From bbd20ec71df631ad3a9072c639e844af93c431e2 Mon Sep 17 00:00:00 2001
From: mmuller <mmuller@google.com>
Date: Fri, 28 Oct 2016 09:32:24 -0700
Subject: [PATCH] Convert RegistrarServlet to RegistrarAction

Convert to an action and remove ResourceServlet, JsonTransportServlet and
JsonTransportServlet, all of which exist only to support it.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=137519385
---
 java/google/registry/config/ConfigModule.java |   8 +
 .../registry/config/RegistryConfig.java       |   2 +-
 .../env/common/default/WEB-INF/web.xml        |  17 +-
 .../frontend/FrontendRequestComponent.java    |   2 +
 .../registry/request/JsonActionRunner.java    |  10 +-
 java/google/registry/security/BUILD           |  13 --
 .../security/JsonTransportServlet.java        |  74 --------
 .../security/XsrfProtectedServlet.java        |  83 ---------
 .../google/registry/ui/server/registrar/BUILD |   1 -
 ...strarServlet.java => RegistrarAction.java} | 105 ++++++++---
 .../ui/server/registrar/ResourceServlet.java  | 105 -----------
 .../registry/request/RequestModuleTest.java   |   6 +
 javatests/google/registry/security/BUILD      |  18 --
 .../registry/security/JsonHttpTestUtils.java  |   4 +-
 .../security/JsonTransportServletTest.java    | 156 ----------------
 .../security/XsrfProtectedServletTest.java    | 105 -----------
 .../registry/server/RegistryTestServer.java   |   2 +-
 .../google/registry/ui/server/registrar/BUILD |   1 +
 .../server/registrar/ContactSettingsTest.java |  45 ++---
 .../server/registrar/RegistrarActionTest.java | 125 +++++++++++++
 ...Case.java => RegistrarActionTestCase.java} |  37 +++-
 .../registrar/RegistrarServletTest.java       | 168 ------------------
 .../registrar/SecuritySettingsTest.java       |  52 +++---
 .../server/registrar/WhoisSettingsTest.java   |  49 +++--
 24 files changed, 330 insertions(+), 858 deletions(-)
 delete mode 100644 java/google/registry/security/JsonTransportServlet.java
 delete mode 100644 java/google/registry/security/XsrfProtectedServlet.java
 rename java/google/registry/ui/server/registrar/{RegistrarServlet.java => RegistrarAction.java} (74%)
 delete mode 100644 java/google/registry/ui/server/registrar/ResourceServlet.java
 delete mode 100644 javatests/google/registry/security/JsonTransportServletTest.java
 delete mode 100644 javatests/google/registry/security/XsrfProtectedServletTest.java
 create mode 100644 javatests/google/registry/ui/server/registrar/RegistrarActionTest.java
 rename javatests/google/registry/ui/server/registrar/{RegistrarServletTestCase.java => RegistrarActionTestCase.java} (75%)
 delete mode 100644 javatests/google/registry/ui/server/registrar/RegistrarServletTest.java

diff --git a/java/google/registry/config/ConfigModule.java b/java/google/registry/config/ConfigModule.java
index a8906943b..3698b29d6 100644
--- a/java/google/registry/config/ConfigModule.java
+++ b/java/google/registry/config/ConfigModule.java
@@ -17,6 +17,7 @@ package google.registry.config;
 import static google.registry.config.ConfigUtils.makeUrl;
 
 import com.google.common.base.Optional;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import dagger.Module;
 import dagger.Provides;
@@ -325,6 +326,13 @@ public final class ConfigModule {
     }
   }
 
+  @Provides
+  @Config("registrarChangesNotificationEmailAddresses")
+  public static ImmutableList<String> provideRegistrarChangesNotificationEmailAddresses(
+      RegistryConfig config) {
+    return config.getRegistrarChangesNotificationEmailAddresses();
+  }
+
   /**
    * Returns the publicly accessible domain name for the running Google Apps instance.
    *
diff --git a/java/google/registry/config/RegistryConfig.java b/java/google/registry/config/RegistryConfig.java
index 08cdc0512..8ababb92f 100644
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -163,7 +163,7 @@ public interface RegistryConfig {
    * Returns the email address(es) that notifications of registrar and/or registrar contact updates
    * should be sent to, or the empty list if updates should not be sent.
    *
-   * @see google.registry.ui.server.registrar.RegistrarServlet
+   * @see google.registry.ui.server.registrar.RegistrarAction
    */
   public ImmutableList<String> getRegistrarChangesNotificationEmailAddresses();
 
diff --git a/java/google/registry/env/common/default/WEB-INF/web.xml b/java/google/registry/env/common/default/WEB-INF/web.xml
index ddaa6d477..a91a0e7c7 100644
--- a/java/google/registry/env/common/default/WEB-INF/web.xml
+++ b/java/google/registry/env/common/default/WEB-INF/web.xml
@@ -25,17 +25,6 @@
     <url-pattern>/registrar-xhr</url-pattern>
   </servlet-mapping>
 
-  <servlet>
-    <display-name>Registrar Self-serve Settings</display-name>
-    <servlet-name>registrar-settings</servlet-name>
-    <servlet-class>google.registry.ui.server.registrar.RegistrarServlet</servlet-class>
-    <load-on-startup>1</load-on-startup>
-  </servlet>
-  <servlet-mapping>
-    <servlet-name>registrar-settings</servlet-name>
-    <url-pattern>/registrar-settings</url-pattern>
-  </servlet-mapping>
-
   <!-- Registrar Console. -->
   <servlet-mapping>
     <servlet-name>frontend-servlet</servlet-name>
@@ -54,6 +43,12 @@
     <url-pattern>/registrar-payment</url-pattern>
   </servlet-mapping>
 
+  <!-- Registrar Self-serve Settings. -->
+  <servlet-mapping>
+    <servlet-name>frontend-servlet</servlet-name>
+    <url-pattern>/registrar-settings</url-pattern>
+  </servlet-mapping>
+
   <!-- HTTP WHOIS. -->
   <servlet-mapping>
     <servlet-name>frontend-servlet</servlet-name>
diff --git a/java/google/registry/module/frontend/FrontendRequestComponent.java b/java/google/registry/module/frontend/FrontendRequestComponent.java
index c1e506191..1c36ac6ea 100644
--- a/java/google/registry/module/frontend/FrontendRequestComponent.java
+++ b/java/google/registry/module/frontend/FrontendRequestComponent.java
@@ -36,6 +36,7 @@ import google.registry.rdap.RdapNameserverSearchAction;
 import google.registry.request.RequestModule;
 import google.registry.request.RequestScope;
 import google.registry.ui.server.registrar.ConsoleUiAction;
+import google.registry.ui.server.registrar.RegistrarAction;
 import google.registry.ui.server.registrar.RegistrarPaymentAction;
 import google.registry.ui.server.registrar.RegistrarPaymentSetupAction;
 import google.registry.ui.server.registrar.RegistrarUserModule;
@@ -65,6 +66,7 @@ interface FrontendRequestComponent {
   RdapAutnumAction rdapAutnumAction();
   RegistrarPaymentAction registrarPaymentAction();
   RegistrarPaymentSetupAction registrarPaymentSetupAction();
+  RegistrarAction registrarAction();
   RdapDomainAction rdapDomainAction();
   RdapDomainSearchAction rdapDomainSearchAction();
   RdapEntityAction rdapEntityAction();
diff --git a/java/google/registry/request/JsonActionRunner.java b/java/google/registry/request/JsonActionRunner.java
index 81d550741..72e7dfd7f 100644
--- a/java/google/registry/request/JsonActionRunner.java
+++ b/java/google/registry/request/JsonActionRunner.java
@@ -35,9 +35,13 @@ public final class JsonActionRunner {
     Map<String, ?> handleJsonRequest(Map<String, ?> json);
   }
 
-  @Inject @JsonPayload Map<String, Object> payload;
-  @Inject JsonResponse response;
-  @Inject JsonActionRunner() {}
+  @JsonPayload Map<String, Object> payload;
+  JsonResponse response;
+
+  @Inject public JsonActionRunner(@JsonPayload Map<String, Object> payload, JsonResponse response) {
+    this.payload = payload;
+    this.response = response;
+  }
 
