A service endpoint is a URL which serves as the access port for a web service. It may be a standard HTML-based web page, or it may be a *.jsp page.
As every service endpoint is a potential security issue, it may be appropriate to restrict access to those endpoints that you do not use. But be careful. Some endpoints, such as isAlive.jsp in the main /path/to/tomcat/webapps/openam directory, are essential and should not be blocked or changed.
Given the large number of available endpoints, this chapter has been organized primarily by subdirectory. Most of the directories were created when the OpenAM WAR archive was copied to the appropriate web application container directory, such as the webapps/ subdirectory.
OpenAM may expose several hundred service endpoints, listed in this chapter.
Each endpoint shown is listed relative to the deployment URL.
For example, if you have deployed OpenAM at https://openam.example.com:8443/openam/, the full URL to the isAlive.jsp endpoint is https://openam.example.com:8443/openam/isAlive.jsp.
OpenAM includes two types of endpoints. One is based on URL patterns, shown with the url-pattern tag. You can find these patterns in the web.xml file, in the /path/to/tomcat/webapps/openam/WEB-INF directory. The other type is based on *.jsp pages, starting in the main /path/to/tomcat/webapps/openam directory and continuing into many associated subdirectories. If you copied or created a WAR archive under a name other than openam.war, as described in the installation guide, substitute that name for the second openam in the examples accordingly.
Some of these endpoints can be applied directly to a URL when you've connected to the OpenAM server; for example, if you've configured OpenAM on http://idp.example.com:8080/openam, you can log in and review debug options by navigating to http://idp.example.com:8080/openam/Debug.jsp.
Other endpoints can only be used when called by some option in the OpenAM console. For example, while the AgentAdd.jsp endpoint exists in the console/agentconfig subdirectory, you would get an error by navigating directly to a URL such as http://sp.example.com:8080/openam/console/agentconfig/AgentAdd.jsp. For that particular endpoint, you'll have to click through the options required to add an agent (Access Control > realm name > Agents > Agent > New).
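The two endpoint types described above (url-pattern entries in WEB-INF/web.xml and *.jsp files under the webapp directory) can be inventoried for a deployment and expressed relative to its deployment URL. The following script is an added example, not part of this chapter or of OpenAM; it builds a constructed stand-in webapp tree with a minimal web.xml (not OpenAM's real file) and flags any essential endpoint, here isAlive.jsp, that is missing.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Endpoint the chapter names as essential; the audit flags it if absent.
ESSENTIAL = {"/isAlive.jsp"}

# Constructed stand-in for WEB-INF/web.xml (not OpenAM's real file).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>json</servlet-name><url-pattern>/json/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ui</servlet-name><url-pattern>/UI/*</url-pattern></servlet-mapping>
</web-app>"""

def url_patterns(web_xml_path):
    """url-pattern values from web.xml, ignoring the XML namespace."""
    root = ET.parse(web_xml_path).getroot()
    return sorted({el.text.strip() for el in root.iter()
                   if el.tag.rsplit("}", 1)[-1] == "url-pattern" and el.text})

def jsp_endpoints(webapp_dir):
    """*.jsp files under the webapp root, as paths relative to that root."""
    found = []
    for dirpath, _, names in os.walk(webapp_dir):
        for name in names:
            if name.endswith(".jsp"):
                rel = os.path.relpath(os.path.join(dirpath, name), webapp_dir)
                found.append("/" + rel.replace(os.sep, "/"))
    return sorted(found)

def inventory(webapp_dir, deployment_url):
    """Return (full endpoint URLs, essential endpoints that are missing)."""
    endpoints = url_patterns(os.path.join(webapp_dir, "WEB-INF", "web.xml"))
    endpoints += jsp_endpoints(webapp_dir)
    base = deployment_url.rstrip("/")
    return [base + e for e in endpoints], sorted(ESSENTIAL - set(endpoints))

def build_sample_webapp():
    """Create a constructed webapp tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="openam-sample-")
    for rel in ("WEB-INF", "console/agentconfig"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
        f.write(SAMPLE_WEB_XML)
    for rel in ("isAlive.jsp", "Debug.jsp", "console/agentconfig/AgentAdd.jsp"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root

if __name__ == "__main__":
    urls, missing = inventory(build_sample_webapp(), "https://openam.example.com:8443/openam/")
    print("\n".join(urls), "\nmissing essential:", missing)
```

Point the script at a real /path/to/tomcat/webapps/openam directory to list every endpoint that deployment exposes, as a starting point for deciding which ones to restrict.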
In general, this chapter does not include dynamic endpoints, such as those that may include security tokens. The endpoints described in this chapter are based on files included in the installation of an OpenAM server.
There have been two security advisories related to OpenAM endpoints: OpenAM Security Advisory #201203 and OpenAM Security Advisory #201204.
Several options are available for endpoints at risk. Recommendations from the noted security advisories include the following:
Filter requests to prevent or restrict access to vulnerable endpoints with a reverse proxy or equivalent hardware device. Such options can be configured to limit access by IP address or fully qualified domain name.
Use a patch. If available, download links should be listed in the security advisory. The patch may be limited to one or more endpoint files.
Remove access from the configuration. If a problematic endpoint is configured in the web.xml file of the aforementioned WEB-INF subdirectory, you can remove the section that points to that endpoint.
Remove the endpoint file from the configuration. Some endpoint files, such as proxy.jsp or ssoadm.jsp, are not essential to the basic operation of OpenAM.
Of course, you can take additional steps to help secure your OpenAM deployment. For more information, see the chapter on Securing OpenAM in the Administration Guide.
The OpenAM WAR archive includes *.jsp files in a number of different categories. Many are associated with the applicable subdirectory, such as console/realm. The following sections will examine each *.jsp file, divided by subdirectories.
In some highlighted cases, the noted *.jsp file appears in the code for one or more .java files. If you remove such a *.jsp file from the container, there is a risk that this will break some functionality within OpenAM. In other cases, such as any files related to the GUI installation wizard, the applicable *.jsp file can be safely removed from a production system.