|
| 1 | +# Endpoints Without `/z/{subdomain}/` Support (Discovery) |
| 2 | + |
| 3 | +This document lists endpoints that do **not** yet have a dual path mapping for `/z/{subdomain}/...`. Security config may already allow `/z/*/path` in some cases; the **controller** (or filter) still only maps the non-zone path. Tests that hit these paths are listed so you can extend them with zone-path permutations or add new tests when adding `/z/` support. |
| 4 | + |
| 5 | +**Legend:** |
| 6 | +- **Controller has /z/?** – Controller (or endpoint class) has a second path variant like `/z/{subdomain}/...`. |
| 7 | +- **Security has /z/*/?** – At least one security filter chain or requestMatcher includes a `/z/*/...` (or `/z/{subdomain}/...`) pattern for this path. |
| 8 | +- **Tests** – Test classes or test methods that perform requests to these paths (get/post/put/delete to the path). These are the tests that may need zone-path parameterization or new cases when you add `/z/` support. |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +## 1. Reset / forgot password (UI) |
| 13 | + |
| 14 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 15 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 16 | +| `/forgot_password` | ResetPasswordController | No | Yes (LoginSecurityConfiguration login form chain) | ResetPasswordControllerMockMvcTests, ResetPasswordControllerTest, LoginMockMvcTests (forgot_password.do, links) | |
| 17 | +| `/forgot_password.do` | ResetPasswordController | No | Yes | Same as above | |
| 18 | +| `/email_sent` | ResetPasswordController | No | Yes (noSecurityEndpoints has `/z/*/email_sent`) | ResetPasswordControllerTest, AccountsControllerMockMvcTests (accounts/email_sent) | |
| 19 | +| `/reset_password` (HEAD, GET with `code`) | ResetPasswordController | No | Yes (login form chain) | ResetPasswordControllerMockMvcTests, ResetPasswordControllerTest, ResetPasswordAuthenticationEntryPointTests (forward) | |
| 20 | +| `/reset_password.do` | ResetPasswordController | No | Yes (login form + ResetPasswordAuthenticationFilter) | ResetPasswordControllerMockMvcTests, ResetPasswordControllerTest, ResetPasswordAuthenticationFilterTest | |
| 21 | + |
| 22 | +**Note:** Security already has `/z/*/forgot_password`, `/z/*/reset_password**`, etc. in LoginSecurityConfiguration. The **controller** still only declares the single path (e.g. `@GetMapping("/forgot_password")`). Adding `/z/{subdomain}/...` to the controller mappings is the remaining work. |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +## 2. Change password (UI) |
| 27 | + |
| 28 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 29 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 30 | +| `/change_password` | ChangePasswordController | No | No (chain is `/password_*` only) | LoginMockMvcTests (get/change_password, post/change_password.do) | |
| 31 | +| `/change_password.do` | ChangePasswordController | No | No | Same as above | |
| 32 | + |
| 33 | +**Note:** LoginSecurityConfiguration has a separate chain for `/password_*` with no `/z/*/` variant. Both controller and security need updates for zone path. |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +## 3. Change email / verify email (UI) |
| 38 | + |
| 39 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 40 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 41 | +| `/change_email` | ChangeEmailController | No | No (chain is `/email_*` only) | LoginMockMvcTests, ChangeEmailControllerTest | |
| 42 | +| `/change_email.do` | ChangeEmailController | No | No | Same as above | |
| 43 | +| `/verify_email` | ChangeEmailController | No | No | ChangeEmailControllerTest | |
| 44 | + |
| 45 | +**Note:** LoginSecurityConfiguration has a separate chain for `/email_*` with no `/z/*/` variant. Both controller and security need updates. |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +## 4. Force password change (UI) |
| 50 | + |
| 51 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 52 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 53 | +| `/force_password_change`, `/force_password_change/` | ForcePasswordChangeController | No | Yes (login form chain) | ForcePasswordChangeControllerTest, ForcePasswordChangeControllerMockMvcTest, UaaAuthenticationFailureHandlerTests (redirect + applyRequestPath) | |