   /** Delegates request to {@code action}. */
   public void run(JsonAction action) {
diff --git a/java/google/registry/security/BUILD b/java/google/registry/security/BUILD
index 1100907d5..af3c1f2c0 100644
--- a/java/google/registry/security/BUILD
+++ b/java/google/registry/security/BUILD
@@ -28,16 +28,3 @@ java_library(
         "//java/google/registry/util",
     ],
 )
-
-java_library(
-    name = "servlets",
-    srcs = glob(["*Servlet.java"]),
-    deps = [
-        ":security",
-        "//java/com/google/common/base",
-        "//third_party/java/appengine:appengine-api",
-        "//third_party/java/joda_time",
-        "//third_party/java/servlet/servlet_api",
-        "//java/google/registry/request",
-    ],
-)
diff --git a/java/google/registry/security/JsonTransportServlet.java b/java/google/registry/security/JsonTransportServlet.java
deleted file mode 100644
index 36c9e009b..000000000
--- a/java/google/registry/security/JsonTransportServlet.java
+++ /dev/null
@@ -1,74 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.security;
-
-import static com.google.common.base.Preconditions.checkNotNull;
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-
-import google.registry.request.HttpException;
-import java.io.IOException;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * Secure servlet that speaks JSON for both input and output.
- *
- * <p>This servlet accepts only JSON inputs (using the payload) and returns only JSON
- * responses, using and various security best practices such as a parser breaker,
- * {@code Content-Disposition: attachment}, etc.
- *
- * @see JsonHttp
- */
-public abstract class JsonTransportServlet extends XsrfProtectedServlet {
-
-  protected JsonTransportServlet(String xsrfScope, boolean requireAdmin) {
-    super(xsrfScope, requireAdmin);
-  }
-
-  /**
-   * Verify that this is a well-formed request and then execute it. A well-formed request will have
-   * either a JSON string in the "json" param that evaluates to a map, or nothing in "json".
-   */
-  @Override
-  protected final void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
-    Map<String, ?> input = JsonHttp.read(req);
-    if (input == null) {
-      rsp.sendError(SC_BAD_REQUEST, "Malformed JSON");
-      return;
-    }
-    Map<String, ?> output;
-    try {
-      output = doJsonPost(req, input);
-    } catch (HttpException e) {
-      e.send(rsp);
-      return;
-    }
-    checkNotNull(output, "doJsonPost() returned null");
-    rsp.setStatus(SC_OK);
-    JsonHttp.write(rsp, output);
-  }
-
-  /**
-   * Handler for HTTP POST requests.
-   *
-   * @param req Servlet request object.
-   * @param input JSON request object or empty if none was provided.
-   * @return an arbitrary JSON object. Must not be {@code null}.
-   * @throws HttpException in order to send a non-200 status code / message to the client.
-   */
-  public abstract Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input);
-}
diff --git a/java/google/registry/security/XsrfProtectedServlet.java b/java/google/registry/security/XsrfProtectedServlet.java
deleted file mode 100644
index 93a81b955..000000000
--- a/java/google/registry/security/XsrfProtectedServlet.java
+++ /dev/null
@@ -1,83 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.security;
-
-import static com.google.appengine.api.users.UserServiceFactory.getUserService;
-import static com.google.common.base.Preconditions.checkNotNull;
-import static com.google.common.base.Strings.nullToEmpty;
-import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
-import static google.registry.security.XsrfTokenManager.validateToken;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-
-import com.google.appengine.api.users.UserService;
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.joda.time.Duration;
-
-/**
- * Servlet with Cross-Site Request Forgery (XSRF) protection.
- *
- * <p>This servlet enforces XSRF protection on all requests by checking the value provided in the
- * "X-CSRF-Token" header. It can also optionally enforce that only admin users can call it.
- *
- * <p>All servlets that handle client requests should use XSRF protection.
- */
-public abstract class XsrfProtectedServlet extends HttpServlet {
-
-  private static final Duration XSRF_VALIDITY = Duration.standardDays(1);
-
-  /** Used to validate XSRF tokens. */
-  private String xsrfScope;
-
-  /** Whether to do a security check for admin status. */
-  private boolean requireAdmin;
-
-  /** Gets the XSRF scope for this servlet. */
-  public String getScope() {
-    return xsrfScope;
-  }
-
-  protected XsrfProtectedServlet(String xsrfScope, boolean requireAdmin) {
-    this.xsrfScope = checkNotNull(xsrfScope);
-    this.requireAdmin = requireAdmin;
-  }
-
-  @Override
-  public final void service(HttpServletRequest req, HttpServletResponse rsp)
-      throws IOException, ServletException {
-    if (!validateToken(nullToEmpty(req.getHeader(X_CSRF_TOKEN)), xsrfScope, XSRF_VALIDITY)) {
-      rsp.sendError(SC_FORBIDDEN, "Invalid " + X_CSRF_TOKEN);
-      return;
-    }
-    if (!validateAdmin()) {
-      rsp.sendError(SC_FORBIDDEN, "Administrator access only");
-      return;
-    }
-    doPost(req, rsp);
-  }
-
-  /**
-   * If this is an admin-only servlet, require admin permissions or being in development mode. Such
-   * servlets should primarily be defended by being marked internal-only in web.xml, but it's worth
-   * adding a defense-in-depth.
-   */
-  private boolean validateAdmin() {
-    UserService userService = getUserService();
-    return requireAdmin ? (userService.isUserLoggedIn() && userService.isUserAdmin()) : true;
-  }
-}
diff --git a/java/google/registry/ui/server/registrar/BUILD b/java/google/registry/ui/server/registrar/BUILD
index c54308f57..0ff786be9 100644
--- a/java/google/registry/ui/server/registrar/BUILD
+++ b/java/google/registry/ui/server/registrar/BUILD
@@ -26,7 +26,6 @@ java_library(
         "//java/google/registry/model",
         "//java/google/registry/request",
         "//java/google/registry/security",
-        "//java/google/registry/security:servlets",
         "//java/google/registry/ui/forms",
         "//java/google/registry/ui/server",
         "//java/google/registry/ui/soy:soy_java_wrappers",
diff --git a/java/google/registry/ui/server/registrar/RegistrarServlet.java b/java/google/registry/ui/server/registrar/RegistrarAction.java
similarity index 74%
rename from java/google/registry/ui/server/registrar/RegistrarServlet.java
rename to java/google/registry/ui/server/registrar/RegistrarAction.java
index fc750dbf2..5fa86f61a 100644
--- a/java/google/registry/ui/server/registrar/RegistrarServlet.java
+++ b/java/google/registry/ui/server/registrar/RegistrarAction.java
@@ -18,23 +18,29 @@ import static com.google.common.collect.Iterables.any;
 import static com.google.common.collect.Iterables.concat;
 import static com.google.common.collect.Sets.difference;
 import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
 
 import com.google.common.base.Function;
+import com.google.common.base.Optional;
 import com.google.common.base.Predicate;
 import com.google.common.collect.FluentIterable;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Multimap;
 import com.googlecode.objectify.Work;
-import google.registry.config.RegistryConfig;
-import google.registry.config.RegistryEnvironment;
+import google.registry.config.ConfigModule.Config;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarContact;
+import google.registry.request.Action;
+import google.registry.request.HttpException.BadRequestException;
+import google.registry.request.JsonActionRunner;
 import google.registry.security.JsonResponseHelper;
 import google.registry.ui.forms.FormException;
+import google.registry.ui.forms.FormFieldException;
 import google.registry.ui.server.RegistrarFormFields;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.CollectionUtils;
@@ -44,15 +50,33 @@ import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
 
 /**
  * Admin servlet that allows creating or updating a registrar. Deletes are not allowed so as to
  * preserve history.
  */
-public class RegistrarServlet extends ResourceServlet {
+@Action(
+    path = RegistrarAction.PATH,
+    requireLogin = true,
+    xsrfProtection = true,
+    xsrfScope = "console",
+    method = Action.Method.POST)
+public class RegistrarAction implements Runnable, JsonActionRunner.JsonAction {
 
