Package org.forgerock.services.context

Class SecurityContext

  • All Implemented Interfaces:
    Context
    public final class SecurityContext
extends AbstractContext
    A Context containing information about the client performing the request which may be used when performing authorization decisions. A security context will typically be created for each REST request and comprises of two fields:
    • an authentication ID which is the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used when performing authorization decisions.
    • an authorization ID which is a map containing additional principals associated with the client and which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN).
    The following code illustrates how an application may obtain the realm associated with a user: 
     Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
 
     {
   "id"     : "56f0fb7e-3837-464d-b9ec-9d3b6af665c3",
   "class"  : "org.forgerock.services.context.SecurityContext",
   "parent" : {
       ...
   },
   "authenticationId" : "bjensen@example.com",
   "authorization" : {
       "id"        : "1230fb7e-f83b-464d-19ef-789b6af66456",
       "component" : "users",
       "roles"     : [
           "administrators"
       ],
       "dn"        : "cn=bjensen,ou=people,dc=example,dc=com"
   }
 }

    • Field Detail

      • AUTHZID_COMPONENT

        public static final String AUTHZID_COMPONENT
        The authorization ID name reserved for the name of the component in which a user's resource is located, e.g. "users".
        See Also:
        Constant Field Values

      • AUTHZID_DN

        public static final String AUTHZID_DN
        The authorization ID name reserved for the user's LDAP distinguished name.
        See Also:
        Constant Field Values

      • AUTHZID_ID

        public static final String AUTHZID_ID
        The authorization ID principal name reserved for a user's unique identifier.
        See Also:
        Constant Field Values

      • AUTHZID_REALM

        public static final String AUTHZID_REALM
        The authorization ID name reserved for a user's realm.
        See Also:
        Constant Field Values

      • AUTHZID_ROLES

        public static final String AUTHZID_ROLES
        The authorization ID name reserved for the array of roles associated with the user.
        See Also:
        Constant Field Values

    • Constructor Detail

      • SecurityContext

        public SecurityContext​(Context parent,
                       String authenticationId,
                       Map<String,​Object> authorization)
        Creates a new security context having the provided parent and an ID automatically generated using UUID.randomUUID().
        Parameters:
        parent - The parent context.
        authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.
        authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

      • SecurityContext

        public SecurityContext​(String id,
                       Context parent,
                       String authenticationId,
                       Map<String,​Object> authorization)
        Creates a new security context having the provided ID, and parent.
        Parameters:
        id - The context ID.
        parent - The parent context.
        authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.
        authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

      • SecurityContext

        public SecurityContext​(JsonValue savedContext,
                       ClassLoader classLoader)
        Restore from JSON representation.
        Parameters:
        savedContext - The JSON representation from which this context's attributes should be parsed.
        classLoader - The ClassLoader which can properly resolve the persisted class-name.

    • Method Detail

      • getAuthenticationId

        public String getAuthenticationId()
        Returns the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used for authorization decisions.
        Returns:
        The principal that the client used during authentication, which may be empty (but never null) indicating that the client is unauthenticated.

      • getAuthorization

        public Map<String,​Object> getAuthorization()
        Returns an unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN). The following code illustrates how an application may obtain the realm associated with a user: 
         Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
        Returns:
        An unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. The returned map may be empty (but never null) indicating that the client is is to be treated as an anonymous user.