| 54 | +| `/force_password_change_completed` | No controller mapping (redirect target; PasswordChangeUiRequiredFilter uses path) | N/A | No (not in noSecurityEndpoints with /z/) | ForcePasswordChangeControllerMockMvcTest (get), PasswordChangeUiRequiredFilterTest (setPathInfo) | |
| 55 | + |
| 56 | +**Note:** Security already has `/z/*/force_password_change/**`. Controller has no `/z/` variant. `force_password_change_completed` is a redirect target and filter path; no explicit `@GetMapping` found—may be served as view or by default. If it gets a controller, it will need `/z/` support too. |
| 57 | + |
| 58 | +--- |
| 59 | + |
| 60 | +## 5. Logged out (UI) |
| 61 | + |
| 62 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 63 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 64 | +| `/logged_out` | LoggedOutEndpoint | No | No (noSecurityEndpoints has `/logged_out` but no `/z/*/logged_out`) | Indirect (logout flows redirect here) | |
| 65 | + |
| 66 | +**Note:** SpringServletXmlSecurityConfiguration noSecurityEndpoints includes `/logged_out` only; no `/z/*/logged_out`. Controller has single path. |
| 67 | + |
| 68 | +--- |
| 69 | + |
| 70 | +## 6. Home and error pages (UI) |
| 71 | + |
| 72 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 73 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 74 | +| `/`, `/home` | HomeController | No | No | LoginMockMvcTests (get("/")), HomeControllerViewTests (get("/home")), IdentityZoneEndpointsMockMvcTests (homeRedirect link) | |
| 75 | +| `/error500` | HomeController | No | No (noSecurityEndpoints has `/error**`) | — | |
| 76 | +| `/saml_error` | HomeController | No | No (noSecurityEndpoints has `/saml_error`) | — | |
| 77 | +| `/oauth_error` | HomeController | No | No | — | |
| 78 | +| `/rejected` | HomeController | No | No (noSecurityEndpoints has `/rejected`) | — | |
| 79 | + |
| 80 | +**Note:** noSecurityEndpoints does not add `/z/*/` for these. Controller has no `/z/` variants. |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +## 7. Session (UI) |
| 85 | + |
| 86 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 87 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 88 | +| `/session` | SessionController | No | No (noSecurityEndpoints has `/session` but no `/z/*/session`) | SessionControllerIntegrationTests | |
| 89 | +| `/session_management` | SessionController | No | No | SessionControllerIntegrationTests | |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +## 8. Invitations (UI + API) |
| 94 | + |
| 95 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 96 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 97 | +| `/invitations/accept` | InvitationsController | No | No (LoginSecurityConfiguration has /invitations/accept without /z/) | InvitationsEndpointMockMvcTests, InvitationsControllerTest, InvitationsServiceMockMvcTests, AbstractLdapMockMvcTest | |
| 98 | +| `/invitations/accept.do` | InvitationsController | No | No | Same as above | |
| 99 | +| `/invitations/accept_enterprise.do` | InvitationsController | No | No | InvitationsControllerTest, AbstractLdapMockMvcTest | |
| 100 | +| `/invitations/sent`, `/invitations/new`, `/invitations/new.do` | InvitationsController | No | No | InvitationsControllerTest (if any hit these) | |
| 101 | +| `/invite_users`, `/invite_users/` | InvitationsEndpoint (API) | No | No (LoginSecurityConfiguration /invite_users/** has no /z/) | InvitationsEndpointMockMvcTests | |
| 102 | + |
| 103 | +--- |
| 104 | + |
| 105 | +## 9. Profile (UI) |
| 106 | + |
| 107 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 108 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 109 | +| `/profile`, `/profile/` | ProfileController | No | No (login form chain has no /z/*/ for profile) | ProfileControllerMockMvcTests, LoginMockMvcTests (redirect:profile), InvitationsServiceMockMvcTests | |
| 110 | + |
| 111 | +--- |
| 112 | + |
| 113 | +## 10. Passcode (API / UI) |
| 114 | + |