-  private static final RegistryConfig CONFIG = RegistryEnvironment.get().config();
+  public static final String PATH = "/registrar-settings";
+
+  private static final String OP_PARAM = "op";
+  private static final String ARGS_PARAM = "args";
+
+  @Inject HttpServletRequest request;
+  @Inject SessionUtils sessionUtils;
+  @Inject JsonActionRunner jsonActionRunner;
+  @Inject Registrar initialRegistrar;
+  @Inject @Config("registrarChangesNotificationEmailAddresses") ImmutableList<String>
+      registrarChangesNotificationEmailAddresses;
+  @Inject RegistrarAction() {}
 
   private static final Predicate<RegistrarContact> HAS_PHONE = new Predicate<RegistrarContact>() {
     @Override
@@ -71,25 +95,20 @@ public class RegistrarServlet extends ResourceServlet {
     }
   }
 
-  @Override
-  public Map<String, Object> read(HttpServletRequest req, Map<String, ?> args) {
-    String clientId = sessionUtils.getRegistrarClientId(req);
-    Registrar registrar = getCheckedRegistrar(clientId);
+  public Map<String, Object> read(Map<String, ?> args, Registrar registrar) {
     return JsonResponseHelper.create(SUCCESS, "Success", registrar.toJsonMap());
   }
 
-  @Override
-  Map<String, Object> update(HttpServletRequest req, final Map<String, ?> args) {
-    final String clientId = sessionUtils.getRegistrarClientId(req);
+  Map<String, Object> update(final Map<String, ?> args, final Registrar registrar) {
+    final String clientId = sessionUtils.getRegistrarClientId(request);
     return ofy().transact(new Work<Map<String, Object>>() {
       @Override
       public Map<String, Object> run() {
-        Registrar existingRegistrar = getCheckedRegistrar(clientId);
-        ImmutableSet<RegistrarContact> oldContacts = existingRegistrar.getContacts();
+        ImmutableSet<RegistrarContact> oldContacts = registrar.getContacts();
         Map<String, Object> existingRegistrarMap =
-            expandRegistrarWithContacts(existingRegistrar, oldContacts);
-        Registrar.Builder builder = existingRegistrar.asBuilder();
-        ImmutableSet<RegistrarContact> updatedContacts = update(existingRegistrar, builder, args);
+            expandRegistrarWithContacts(oldContacts, registrar);
+        Registrar.Builder builder = registrar.asBuilder();
+        ImmutableSet<RegistrarContact> updatedContacts = update(registrar, builder, args);
         if (!updatedContacts.isEmpty()) {
           builder.setContactsRequireSyncing(true);
         }
@@ -102,7 +121,7 @@ public class RegistrarServlet extends ResourceServlet {
         // Update the registrar map with updated contacts to bypass Objectify caching issues that
         // come into play with calling getContacts().
         Map<String, Object> updatedRegistrarMap =
-            expandRegistrarWithContacts(updatedRegistrar, updatedContacts);
+            expandRegistrarWithContacts(updatedContacts, updatedRegistrar);
         sendExternalUpdatesIfNecessary(
             updatedRegistrar.getRegistrarName(),
             existingRegistrarMap,
@@ -114,8 +133,8 @@ public class RegistrarServlet extends ResourceServlet {
       }});
   }
 
-  private Map<String, Object> expandRegistrarWithContacts(
-      Registrar registrar, Iterable<RegistrarContact> contacts) {
+  private Map<String, Object> expandRegistrarWithContacts(Iterable<RegistrarContact> contacts,
+                                                          Registrar registrar) {
     ImmutableSet<Map<String, Object>> expandedContacts = FluentIterable.from(contacts)
         .transform(new Function<RegistrarContact, Map<String, Object>>() {
           @Override
@@ -146,21 +165,15 @@ public class RegistrarServlet extends ResourceServlet {
       return;
     }
     SyncRegistrarsSheetAction.enqueueBackendTask();
-    ImmutableList<String> toEmailAddress = CONFIG.getRegistrarChangesNotificationEmailAddresses();
-    if (!toEmailAddress.isEmpty()) {
+    if (!registrarChangesNotificationEmailAddresses.isEmpty()) {
       SendEmailUtils.sendEmail(
-          toEmailAddress,
+          registrarChangesNotificationEmailAddresses,
           String.format("Registrar %s updated", registrarName),
           "The following changes were made to the registrar:\n"
               + DiffUtils.prettyPrintDiffedMap(diffs, null));
     }
   }
 
-  private Registrar getCheckedRegistrar(String clientId) {
-    return checkExists(Registrar.loadByClientId(clientId),
-        "No registrar exists with the given client id: " + clientId);
-  }
-
   /**
    * Enforces business logic checks on registrar contacts.
    *
@@ -255,4 +268,42 @@ public class RegistrarServlet extends ResourceServlet {
 
     return contacts.build();
   }
+
+  @Override
+  public Map<String, Object> handleJsonRequest(Map<String, ?> input) {
+    if (input == null) {
+      throw new BadRequestException("Malformed JSON");
+    }
+
+    if (!sessionUtils.checkRegistrarConsoleLogin(request)) {
+      return JsonResponseHelper.create(ERROR, "Not authorized to access Registrar Console");
+    }
+
+    // Process the operation.  Though originally derived from a CRUD
+    // handlder, registrar-settings really only supports read and update.
+    String op = Optional.fromNullable((String) input.get(OP_PARAM)).or("read");
+    @SuppressWarnings("unchecked")
+    Map<String, ?> args = (Map<String, Object>)
+        Optional.<Object>fromNullable(input.get(ARGS_PARAM)).or(ImmutableMap.of());
+    try {
+      switch (op) {
+        case "update":
+          return update(args, initialRegistrar);
+        case "read":
+          return read(args, initialRegistrar);
+        default:
+          return JsonResponseHelper.create(ERROR, "Unknown or unsupported operation: " + op);
+      }
+    } catch (FormFieldException e) {
+      return JsonResponseHelper.createFormFieldError(e.getMessage(), e.getFieldName());
+    } catch (FormException ee) {
+      return JsonResponseHelper.create(ERROR, ee.getMessage());
+    }
+
+  }
+
+  @Override
+  public void run() {
+    jsonActionRunner.run(this);
+  }
 }
diff --git a/java/google/registry/ui/server/registrar/ResourceServlet.java b/java/google/registry/ui/server/registrar/ResourceServlet.java
deleted file mode 100644
index 65bae194a..000000000
--- a/java/google/registry/ui/server/registrar/ResourceServlet.java
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.ui.server.registrar;
-
-import static com.google.appengine.api.users.UserServiceFactory.getUserService;
-import static google.registry.flows.EppConsoleAction.XSRF_SCOPE;
-import static google.registry.security.JsonResponseHelper.Status.ERROR;
-
-import com.google.common.base.Optional;
-import com.google.common.collect.ImmutableMap;
-import google.registry.request.HttpException.NotFoundException;
-import google.registry.security.JsonResponseHelper;
-import google.registry.security.JsonTransportServlet;
-import google.registry.ui.forms.FormException;
-import google.registry.ui.forms.FormFieldException;
-import google.registry.util.NonFinalForTesting;
-import java.util.Map;
-import javax.annotation.Nullable;
-import javax.servlet.http.HttpServletRequest;
-
-/** A servlet for callbacks that manipulate resources. */
-public abstract class ResourceServlet extends JsonTransportServlet {
-
-  private static final String OP_PARAM = "op";
-  private static final String ARGS_PARAM = "args";
-
-  @NonFinalForTesting
-  protected static SessionUtils sessionUtils = new SessionUtils(getUserService());
-
-  public ResourceServlet() {
-    super(XSRF_SCOPE, false);
-  }
-
-  @Override
-  public Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> params) {
-    if (!sessionUtils.isLoggedIn()) {
-      return JsonResponseHelper.create(ERROR, "Not logged in");
-    }
-    if (!sessionUtils.checkRegistrarConsoleLogin(req)) {
-      return JsonResponseHelper.create(ERROR, "Not authorized to access Registrar Console");
-    }
-    String op = Optional.fromNullable((String) params.get(OP_PARAM)).or("read");
-    @SuppressWarnings("unchecked")
-    Map<String, ?> args = (Map<String, Object>)
-        Optional.<Object>fromNullable(params.get(ARGS_PARAM)).or(ImmutableMap.of());
-    try {
-      switch (op) {
-        case "create":
-          return create(req, args);
-        case "update":
-          return update(req, args);
-        case "delete":
-          return delete(req, args);
-        case "read":
-          return read(req, args);
-        default:
-          return JsonResponseHelper.create(ERROR, "Unknown operation: " + op);
-      }
-    } catch (FormFieldException e) {
-      return JsonResponseHelper.createFormFieldError(e.getMessage(), e.getFieldName());
-    } catch (FormException ee) {
-      return JsonResponseHelper.create(ERROR, ee.getMessage());
-    }
-  }
-
-  @SuppressWarnings("unused")
-  Map<String, Object> create(HttpServletRequest req, Map<String, ?> args) {
-    throw new UnsupportedOperationException();
-  }
-
-  @SuppressWarnings("unused")
-  Map<String, Object> read(HttpServletRequest req, Map<String, ?> args) {
-    throw new UnsupportedOperationException();
-  }
-
-  @SuppressWarnings("unused")
-  Map<String, Object> update(HttpServletRequest req, Map<String, ?> args) {
-    throw new UnsupportedOperationException();
-  }
-
-  @SuppressWarnings("unused")
-  Map<String, Object> delete(HttpServletRequest req, Map<String, ?> args) {
-    throw new UnsupportedOperationException();
-  }
-
-  /** Like checkNotNull, but throws NotFoundException if given arg is null. */
-  protected static <T> T checkExists(@Nullable T obj, String msg) {
-    if (obj == null) {
-      throw new NotFoundException(msg);
-    }
-    return obj;
-  }
-}
diff --git a/javatests/google/registry/request/RequestModuleTest.java b/javatests/google/registry/request/RequestModuleTest.java
index d27ebed41..1d2deeda5 100644
--- a/javatests/google/registry/request/RequestModuleTest.java
+++ b/javatests/google/registry/request/RequestModuleTest.java
@@ -51,6 +51,12 @@ public final class RequestModuleTest {
     provideJsonPayload(MediaType.JSON_UTF_8, "{\"k\":");
   }
 
