoint exists in the console/agentconfig subdirectory, you would get an error by navigating directly to a URL such as http://sp.example.com:8080/openam/console/agentconfig/AgentAdd.jsp. For that particular endpoint, you'll have to click through the options required to add an agent (Access Control > realm name > Agents > Agent > New).

In general, this chapter does not include dynamic endpoints, such as those that may include security tokens. The endpoints described in this chapter are based on files included in the installation of an OpenAM server.

There have been two security advisories related to OpenAM endpoints: OpenAM Security Advisory #201203 and OpenAM Security Advisory #201204.

Several options are available for endpoints at risk. Recommendations from the noted security advisories include the following:

Of course, you can take additional steps to help secure your OpenAM deployment. For more information, see the chapter on Securing OpenAM in the Administration Guide.

The OpenAM WAR archive includes *.jsp files in a number of different categories. Many are associated with the applicable subdirectory, such as console/realm. The following sections will examine each *.jsp file, divided by subdirectories.

In some highlighted cases, the noted *.jsp file appears in the code for one or more .java files. If you remove such a *.jsp file from the container, there is a risk that doing so will break some functionality within OpenAM. In other cases, such as any files related to the GUI installation wizard, the applicable *.jsp file can be safely removed from a production system.