| 115 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 116 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 117 | +| `/passcode` | PasscodeEndpoint | No | No (OauthEndpointSecurityConfiguration passcode matcher has no /z/) | PasscodeMockMvcTests, TokenMvcMockTests (get("/passcode")), AbstractLdapMockMvcTest, LoginInfoEndpointTests (prompt text) | |
| 118 | + |
| 119 | +--- |
| 120 | + |
| 121 | +## 11. OAuth / token / client admin (API – not yet covered by /z/) |
| 122 | + |
| 123 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 124 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 125 | +| `/oauth/confirm_access` | AccessController | No | No | — | |
| 126 | +| `/oauth/error` | AccessController | No | No | — | |
| 127 | +| `/oauth/token/revoke/user/{userId}` etc. | TokenRevocationEndpoint | No | No (OauthEndpointSecurityConfiguration /oauth/token/revoke/** has no /z/) | — | |
| 128 | +| `/check_token` | CheckTokenEndpoint | No | No | — | |
| 129 | +| `/introspect` | IntrospectEndpoint | No | No | — | |
| 130 | +| `/oauth/clients/**` | ClientAdminEndpoints, ClientMetadataAdminEndpoints | No | No (ClientAdminSecurityConfiguration has no /z/) | — | |
| 131 | +| `/identity-providers/**` | IdentityProviderEndpoints | No | No (IdentityZoneSecurityConfiguration has no /z/) | — | |
| 132 | +| `/identity-zones/**` | — | No | No | IdentityZoneEndpointsMockMvcTests (already parameterized for zone path in tests) | |
| 133 | +| `/Codes/**` | CodeStoreEndpoints | No | No | — | |
| 134 | +| `/email_verifications`, `/email_changes` | ChangeEmailEndpoints (SCIM) | No | No | — | |
| 135 | +| `/RateLimitingStatus/**` | RateLimitStatusController | No | No | — | |
| 136 | +| `/saml/metadata`, `/saml/metadata/` | SamlMetadataEndpoint | No | No (secFilterOpenSamlEndPoints has no /z/) | — | |
| 137 | + |
| 138 | +--- |
| 139 | + |
| 140 | +## 12. Authenticate (API) |
| 141 | + |
| 142 | +| Endpoint(s) | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints | |
| 143 | +|-------------|--------------------|---------------------|----------------------|-----------------------------------| |
| 144 | +| `/authenticate`, `/authenticate/` | RemoteAuthenticationEndpoint | No | No (LoginSecurityConfiguration authenticate chain has no /z/) | LoginMockMvcTests (post("/authenticate")) | |
| 145 | + |
| 146 | +--- |
| 147 | + |
| 148 | +## 13. Zone Switching - Path Aware Zone Sessions |
| 149 | + |
| 150 | +Once steps 1-12 are completed, the system will work for a single session. |
| 151 | +Switching zones by changing the /z/ zone path, will cause the SessionResetFilter |
| 152 | +to kick in and redirect the user to the default zone login page. |
| 153 | + |
| 154 | +There is a decision to be made at this point, do we support multiple zone sessions when using paths? |
| 155 | +If so, there will be a session implementation, very much like the one IdentityZoneResolving/Switching filters |
| 156 | +that allows the same server side session hold attributes for multiple zones at the same time |
| 157 | + |
| 158 | +## Summary (high-level) |
| 159 | + |
| 160 | +- **UI endpoints most likely to need `/z/` next:** reset_password, forgot_password, change_password, change_email, verify_email, force_password_change (and _completed), logged_out, home, session, invitations (accept flow), profile, passcode. Security already has `/z/*/` for several of these (forgot_password, reset_password, force_password_change, create_account, login, etc.); the **controller** mappings are what’s missing. |
| 161 | +- **Security chains that don’t yet have `/z/*/`:** `/password_*`, `/email_*`, noSecurityEndpoints for `/session`, `/session_management`, `/logged_out`, `/`, `/home`, `/error**`, `/saml_error`, `/oauth_error`, `/rejected`; invitations and invite_users; profile; passcode; OAuth confirm_access/error; token revoke; check_token; introspect; client admin; identity-providers; identity-zones; Codes; RateLimitingStatus; SAML metadata; authenticate. |
| 162 | +- **Tests:** The “Tests that touch these endpoints” column lists the test classes/methods that perform requests to the given path. When you add `/z/{subdomain}/` support for an endpoint, parameterize those tests with `ZoneResolutionMode` (or equivalent) or add dedicated zone-path tests so both default and `/z/` paths are covered. |
| 163 | + |
0 commit comments