+  @Test
+  public void testProvideJsonPayload_emptyInput_throws500() throws Exception {
+    thrown.expect(BadRequestException.class, "Malformed JSON");
+    provideJsonPayload(MediaType.JSON_UTF_8, "");
+  }
+
   @Test
   public void testProvideJsonPayload_nonJsonContentType_throws415() throws Exception {
     thrown.expect(UnsupportedMediaTypeException.class);
diff --git a/javatests/google/registry/security/BUILD b/javatests/google/registry/security/BUILD
index dfa4a7a5f..2161b6f81 100644
--- a/javatests/google/registry/security/BUILD
+++ b/javatests/google/registry/security/BUILD
@@ -32,28 +32,10 @@ java_library(
     ],
 )
 
-java_library(
-    name = "servlets",
-    srcs = glob(["*ServletTest.java"]),
-    deps = [
-        "//java/com/google/common/collect",
-        "//java/com/google/common/net",
-        "//third_party/java/junit",
-        "//third_party/java/mockito",
-        "//third_party/java/servlet/servlet_api",
-        "//third_party/java/truth",
-        "//java/google/registry/request",
-        "//java/google/registry/security",
-        "//java/google/registry/security:servlets",
-        "//javatests/google/registry/testing",
-    ],
-)
-
 GenTestRules(
     name = "GeneratedTestRules",
     test_files = glob(["*Test.java"]),
     deps = [
         ":security",
-        ":servlets",
     ],
 )
diff --git a/javatests/google/registry/security/JsonHttpTestUtils.java b/javatests/google/registry/security/JsonHttpTestUtils.java
index 63b2272a6..1b8ba79b3 100644
--- a/javatests/google/registry/security/JsonHttpTestUtils.java
+++ b/javatests/google/registry/security/JsonHttpTestUtils.java
@@ -43,8 +43,8 @@ public final class JsonHttpTestUtils {
   }
 
