7.24. WEB-INF Endpoints

The web.xml deployment descriptor in the OpenAM WAR archive maps URL patterns to servlets and filters. The following section describes each of the identified URL patterns.

Each endpoint in this section is a path appended to the OpenAM deployment URL. Many of the endpoints declared in the web.xml file are not directly related to the .jsp files described in other parts of this chapter.

The endpoints in this section are taken from all url-pattern elements, listed in the order in which they appear in the web.xml file available at the time of this writing. The list changes frequently, so compare it against the WEB-INF/web.xml in your own deployment. If you want to disable one or more of these endpoints, you may be able to delete their mappings from the web.xml file. Be aware that this removes only the mapping: the servlet class stays in the WAR, and any feature that depends on the endpoint stops working, so test the change in a non-production deployment first.

Each of the url-patterns shown in the web.xml file is associated with elements such as a filter-name or a servlet-name. The definitions that follow use those elements to help identify the function of each endpoint listed in the web.xml file. Many of these elements can be directly related to a .java file.
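To rebuild this list from the web.xml in your own deployment (the list above changes between releases), the following added Python script, which is not part of OpenAM, parses web.xml and resolves every url-pattern to the servlet class, JSP file or filter class behind it; disable_pattern() shows what deleting an endpoint from web.xml actually changes. The embedded SAMPLE_WEB_XML is constructed for the example: the /saml2/jsp/spMNIPOST.jsp path and the com.sun.identity.setup package of AMSetupFilter are assumptions, the other class names are the ones given in this section.

```python
"""Inventory the url-pattern entries in an OpenAM web.xml.

Added example (not OpenAM code): resolves every <url-pattern> to the
<servlet-class>, <jsp-file> or <filter-class> behind it, and shows what
deleting an endpoint from web.xml actually changes. SAMPLE_WEB_XML is
constructed; the jsp-file path and the AMSetupFilter package are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")  # keep xmlns on output

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>AMSetupFilter</filter-name>
    <filter-class>com.sun.identity.setup.AMSetupFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AMSetupFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>SPMniSoap</servlet-name>
    <servlet-class>com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>spMNIPOST.jsp</servlet-name>
    <jsp-file>/saml2/jsp/spMNIPOST.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>SPMniSoap</servlet-name>
    <url-pattern>/SPMniSoap/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>spMNIPOST.jsp</servlet-name>
    <url-pattern>/SPMniPOST/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

@dataclass(frozen=True)
class Mapping:
    url_pattern: str
    kind: str    # "servlet" or "filter"
    name: str    # servlet-name or filter-name
    target: str  # servlet-class, jsp-file or filter-class; "" if not declared

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def inventory(web_xml):
    """List url-patterns in document order, each resolved to its class or JSP."""
    root = ET.fromstring(web_xml)
    targets = {}
    for elem in root:
        tag = _local(elem.tag)
        if tag == "servlet":
            targets[("servlet", _child_text(elem, "servlet-name"))] = (
                _child_text(elem, "servlet-class") or _child_text(elem, "jsp-file"))
        elif tag == "filter":
            targets[("filter", _child_text(elem, "filter-name"))] = _child_text(elem, "filter-class")
    found = []
    for elem in root:
        tag = _local(elem.tag)
        if tag in ("servlet-mapping", "filter-mapping"):
            kind = tag.split("-")[0]
            name = _child_text(elem, kind + "-name")
            for child in elem:
                if _local(child.tag) == "url-pattern":
                    found.append(Mapping((child.text or "").strip(), kind, name,
                                         targets.get((kind, name), "")))
    return found

def disable_pattern(web_xml, pattern):
    """Remove every mapping of `pattern`. The <servlet>/<filter> declaration
    stays, so the class still loads; it is just no longer reachable at that URL."""
    root = ET.fromstring(web_xml)
    for elem in list(root):
        if _local(elem.tag) not in ("servlet-mapping", "filter-mapping"):
            continue
        patterns = [c for c in elem if _local(c.tag) == "url-pattern"]
        for c in patterns:
            if (c.text or "").strip() == pattern:
                elem.remove(c)
        if patterns and not any(_local(c.tag) == "url-pattern" for c in elem):
            root.remove(elem)  # this mapping declared only the removed pattern
    return ET.tostring(root, encoding="unicode")
```

Against a real deployment, call inventory() on the contents of WEB-INF/web.xml; a Mapping whose target is empty points at a servlet-name with no matching declaration, which is worth a closer look. disable_pattern() deliberately leaves the servlet or filter declaration in place, which is why deleting an endpoint this way only changes reachability, not what is loaded.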

/*

This entry is a filter mapping that applies to every endpoint rather than a servlet. It is associated with the ResponseValidationFilter, which checks for valid URLs, and with the AMSetupFilter.java file, which on systems not yet configured redirects users to the setup wizard.

ws/*

Specifies a group of URLs related to authentication endpoints, as it is associated with the AuthNFilter.java and AuthZFilter.java files. However, those files (and the associated RestServiceManager.java file) are not called by any other files in the trunk.

/login

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Login.jsp endpoint.

/logout

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Logout.jsp endpoint.

/UI/*

With the help of the LoginServlet.java file, this forwards to the default login page for an OpenAM system.

/config/configurator

Uses the AMSetupServlet, which, as noted in the associated .java file, "is the first class to get loaded by the Servlet container".

/setup/setSetupProgress

Used by the installation wizard to display the progress.

/upgrade/setUpgradeProgress

Used by the upgrade wizard to display progress.

/ui/*

Associated with the servlet named PWResetServlet, which handles password resets.

/gateway

Used with the servlet named GatewayServlet. Associated with the Gateway.java file, which takes an authentication module and forwards it to a login URL.

/GetHttpSession

The associated .java file supports session failover (SFO).

/sessionservice, /profileservice, /policyservice, /namingservice, /loggingservice, /authservice, /notificationservice

All of these endpoints are associated with OpenAM Security Advisory #201203. As suggested in the advisory, if you're using OpenAM version 9.5.4 or 10.0.0, you should be sure to apply the updates required to upgrade your systems to versions 9.5.5 or 10.0.1 (or higher).

/jaxrpc/*, /identityservices/*

These endpoints provide information on configured web services, including the port name, status, URL, and implementation class. Both endpoints show the same data. The IdentityServices servlet name points to the following description: "Web Service Endpoint - Identity Services".

/SMSServlet

Includes system configuration information when available, as documented in the comments to the AMSystemConfig.java file.

/notification

The associated servlet, named notificationservlet, appears to be commonly used. Requesting the URL returns an HTTP 200 response with a URL success message.

/entitlementmonitor

Used by the NetworkMonitor.java file, which is essential to the monitoring of OpenAM services.

/identity/*

Possibly a legacy endpoint. While the associated IdentityServicesHandler servlet is identified as "REST Endpoint - Identity Services", it is only cited in the IdentityServicesHandler.java file.

/resources/*

Linked to an oauth servlet. The associated com.sun.identity.oauth.service.RestService class is rarely used.

/authentication/*

Associated with the servlet named AuthServlet. The associated AuthServer.java file is the controller servlet for realm authentication pages. When the URL is entered prior to login, it defaults to the standard login page.

/base/*

Associated with the servlet named AMBaseServlet. While the associated AMBaseServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/service/*

Associated with the servlet named SCServlet. While the associated SCServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/session/*

Associated with the servlet named SMServlet. While the associated SMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/realm/*

Associated with the servlet named RMServlet. While the associated RMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/policy/*

Associated with the servlet named PMServlet. While the associated PMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/idm/*

Associated with the servlet named IDMServlet. While the associated IDMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/user/*

Associated with the servlet named UMServlet. While the associated UMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/delegation/*

Associated with the servlet named DelegationServlet. While the associated DelegationServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/task/*

Associated with the servlet named TaskServlet. While the associated TaskServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/agentconfig/*

Associated with the servlet named AgentConfigurationServlet. The associated AgentConfigurationServlet class is called by the amAccessControl.xml file, which suggests that it can be configured from the GUI console, through the Agents section of the Access Control menu. It is rarely used otherwise. The URL prior to login defaults to the standard login page.

/ccversion/*

Associated with the servlet named click-servlet. There is no associated click-servlet.java or ClickServlet.java file.

/federation/*

Associated with the servlet named FSServlet. While the associated FSServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/webservices

Used by the WSServlet.java and SecurityTokenService.java files. If you're using web services and/or the Security Token Service (STS), you may want to keep this in place.

/sts, /sts/mex, /sts/soap11

Associated with the Security Token Service (STS). Be aware that these endpoints expose basic service and port information for the STS, Metadata Exchange (MEX), SOAP 1.1 and Web Services Description Language (WSDL) endpoints without requiring a login.

/sts/mexsoap11

Associated with the STS. Unlike the other STS endpoints, it returns an HTTP 404 response by default.
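Many entries in this section state what an endpoint does before login: most of the console servlets redirect to the standard login page, the /sts endpoints answer without a login, and /sts/mexsoap11 returns 404. The following added Python script, which is not part of OpenAM, turns those observations into a repeatable check against your own deployment: it requests each url-pattern's prefix with no cookies, does not follow redirects, and classifies the response. The HTTP layer is a parameter, so the logic runs offline against the constructed FAKE_RESPONSES; pass http_fetch to run it for real. The base URL http://openam.example.com:8080/openam is a placeholder.

```python
"""Check which web.xml endpoints an OpenAM deployment serves without a session.

Added example, not OpenAM code. Requests each url-pattern's prefix with no
cookies, does not follow redirects, and classifies the answer the way this
section does: redirect to /UI/Login, content served without a login, or 404.
FAKE_RESPONSES is constructed for offline use; http_fetch does real requests.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back to the caller instead of following it


def http_fetch(url):
    """GET `url` with no cookies; return (status, Location header or '')."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "endpoint-inventory"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        return err.code, err.headers.get("Location", "")


def pattern_to_path(pattern):
    """Turn a url-pattern into a request path: '/sts/*' -> '/sts/', '/*' -> '/'."""
    return pattern[:-1] if pattern.endswith("/*") else pattern


def classify(status, location):
    if status in REDIRECT_CODES:
        return "login-redirect" if "/UI/Login" in location else "redirect"
    if status == 404:
        return "not-found"
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "served-unauthenticated"
    return "other-%d" % status


def probe(base_url, patterns, fetch=http_fetch):
    """Map each url-pattern to its classification for an anonymous GET."""
    base = base_url.rstrip("/")
    return {pat: classify(*fetch(base + pattern_to_path(pat))) for pat in patterns}


def exposed(results):
    """Patterns answered with a 2xx and no session: each one needs a review."""
    return sorted(pat for pat, verdict in results.items()
                  if verdict == "served-unauthenticated")


# Constructed responses that mirror what this section reports for these endpoints.
FAKE_RESPONSES = {
    "/sts": (200, ""),
    "/sts/mexsoap11": (404, ""),
    "/realm/": (302, "http://openam.example.com:8080/openam/UI/Login"),
    "/notification": (200, ""),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch; anything not in FAKE_RESPONSES is a 404."""
    path = urlsplit(url).path[len("/openam"):]
    return FAKE_RESPONSES.get(path, (404, ""))
```

Treat the exposed() list as a review queue rather than a finding: some endpoints render the login page inline with a 200 instead of redirecting, so confirm by reading the response body. Run it against a non-production instance, since every request passes through the /* filters and is logged like any other client.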

/SPMniSoap/*

Used by a servlet named SPMniSoap; associated with a com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP servlet class. The associated .java file works with Manage Name ID communications using SOAP binding from the SP. As the former spMNISOAP.jsp file no longer exists in the trunk, this may be a legacy endpoint.

/SPMniPOST/*

Used by a servlet named spMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPMniRedirect/*

Used by a servlet named spMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPMniInit/*

Used by a servlet named spMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPECP/*

The associated SPECPService class handles the SAML 2.0 Enhanced Client or Proxy (ECP) profile on the SP.

/SPSloSoap/*

The associated SPSingleLogoutServiceSOAP class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

/SPSloPOST/*

Used by a servlet named spSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPSloRedirect/*

Used by a servlet named spSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPSloInit/*

Used by a servlet named spSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/Consumer/*

Used by a servlet named spAssertionConsumer.jsp; previously defined in the SAML2 JSP Endpoints section.

/SSOPOST/*, /SSORedirect/*

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

/NIMSoap/*

Used by a servlet named NameIDMappingServiceSOAP.

/AIDReqUri/*

Used by a servlet named AssertionIDRequestServiceSoap.

/AIDReqSoap/*

Used by a servlet named AssertionIDRequestServiceSoap.

/AuthnQuerySerivceSoap/*

Used by a servlet named AuthnQueryServiceSoap.

/AttributeServiceSoap/*

Used by a servlet named AttributeServiceSoap.

/SSOSoap/*

Used by a servlet named SSOSoap.

/IDPMniSoap/*

Used by a servlet named IDPMniSoap.

/IDPMniPOST/*

Used by a servlet named idpMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPMniRedirect/*

Used by a servlet named idpMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPMniInit/*

Used by a servlet named idpMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloSoap/*

Used by a servlet named IDPSloSoap.

/IDPSloPOST/*

Used by a servlet named idpSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloRedirect/*

Used by a servlet named idpSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloInit/*

Used by a servlet named idpSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/ArtifactResolver/*

Used by a servlet named IDPArtifactResolver.

/spssoinit

Used by a servlet named spSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpssoinit

Used by a servlet named idpSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpSSOFederate

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpsaehandler/*

Used by a servlet named SA_IDP.jsp; previously defined in the SAML2 JSP Endpoints section.

/spsaehandler/*

Used by a servlet named IDP_SP.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpfinder

Used by a servlet named IDPFinderService; the associated FSIDPFinderService.java file can be used to find a preferred IDP with a common domain cookie.

/cdcservlet

Used by a servlet named CDCServlet. It is associated with the Cross Domain Controller Servlet, as described in the chapter on Configuring Cross-Domain Single Sign On in the Administration Guide.

/SAMLAwareServlet

Used by a servlet named SAMLAwareServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser artifact profile. It validates a session token from a request run through the IDP.

/SAMLPOSTProfileServlet

Used by a servlet named SAMLPOSTProfileServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML POST Profile Servlet, which is part of the client web browser POST profile: it generates the assertion and returns the signed response to the client browser for posting to the SP.

/SAMLSOAPReceiver

Used by a servlet named SAMLSOAPReceiver. The servlet extracts a SAML request from a message sent in SOAP format. That message can be a query for authorization, attributes, or authentication. It supports POST messages only.

/AssertionManagerServlet/*

Used by a servlet named AssertionManagerServlet. It supports dynamic substitution, using the host name, port number, and the deployment location.

/FSAssertionManagerServlet/*

Used by a servlet named FSAssertionManagerServlet. It provides remote interfaces for the assertion manager class.

/SecurityTokenManagerServlet/*

Used by a servlet named SecurityTokenManagerServlet. It supports dynamic substitution, using session parameters.

/preLogin

Used by a servlet named preLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

/postLogin/*

Used by a servlet named postLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

/federation

Used by a servlet named FederationServlet. Associated with the com.sun.identity.federation.login.FSFederationHandler class. The matching FSFederationHandler.java file processes requests to initiate a federation.

/consentHandler

Used by a servlet named consentHandler. Associated with the com.sun.identity.federation.login.FSConsentHandler class. The matching FSConsentHandler.java file processes redirect requests in an existing federation.

/ProcessLogout/*

Used by a servlet named ProcessLogout. Associated with the FSProcessLogoutServlet class. It is designed to handle single logout requests related to Kantara / Liberty ID-FF processes.

/ReturnLogout/*

Used by a servlet named ReturnLogout. Associated with the FSReturnLogoutServlet class. It is designed to handle single logout responses related to Kantara / Liberty ID-FF processes. (Note the subtle difference from the ProcessLogout endpoint, which handles logout requests.)

/liberty-logout

Used by a servlet named LogoutServlet. Associated with the FSSingleLogoutServlet class. It is designed to start single logout requests related to Kantara / Liberty ID-FF processes.

/SingleSignOnService/*

Used by a servlet named SingleSignOnService. Associated with the FSSSOAndFedService class. Configured for SSO on the IDP.

/IntersiteTransferService

Used by a servlet named IntersiteTransferService. Associated with the FSIntersiteTransferService class. It is designed to send an AuthnRequest to an IDP.

/AssertionConsumerService/*

Used by a servlet named AssertionConsumerService. Associated with the FSAssertionConsumerService class. For more information, see the chapter on Managing SAML 2.0 Federation in the Administration Guide.

/SOAPReceiver/*

Used by a servlet named SOAPReceiver. Associated with the FSSOAPReceiver class. SOAP endpoint that handles federation and specifies a URI to the SP.

/federation-terminate

Used by a servlet named FederationTerminationServlet. Associated with the FSTerminationInitiationServlet.java file, used to initiate termination of a federation connection. The IDP will send the termination request to the associated URL.

/ProcessTermination/*

Used by a servlet named ProcessTermination. Associated with the FSTerminationRequestServlet class. The associated .java file is used when a request is received by a remote SP.

/ReturnTermination/*

Used by a servlet named ReturnTermination. Associated with the FSTerminationReturnServlet class. The associated .java file is used to define a URL used by an IDP to send termination responses.

/InitiateRegistration/*

Used by a servlet named InitiateRegistration. Associated with the FSRegistrationInitiationServlet class. The associated .java file is used to handle the registration request from a remote IDP.

/ProcessRegistration/*

Used by a servlet named ProcessRegistration. Associated with the FSRegistrationRequestServlet class. Processes registration requests from remote SPs.

/ReturnRegistration/*

Used by a servlet named ReturnRegistration. Associated with the FSRegistrationReturnServlet class. Defines a URL for IDPs to send registration responses.

/Liberty/*

Used by a servlet named WSSOAPReceiver. Associated with the SOAPReceiver class. Defines an endpoint that handles SOAP requests.

/WSPRedirectHandler/*

Used by a servlet named WSPRedirectHandler. Associated with the WSPRedirectHandlerServlet class. Used by the SP for user redirects.

/idffwriter, /saml2writer

Used by a servlet with a matching name (idffwriter, saml2writer). Associated with the CookieWriterServlet class. Used on the IDP side to write the common domain cookie that records which IDP the user authenticated with; the reader servlets (/idffreader, /saml2reader) and the IDP finder (/idpfinder) use that cookie to locate the preferred IDP.

/idffreader, /saml2reader

Used by a servlet with a matching name (idffreader, saml2reader). Associated with the CookieReaderServlet class. Used by the SP to help find the preferred IDP.

/multiprotocolrelay

Used by a servlet named MultiProtocolRelayServlet. Associated with the MultiProtocolRelayServlet class. Used as a RelayState to continue to the next protocol; associated with a federation.

/WSFederationServlet/*, /FederationMetadata/*

Used by a servlet named WSFederationServlet. Associated with the WSFederationServlet class. Used as a service endpoint for WS-Federation.

/RealmSelection/*

Used by an endpoint named realmSelection.jsp. Previously defined in the WS-Federation JSP Endpoints section.

/saml2query/*

Used by a servlet named saml2query. Associated with the QueryHandlerServlet class. The corresponding .java file receives and processes SAML2 queries.

/federationws/*

Used by a servlet named federationrest. Associated with the ServletContainer class. Does not appear to be included in any current .java or .jsp file, so it may be a legacy endpoint.

/xacml/*

Used by a servlet named XACMLContentAdapter. Associated with the XacmlContentHandlerService class. Provides the main endpoint for all XACML requests.

/frrest/oauth2/*

Used by a servlet named OAuth2Rest. Associated with the RestTokenDispatcher class. For more information, see the chapter on Using RESTful Web Services.

/oauth2/registerClient.jsp

Used by a servlet named OAuth2RegisterClient. For more information, see the Administration Guide chapter on Managing OAuth 2.0 Authorization.

/oauth2/*

Used by a servlet named OAuth2RestletAdapter. Associated with the RestTokenDispatcher class. For more information, see the chapter on Using RESTful Web Services.

/json/*

Used by a servlet named ForgeRockRest. Associated with the HttpServlet class. For more information, see the chapter on Using RESTful Web Services and the JSON REST Endpoints section of this reference.