   /**
-   * Returns JSON data parsed out of a JsonTransportServlet response stored in the given writer.
-   * If the data will be fetched multiple times, consider {@link #createJsonResponseSupplier}.
+   * Returns JSON data parsed out of the contents of the given writer. If the data will be fetched
+   * multiple times, consider {@link #createJsonResponseSupplier}.
    *
    * <p>Example Mockito usage:<pre>  {@code
    *
diff --git a/javatests/google/registry/security/JsonTransportServletTest.java b/javatests/google/registry/security/JsonTransportServletTest.java
deleted file mode 100644
index 9ef1588bb..000000000
--- a/javatests/google/registry/security/JsonTransportServletTest.java
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.security;
-
-import static com.google.common.net.HttpHeaders.CONTENT_DISPOSITION;
-import static com.google.common.net.HttpHeaders.X_CONTENT_TYPE_OPTIONS;
-import static com.google.common.net.MediaType.JSON_UTF_8;
-import static com.google.common.truth.Truth.assertThat;
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import com.google.common.collect.ImmutableMap;
-import google.registry.request.HttpException;
-import google.registry.testing.AppEngineRule;
-import google.registry.testing.ExceptionRule;
-import java.io.BufferedReader;
-import java.io.PrintWriter;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.runners.MockitoJUnitRunner;
-
-/** Unit tests for {@link JsonTransportServlet}. */
-@RunWith(MockitoJUnitRunner.class)
-public class JsonTransportServletTest {
-
-  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .build();
-
-  @Rule
-  public final ExceptionRule thrown = new ExceptionRule();
-
-  private StringWriter writer = new StringWriter();
-
-  @Mock
-  HttpServletRequest req;
-
-  @Mock
-  HttpServletResponse rsp;
-
-  static class TestServlet extends JsonTransportServlet {
-    private Map<String, Object> responseMap;
-
-    TestServlet(Map<String, Object> responseMap) {
-      super("foo", false);
-      this.responseMap = responseMap;
-    }
-
-    @Override
-    public Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input) {
-      return responseMap;
-    }
-  }
-
-  private void verifySuccess(String json) {
-    verify(rsp).setStatus(SC_OK);
-    verify(rsp).setHeader(CONTENT_DISPOSITION, "attachment");
-    verify(rsp).setHeader(X_CONTENT_TYPE_OPTIONS, "nosniff");
-    verify(rsp).setContentType(JSON_UTF_8.toString());
-    assertThat(writer.toString()).isEqualTo(")]}'\n" + json);
-  }
-
-  private void doSuccessfulTest(
-      String requestJson, Map<String, Object> responseMap) throws Exception {
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getContentType()).thenReturn(JSON_UTF_8.toString());
-    when(req.getReader()).thenReturn(new BufferedReader(new StringReader(requestJson)));
-    when(rsp.getWriter()).thenReturn(new PrintWriter(writer));
-    new TestServlet(responseMap).doPost(req, rsp);
-    verifySuccess("{\"a\":1}");
-  }
-
-  private void verifyFailure(int error) throws Exception {
-    verify(rsp).sendError(eq(error), anyString());
-  }
-
-  @Test
-  public void testSuccess() throws Exception {
-    doSuccessfulTest("{\"key\":\"value\"}", ImmutableMap.<String, Object>of("a", 1));
-  }
-
-  @Test
-  public void testDoJsonPost_returnsNull_notAllowed() throws Exception {
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getContentType()).thenReturn(JSON_UTF_8.toString());
-    when(req.getReader()).thenReturn(new BufferedReader(new StringReader("{\"key\":\"value\"}")));
-    when(rsp.getWriter()).thenReturn(new PrintWriter(writer));
-    thrown.expect(NullPointerException.class);
-    new TestServlet(null).doPost(req, rsp);
-  }
-
-  private void doInvalidRequestTest(String requestJson) throws Exception {
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getContentType()).thenReturn(JSON_UTF_8.toString());
-    when(req.getReader()).thenReturn(new BufferedReader(new StringReader(requestJson)));
-    new TestServlet(null).doPost(req, rsp);
-    verifyFailure(SC_BAD_REQUEST);
-  }
-
-  @Test
-  public void testSuccess_emptyJsonNotAllowed() throws Exception {
-    doInvalidRequestTest("");
-  }
-
-  @Test
-  public void testFailure_badJson() throws Exception {
-    doInvalidRequestTest("{}{}");
-  }
-
-  @Test
-  public void testFailure_nonObjectJson_null() throws Exception {
-    doInvalidRequestTest("null");
-  }
-
-  @Test
-  public void testFailure_nonObjectJson_array() throws Exception {
-    doInvalidRequestTest("[]");
-  }
-
-  @Test
-  public void testErrorMessagesAreEscaped() throws Exception {
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getReader()).thenReturn(new BufferedReader(new StringReader("{}")));
-    when(req.getContentType()).thenReturn(JSON_UTF_8.toString());
-    new TestServlet(null) {
-      @Override
-      public Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input) {
-        throw new HttpException(123, "<script>", null){};
-      }}.doPost(req, rsp);
-    verify(rsp).sendError(123, "&lt;script&gt;");
-  }
-}
diff --git a/javatests/google/registry/security/XsrfProtectedServletTest.java b/javatests/google/registry/security/XsrfProtectedServletTest.java
deleted file mode 100644
index 7ffea83c0..000000000
--- a/javatests/google/registry/security/XsrfProtectedServletTest.java
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.security;
-
-import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
-import static google.registry.security.XsrfTokenManager.generateToken;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import google.registry.testing.AppEngineRule;
-import google.registry.testing.UserInfo;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.runners.MockitoJUnitRunner;
-
-/** Unit tests for {@link XsrfProtectedServlet}. */
-@RunWith(MockitoJUnitRunner.class)
-public class XsrfProtectedServletTest {
-
-  @Rule
-  public final AppEngineRule appEngine = AppEngineRule.builder()
-      .withDatastore()
-      .withUserService(UserInfo.create("test@example.com", "test@example.com"))
-      .build();
-
-  @Mock
-  HttpServletRequest req;
-
-  @Mock
-  HttpServletResponse rsp;
-
-  XsrfProtectedServlet servlet = new XsrfProtectedServlet("foo", false) {
-      @Override
-      protected void doPost(HttpServletRequest req, HttpServletResponse rsp) {
-        rsp.setStatus(SC_OK);
-      }};
-
-  String validXsrfToken;
-
-  @Before
-  public void init() {
-    this.validXsrfToken = generateToken("foo");
-  }
-
-  private void setup(String xsrf, String method) throws Exception {
-    when(req.getHeader(X_CSRF_TOKEN)).thenReturn(xsrf);
-    when(req.getMethod()).thenReturn(method);
-    when(req.getServletPath()).thenReturn("");
-  }
-
-  @Test
-  public void testSuccess() throws Exception {
-    setup(validXsrfToken, "post");
-    servlet.service(req, rsp);
-    verify(rsp).setStatus(SC_OK);
-  }
-
-  private void doInvalidRequestTest(String xsrf) throws Exception {
-    setup(xsrf, "post");
-    servlet.service(req, rsp);
-    verify(rsp).sendError(eq(SC_FORBIDDEN), anyString());
-  }
-
-  @Test
-  public void testFailure_badXsrfToken() throws Exception {
-    doInvalidRequestTest("foo");
-  }
-
-  @Test
-  public void testFailure_missingXsrfToken() throws Exception {
-    doInvalidRequestTest(null);
-  }
-
-  @Test
-  public void testFailure_notAdmin() throws Exception {
-    setup(validXsrfToken, "post");
-    new XsrfProtectedServlet("foo", true) {
-      @Override
-      protected void doPost(HttpServletRequest req, HttpServletResponse rsp) {
-        rsp.setStatus(SC_OK);
-      }}.service(req, rsp);
-    verify(rsp).sendError(eq(SC_FORBIDDEN), anyString());
-  }
-}
diff --git a/javatests/google/registry/server/RegistryTestServer.java b/javatests/google/registry/server/RegistryTestServer.java
index 6e9a1ffe9..bbbf59ffd 100644
--- a/javatests/google/registry/server/RegistryTestServer.java
+++ b/javatests/google/registry/server/RegistryTestServer.java
@@ -79,7 +79,7 @@ public final class RegistryTestServer {
       // Registrar Console
       route("/registrar", google.registry.module.frontend.FrontendServlet.class),
       route("/registrar-settings",
-          google.registry.ui.server.registrar.RegistrarServlet.class),
+          google.registry.module.frontend.FrontendServlet.class),
       route("/registrar-payment",
           google.registry.module.frontend.FrontendServlet.class),
       route("/registrar-payment-setup",
diff --git a/javatests/google/registry/ui/server/registrar/BUILD b/javatests/google/registry/ui/server/registrar/BUILD
index 8cef6379c..80a46e93a 100644
--- a/javatests/google/registry/ui/server/registrar/BUILD
+++ b/javatests/google/registry/ui/server/registrar/BUILD
@@ -32,6 +32,7 @@ java_library(
         "//java/google/registry/config",
         "//java/google/registry/export/sheet",
         "//java/google/registry/model",
+        "//java/google/registry/request",
         "//java/google/registry/security",
         "//java/google/registry/ui/server/registrar",
         "//java/google/registry/ui/soy/registrar:soy_java_wrappers",
diff --git a/javatests/google/registry/ui/server/registrar/ContactSettingsTest.java b/javatests/google/registry/ui/server/registrar/ContactSettingsTest.java
index 75d323cd4..c74c6f210 100644
--- a/javatests/google/registry/ui/server/registrar/ContactSettingsTest.java
+++ b/javatests/google/registry/ui/server/registrar/ContactSettingsTest.java
@@ -15,10 +15,8 @@
 package google.registry.ui.server.registrar;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.security.JsonHttpTestUtils.createJsonPayload;
 import static google.registry.testing.DatastoreHelper.persistResource;
 import static google.registry.testing.DatastoreHelper.persistSimpleResource;
-import static org.mockito.Mockito.when;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
@@ -34,33 +32,31 @@ import org.junit.runner.RunWith;
 import org.mockito.runners.MockitoJUnitRunner;
 
 /**
- * Unit tests for contact_settings.js use of {@link RegistrarServlet}.
+ * Unit tests for contact_settings.js use of {@link RegistrarAction}.
  *
  * <p>The default read and session validation tests are handled by the
  * superclass.
  */
 @RunWith(MockitoJUnitRunner.class)
-public class ContactSettingsTest extends RegistrarServletTestCase {
+public class ContactSettingsTest extends RegistrarActionTestCase {
 
   @Test
   public void testPost_readContacts_success() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "read",
-        "args", ImmutableMap.of())));
-    servlet.service(req, rsp);
+        "args", ImmutableMap.of()));
     @SuppressWarnings("unchecked")
-    List<Map<String, ?>> results = (List<Map<String, ?>>) json.get().get("results");
+    List<Map<String, ?>> results = (List<Map<String, ?>>) response.get("results");
     assertThat(results.get(0).get("contacts"))
         .isEqualTo(Registrar.loadByClientId(CLIENT_ID).toJsonMap().get("contacts"));
   }
 
   @Test
   public void testPost_loadSaveRegistrar_success() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", Registrar.loadByClientId(CLIENT_ID).toJsonMap())));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
+        "args", Registrar.loadByClientId(CLIENT_ID).toJsonMap()));
+    assertThat(response).containsEntry("status", "SUCCESS");
   }
 
   @Test
@@ -77,11 +73,10 @@ public class ContactSettingsTest extends RegistrarServletTestCase {
     Registrar registrar = Registrar.loadByClientId(CLIENT_ID);
     Map<String, Object> regMap = registrar.toJsonMap();
     regMap.put("contacts", ImmutableList.of(adminContact1));
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", regMap)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
+        "args", regMap));
+    assertThat(response).containsEntry("status", "SUCCESS");
 
     RegistrarContact newContact = new RegistrarContact.Builder()
         .setParent(registrar)
@@ -102,12 +97,11 @@ public class ContactSettingsTest extends RegistrarServletTestCase {
             .asBuilder()
             .setTypes(ImmutableList.<RegistrarContact.Type>of())
             .build().toJsonMap()));
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", reqJson)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("message", "Must have at least one "
+        "args", reqJson));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("message", "Must have at least one "
         + RegistrarContact.Type.ADMIN.getDisplayName() + " contact");
   }
 
@@ -127,12 +121,11 @@ public class ContactSettingsTest extends RegistrarServletTestCase {
     rc = rc.asBuilder().setPhoneNumber(null).build();
     Map<String, Object> reqJson = registrar.toJsonMap();
     reqJson.put("contacts", ImmutableList.of(rc.toJsonMap()));
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", reqJson)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("message", "At least one "
+        "args", reqJson));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("message", "At least one "
         + RegistrarContact.Type.TECH.getDisplayName() + " contact must have a phone number");
   }
 }
diff --git a/javatests/google/registry/ui/server/registrar/RegistrarActionTest.java b/javatests/google/registry/ui/server/registrar/RegistrarActionTest.java
new file mode 100644
index 000000000..dcfa96f8d
--- /dev/null
+++ b/javatests/google/registry/ui/server/registrar/RegistrarActionTest.java
@@ -0,0 +1,125 @@
+// Copyright 2016 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.registrar;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.testing.TaskQueueHelper.assertNoTasksEnqueued;
+import static google.registry.testing.TaskQueueHelper.assertTasksEnqueued;
+import static google.registry.util.ResourceUtils.readResourceUtf8;
+import static java.util.Arrays.asList;
+import static org.mockito.Mockito.anyInt;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import com.google.common.collect.ImmutableMap;
+import google.registry.export.sheet.SyncRegistrarsSheetAction;
+import google.registry.model.registrar.Registrar;
+import google.registry.testing.ExceptionRule;
+import google.registry.testing.TaskQueueHelper.TaskMatcher;
+import java.util.Map;
+import javax.mail.internet.InternetAddress;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+
+/** Tests for {@link RegistrarAction}. */
+@RunWith(MockitoJUnitRunner.class)
+public class RegistrarActionTest extends RegistrarActionTestCase {
+
+  @Rule
+  public final ExceptionRule  thrown = new ExceptionRule();
+
+  @Test
+  public void testSuccess_updateRegistrarInfo_andSendsNotificationEmail() throws Exception {
+    String expectedEmailBody = readResourceUtf8(getClass(), "testdata/update_registrar_email.txt");
+    action.handleJsonRequest(readJsonFromFile("testdata/update_registrar.json"));
+    verify(rsp, never()).setStatus(anyInt());
+    verify(emailService).createMessage();
+    verify(emailService).sendMessage(message);
+    assertThat(message.getAllRecipients()).asList().containsExactly(
+        new InternetAddress("notification@test.example"),
+        new InternetAddress("notification2@test.example"));
+    assertThat(message.getContent()).isEqualTo(expectedEmailBody);
+    assertTasksEnqueued("sheet", new TaskMatcher()
+        .url(SyncRegistrarsSheetAction.PATH)
+        .method("GET")
+        .header("Host", "backend.hostname"));
+  }
+
+  @Test
+  public void testFailure_updateRegistrarInfo_duplicateContacts() throws Exception {
+    Map<String, Object> response = action.handleJsonRequest(
+        readJsonFromFile("testdata/update_registrar_duplicate_contacts.json"));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat((String) response.get("message")).startsWith("One email address");
+  }
+
+  @Test
+  public void testRead_notAuthorized_failure() throws Exception {
+    when(sessionUtils.checkRegistrarConsoleLogin(req)).thenReturn(false);
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of());
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat((String) response.get("message")).startsWith("Not authorized");
+    assertNoTasksEnqueued("sheet");
+  }
+
+  /**
+   * This is the default read test for the registrar settings actions.
+   */
+  @Test
+  public void testRead_authorized_returnsRegistrarJson() throws Exception {
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of());
+    assertThat(response).containsEntry("status", "SUCCESS");
+    assertThat(response).containsEntry("results", asList(
+        Registrar.loadByClientId(CLIENT_ID).toJsonMap()));
+  }
+
+  @Test
+  public void testUpdate_emptyJsonObject_errorEmailFieldRequired() throws Exception {
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update",
+        "args", ImmutableMap.of()));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("field", "emailAddress");
+    assertThat(response).containsEntry("message", "This field is required.");
+    assertNoTasksEnqueued("sheet");
+  }
+
+  @Test
+  public void testUpdate_badEmail_errorEmailField() throws Exception {
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update",
+        "args", ImmutableMap.of(
+            "emailAddress", "lolcat")));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("field", "emailAddress");
+    assertThat(response).containsEntry("message", "Please enter a valid email address.");
+    assertNoTasksEnqueued("sheet");
+  }
+
+  @Test
+  public void testPost_nonAsciiCharacters_getsAngry() throws Exception {
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update",
+        "args", ImmutableMap.of(
+            "emailAddress", "ヘ(◕。◕ヘ)@example.com")));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("field", "emailAddress");
+    assertThat(response).containsEntry("message", "Please only use ASCII-US characters.");
+    assertNoTasksEnqueued("sheet");
+  }
+}
diff --git a/javatests/google/registry/ui/server/registrar/RegistrarServletTestCase.java b/javatests/google/registry/ui/server/registrar/RegistrarActionTestCase.java
similarity index 75%
rename from javatests/google/registry/ui/server/registrar/RegistrarServletTestCase.java
rename to javatests/google/registry/ui/server/registrar/RegistrarActionTestCase.java
index e322c5131..d14e6622e 100644
--- a/javatests/google/registry/ui/server/registrar/RegistrarServletTestCase.java
+++ b/javatests/google/registry/ui/server/registrar/RegistrarActionTestCase.java
@@ -17,14 +17,20 @@ package google.registry.ui.server.registrar;
 import static google.registry.security.JsonHttpTestUtils.createJsonPayload;
 import static google.registry.security.JsonHttpTestUtils.createJsonResponseSupplier;
 import static google.registry.security.XsrfTokenManager.generateToken;
+import static google.registry.util.ResourceUtils.readResourceUtf8;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.when;
 
 import com.google.appengine.api.modules.ModulesService;
 import com.google.common.base.Supplier;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.ofy.Ofy;
+import google.registry.model.registrar.Registrar;
+import google.registry.request.JsonActionRunner;
+import google.registry.request.JsonResponse;
+import google.registry.request.ResponseImpl;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.ExceptionRule;
 import google.registry.testing.FakeClock;
@@ -41,15 +47,17 @@ import javax.mail.internet.MimeMessage;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.joda.time.DateTime;
+import org.json.simple.JSONValue;
+import org.json.simple.parser.ParseException;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 
-/** Base class for tests using {@link RegistrarServlet}. */
+/** Base class for tests using {@link RegistrarAction}. */
 @RunWith(MockitoJUnitRunner.class)
-public class RegistrarServletTestCase {
+public class RegistrarActionTestCase {
 
   static final String CLIENT_ID = "TheRegistrar";
 
@@ -71,26 +79,32 @@ public class RegistrarServletTestCase {
   @Mock
   HttpServletResponse rsp;
 
-  @Mock
-  SessionUtils sessionUtils;
-
   @Mock
   SendEmailService emailService;
 
   @Mock
   ModulesService modulesService;
 
+  @Mock
+  SessionUtils sessionUtils;
+
   Message message;
 
-  final RegistrarServlet servlet = new RegistrarServlet();
+  final RegistrarAction action = new RegistrarAction();
   final StringWriter writer = new StringWriter();
   final Supplier<Map<String, Object>> json = createJsonResponseSupplier(writer);
   final FakeClock clock = new FakeClock(DateTime.parse("2014-01-01T00:00:00Z"));
 
   @Before
   public void setUp() throws Exception {
+    action.request = req;
+    action.sessionUtils = sessionUtils;
+    action.initialRegistrar = Registrar.loadByClientId(CLIENT_ID);
+    action.jsonActionRunner = new JsonActionRunner(
+        ImmutableMap.<String, Object>of(), new JsonResponse(new ResponseImpl(rsp)));
+    action.registrarChangesNotificationEmailAddresses = ImmutableList.of(
+        "notification@test.example", "notification2@test.example");
     inject.setStaticField(Ofy.class, "clock", clock);
-    inject.setStaticField(ResourceServlet.class, "sessionUtils", sessionUtils);
     inject.setStaticField(SendEmailUtils.class, "emailService", emailService);
     inject.setStaticField(SyncRegistrarsSheetAction.class, "modulesService", modulesService);
     message = new MimeMessage(Session.getDefaultInstance(new Properties(), null));
@@ -105,4 +119,13 @@ public class RegistrarServletTestCase {
     when(sessionUtils.getRegistrarClientId(req)).thenReturn(CLIENT_ID);
     when(modulesService.getVersionHostname("backend", null)).thenReturn("backend.hostname");
   }
+
+  protected Map<String, Object> readJsonFromFile(String filename) {
+    String contents = readResourceUtf8(getClass(), filename);
+    try {
+      return (Map<String, Object>) JSONValue.parseWithException(contents);
+    } catch (ParseException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
 }
diff --git a/javatests/google/registry/ui/server/registrar/RegistrarServletTest.java b/javatests/google/registry/ui/server/registrar/RegistrarServletTest.java
deleted file mode 100644
index e7d916b39..000000000
--- a/javatests/google/registry/ui/server/registrar/RegistrarServletTest.java
+++ /dev/null
@@ -1,168 +0,0 @@
-// Copyright 2016 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.ui.server.registrar;
-
-import static com.google.common.truth.Truth.assertThat;
-import static google.registry.security.JsonHttpTestUtils.createJsonPayload;
-import static google.registry.testing.TaskQueueHelper.assertNoTasksEnqueued;
-import static google.registry.testing.TaskQueueHelper.assertTasksEnqueued;
-import static google.registry.util.ResourceUtils.readResourceUtf8;
-import static java.util.Arrays.asList;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import com.google.common.collect.ImmutableMap;
-import google.registry.export.sheet.SyncRegistrarsSheetAction;
-import google.registry.model.registrar.Registrar;
-import google.registry.testing.TaskQueueHelper.TaskMatcher;
-import javax.mail.internet.InternetAddress;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-
-/** Tests for {@link RegistrarServlet}. */
-@RunWith(MockitoJUnitRunner.class)
-public class RegistrarServletTest extends RegistrarServletTestCase {
-
-  @Test
-  public void testSuccess_updateRegistrarInfo_andSendsNotificationEmail() throws Exception {
-    String jsonPostData = readResourceUtf8(getClass(), "testdata/update_registrar.json");
-    String expectedEmailBody = readResourceUtf8(getClass(), "testdata/update_registrar_email.txt");
-    when(req.getReader()).thenReturn(createJsonPayload(jsonPostData));
-    servlet.service(req, rsp);
-    verify(rsp).setStatus(SC_OK);
-    verify(emailService).createMessage();
-    verify(emailService).sendMessage(message);
-    assertThat(message.getAllRecipients()).asList().containsExactly(
-        new InternetAddress("notification@test.example"),
-        new InternetAddress("notification2@test.example"));
-    assertThat(message.getContent()).isEqualTo(expectedEmailBody);
-    assertTasksEnqueued("sheet", new TaskMatcher()
-        .url(SyncRegistrarsSheetAction.PATH)
-        .method("GET")
-        .header("Host", "backend.hostname"));
-  }
-
-  @Test
-  public void testFailure_updateRegistrarInfo_duplicateContacts() throws Exception {
-    String jsonPostData =
-        readResourceUtf8(getClass(), "testdata/update_registrar_duplicate_contacts.json");
-    when(req.getReader()).thenReturn(createJsonPayload(jsonPostData));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat((String) json.get().get("message")).startsWith("One email address");
-  }
-
-  @Test
-  public void testRead_missingXsrfToken_failure() throws Exception {
-    when(req.getHeader(eq("X-CSRF-Token"))).thenReturn("");
-    servlet.service(req, rsp);
-    verify(rsp).sendError(403, "Invalid X-CSRF-Token");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testRead_invalidXsrfToken_failure() throws Exception {
-    when(req.getHeader(eq("X-CSRF-Token"))).thenReturn("humbug");
-    servlet.service(req, rsp);
-    verify(rsp).sendError(403, "Invalid X-CSRF-Token");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testRead_notLoggedIn_failure() throws Exception {
-    when(sessionUtils.isLoggedIn()).thenReturn(false);
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("message", "Not logged in");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testRead_notAuthorized_failure() throws Exception {
-    when(sessionUtils.checkRegistrarConsoleLogin(req)).thenReturn(false);
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat((String) json.get().get("message")).startsWith("Not authorized");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testRead_emptyPayload_failure() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(""));
-    servlet.service(req, rsp);
-    verify(rsp).sendError(400, "Malformed JSON");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  /**
-   * This is the default read test for the registrar settings servlets.
-   */
-  @Test
-  public void testRead_authorized_returnsRegistrarJson() throws Exception {
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
-    assertThat(json.get()).containsEntry("results", asList(
-        Registrar.loadByClientId(CLIENT_ID).toJsonMap()));
-  }
-
-  @Test
-  public void testRead_authorized_nilClientId_failure() throws Exception {
-    String nilClientId = "doesnotexist";
-    when(sessionUtils.getRegistrarClientId(req)).thenReturn(nilClientId);
-    servlet.service(req, rsp);
-    verify(rsp).sendError(404, "No registrar exists with the given client id: " + nilClientId);
-  }
-
-  @Test
-  public void testUpdate_emptyJsonObject_errorEmailFieldRequired() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
-        "op", "update",
-        "args", ImmutableMap.of())));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("field", "emailAddress");
-    assertThat(json.get()).containsEntry("message", "This field is required.");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testUpdate_badEmail_errorEmailField() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
-        "op", "update",
-        "args", ImmutableMap.of(
-            "emailAddress", "lolcat"))));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("field", "emailAddress");
-    assertThat(json.get()).containsEntry("message", "Please enter a valid email address.");
-    assertNoTasksEnqueued("sheet");
-  }
-
-  @Test
-  public void testPost_nonAsciiCharacters_getsAngry() throws Exception {
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
-        "op", "update",
-        "args", ImmutableMap.of(
-            "emailAddress", "ヘ(◕。◕ヘ)@example.com"))));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("field", "emailAddress");
-    assertThat(json.get()).containsEntry("message", "Please only use ASCII-US characters.");
-    assertNoTasksEnqueued("sheet");
-  }
-}
diff --git a/javatests/google/registry/ui/server/registrar/SecuritySettingsTest.java b/javatests/google/registry/ui/server/registrar/SecuritySettingsTest.java
index 6576a0310..b9acab890 100644
--- a/javatests/google/registry/ui/server/registrar/SecuritySettingsTest.java
+++ b/javatests/google/registry/ui/server/registrar/SecuritySettingsTest.java
@@ -15,15 +15,12 @@
 package google.registry.ui.server.registrar;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.security.JsonHttpTestUtils.createJsonPayload;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT2;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT2_HASH;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT_HASH;
-import static google.registry.testing.DatastoreHelper.persistResource;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static java.util.Arrays.asList;
-import static org.mockito.Mockito.when;
 
 import com.google.common.collect.ImmutableMap;
 import google.registry.config.RegistryEnvironment;
@@ -34,31 +31,30 @@ import org.junit.runner.RunWith;
 import org.mockito.runners.MockitoJUnitRunner;
 
 /**
- * Unit tests for security_settings.js use of {@link RegistrarServlet}.
+ * Unit tests for security_settings.js use of {@link RegistrarAction}.
  *
  * <p>The default read and session validation tests are handled by the
  * superclass.
  */
 @RunWith(MockitoJUnitRunner.class)
-public class SecuritySettingsTest extends RegistrarServletTestCase {
+public class SecuritySettingsTest extends RegistrarActionTestCase {
 
   @Test
   public void testPost_updateCert_success() throws Exception {
     Registrar modified = Registrar.loadByClientId(CLIENT_ID).asBuilder()
         .setClientCertificate(SAMPLE_CERT, clock.nowUtc())
         .build();
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", modified.toJsonMap())));
-    servlet.service(req, rsp);
+        "args", modified.toJsonMap()));
     // Empty whoisServer and referralUrl fields should be set to defaults by server.
     modified = modified.asBuilder()
         .setWhoisServer(RegistryEnvironment.get().config().getRegistrarDefaultWhoisServer())
         .setReferralUrl(
             RegistryEnvironment.get().config().getRegistrarDefaultReferralUrl().toString())
         .build();
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
-    assertThat(json.get()).containsEntry("results", asList(modified.toJsonMap()));
+    assertThat(response).containsEntry("status", "SUCCESS");
+    assertThat(response).containsEntry("results", asList(modified.toJsonMap()));
     assertThat(Registrar.loadByClientId(CLIENT_ID)).isEqualTo(modified);
   }
 
@@ -66,12 +62,11 @@ public class SecuritySettingsTest extends RegistrarServletTestCase {
   public void testPost_updateCert_failure() throws Exception {
     Map<String, Object> reqJson = Registrar.loadByClientId(CLIENT_ID).toJsonMap();
     reqJson.put("clientCertificate", "BLAH");
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", reqJson)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "ERROR");
-    assertThat(json.get()).containsEntry("message", "Invalid X.509 PEM certificate");
+        "args", reqJson));
+    assertThat(response).containsEntry("status", "ERROR");
+    assertThat(response).containsEntry("message", "Invalid X.509 PEM certificate");
   }
 
   @Test
@@ -79,10 +74,9 @@ public class SecuritySettingsTest extends RegistrarServletTestCase {
     Map<String, Object> jsonMap = Registrar.loadByClientId(CLIENT_ID).toJsonMap();
     jsonMap.put("clientCertificate", SAMPLE_CERT);
     jsonMap.put("failoverClientCertificate", null);
-    when(req.getReader()).thenReturn(
-        createJsonPayload(ImmutableMap.of("op", "update", "args", jsonMap)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update", "args", jsonMap));
+    assertThat(response).containsEntry("status", "SUCCESS");
     Registrar registrar = Registrar.loadByClientId(CLIENT_ID);
     assertThat(registrar.getClientCertificate()).isEqualTo(SAMPLE_CERT);
     assertThat(registrar.getClientCertificateHash()).isEqualTo(SAMPLE_CERT_HASH);
@@ -94,10 +88,9 @@ public class SecuritySettingsTest extends RegistrarServletTestCase {
   public void testChangeFailoverCertificate() throws Exception {
     Map<String, Object> jsonMap = Registrar.loadByClientId(CLIENT_ID).toJsonMap();
     jsonMap.put("failoverClientCertificate", SAMPLE_CERT2);
-    when(req.getReader()).thenReturn(
-        createJsonPayload(ImmutableMap.of("op", "update", "args", jsonMap)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update", "args", jsonMap));
+    assertThat(response).containsEntry("status", "SUCCESS");
     Registrar registrar = Registrar.loadByClientId(CLIENT_ID);
     assertThat(registrar.getFailoverClientCertificate()).isEqualTo(SAMPLE_CERT2);
     assertThat(registrar.getFailoverClientCertificateHash()).isEqualTo(SAMPLE_CERT2_HASH);
@@ -105,18 +98,17 @@ public class SecuritySettingsTest extends RegistrarServletTestCase {
 
   @Test
   public void testEmptyOrNullCertificate_doesNotClearOutCurrentOne() throws Exception {
-    persistResource(
+    action.initialRegistrar =
         Registrar.loadByClientId(CLIENT_ID).asBuilder()
             .setClientCertificate(SAMPLE_CERT, START_OF_TIME)
             .setFailoverClientCertificate(SAMPLE_CERT2, START_OF_TIME)
-            .build());
-    Map<String, Object> jsonMap = Registrar.loadByClientId(CLIENT_ID).toJsonMap();
+            .build();
+    Map<String, Object> jsonMap = action.initialRegistrar.toJsonMap();
     jsonMap.put("clientCertificate", null);
     jsonMap.put("failoverClientCertificate", "");
-    when(req.getReader()).thenReturn(
-        createJsonPayload(ImmutableMap.of("op", "update", "args", jsonMap)));
-    servlet.service(req, rsp);
-    assertThat(json.get()).containsEntry("status", "SUCCESS");
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
+        "op", "update", "args", jsonMap));
+    assertThat(response).containsEntry("status", "SUCCESS");
     Registrar registrar = Registrar.loadByClientId(CLIENT_ID);
     assertThat(registrar.getClientCertificate()).isEqualTo(SAMPLE_CERT);
     assertThat(registrar.getClientCertificateHash()).isEqualTo(SAMPLE_CERT_HASH);
diff --git a/javatests/google/registry/ui/server/registrar/WhoisSettingsTest.java b/javatests/google/registry/ui/server/registrar/WhoisSettingsTest.java
index 77cdf45a2..c614e3607 100644
--- a/javatests/google/registry/ui/server/registrar/WhoisSettingsTest.java
+++ b/javatests/google/registry/ui/server/registrar/WhoisSettingsTest.java
@@ -16,25 +16,24 @@ package google.registry.ui.server.registrar;
 
 import static com.google.common.base.Strings.repeat;
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.security.JsonHttpTestUtils.createJsonPayload;
 import static java.util.Arrays.asList;
-import static org.mockito.Mockito.when;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
+import java.util.Map;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.runners.MockitoJUnitRunner;
 
 /**
- * Unit tests for security_settings.js use of {@link RegistrarServlet}.
+ * Unit tests for security_settings.js use of {@link RegistrarAction}.
  *
  * <p>The default read and session validation tests are handled by the superclass.
  */
 @RunWith(MockitoJUnitRunner.class)
-public class WhoisSettingsTest extends RegistrarServletTestCase {
+public class WhoisSettingsTest extends RegistrarActionTestCase {
 
   @Test
   public void testPost_update_success() throws Exception {
@@ -52,12 +51,11 @@ public class WhoisSettingsTest extends RegistrarServletTestCase {
             .setCountryCode("US")
             .build())
         .build();
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", modified.toJsonMap())));
-    servlet.service(req, rsp);
-    assertThat(json.get().get("status")).isEqualTo("SUCCESS");
-    assertThat(json.get().get("results")).isEqualTo(asList(modified.toJsonMap()));
+        "args", modified.toJsonMap()));
+    assertThat(response.get("status")).isEqualTo("SUCCESS");
+    assertThat(response.get("results")).isEqualTo(asList(modified.toJsonMap()));
     assertThat(Registrar.loadByClientId(CLIENT_ID)).isEqualTo(modified);
   }
 
@@ -75,13 +73,12 @@ public class WhoisSettingsTest extends RegistrarServletTestCase {
             .setCountryCode("US")
             .build())
         .build();
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", modified.toJsonMap())));
-    servlet.service(req, rsp);
-    assertThat(json.get().get("status")).isEqualTo("ERROR");
-    assertThat(json.get().get("field")).isEqualTo("localizedAddress.state");
-    assertThat(json.get().get("message")).isEqualTo("Unknown US state code.");
+        "args", modified.toJsonMap()));
+    assertThat(response.get("status")).isEqualTo("ERROR");
+    assertThat(response.get("field")).isEqualTo("localizedAddress.state");
+    assertThat(response.get("message")).isEqualTo("Unknown US state code.");
     assertThat(Registrar.loadByClientId(CLIENT_ID)).isNotEqualTo(modified);
   }
 
@@ -99,13 +96,12 @@ public class WhoisSettingsTest extends RegistrarServletTestCase {
             .setCountryCode("US")
             .build())
         .build();
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", modified.toJsonMap())));
-    servlet.service(req, rsp);
-    assertThat(json.get().get("status")).isEqualTo("ERROR");
-    assertThat(json.get().get("field")).isEqualTo("localizedAddress.street[1]");
-    assertThat((String) json.get().get("message"))
+        "args", modified.toJsonMap()));
+    assertThat(response.get("status")).isEqualTo("ERROR");
+    assertThat(response.get("field")).isEqualTo("localizedAddress.street[1]");
+    assertThat((String) response.get("message"))
         .contains("Number of characters (600) not in range");
     assertThat(Registrar.loadByClientId(CLIENT_ID)).isNotEqualTo(modified);
   }
@@ -115,13 +111,12 @@ public class WhoisSettingsTest extends RegistrarServletTestCase {
     Registrar modified = Registrar.loadByClientId(CLIENT_ID).asBuilder()
         .setWhoisServer("tears@dry.tragical.lol")
         .build();
-    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of(
+    Map<String, Object> response = action.handleJsonRequest(ImmutableMap.of(
         "op", "update",
-        "args", modified.toJsonMap())));
-    servlet.service(req, rsp);
-    assertThat(json.get().get("status")).isEqualTo("ERROR");
-    assertThat(json.get().get("field")).isEqualTo("whoisServer");
-    assertThat(json.get().get("message")).isEqualTo("Not a valid hostname.");
+        "args", modified.toJsonMap()));
+    assertThat(response.get("status")).isEqualTo("ERROR");
+    assertThat(response.get("field")).isEqualTo("whoisServer");
+    assertThat(response.get("message")).isEqualTo("Not a valid hostname.");
     assertThat(Registrar.loadByClientId(CLIENT_ID)).isNotEqualTo(modified);
   }
 }