Class SecurityContextFactory

java.lang.Object
org.forgerock.json.resource.http.SecurityContextFactory
All Implemented Interfaces:
HttpContextFactory

@Deprecated public final class SecurityContextFactory extends Object implements HttpContextFactory
Deprecated.
This class will be removed once CAF has been migrated fully to CHF, at which point components should create SecurityContexts directly rather than via request attributes.
An HTTP context factory which will create a SecurityContext whose authentication ID and authorization ID are taken from attributes contained in the HTTP request.

This class provides integration with the common authentication framework and is intended to work as follows:

  1. An incoming HTTP request is first intercepted by an HTTP filter responsible for authenticating the request.
  2. If authentication is successful, the authentication filter determines the set of principals associated with the user which may be required in order to perform authorization. These principals may include the user's unique ID, realm, groups, roles, or LDAP DN, etc.
  3. The authentication filter constructs a Map<String, Object> containing the principals keyed on the principal name. NOTE: various reserved principal names are defined in SecurityContext.
  4. The authentication filter stores the authentication ID (the name which the user identified themselves with during authentication) in the HTTP servlet request's ATTRIBUTE_AUTHCID attribute.
  5. The authentication filter stores the Map containing the authorization principals in the HTTP servlet request's ATTRIBUTE_AUTHZID attribute.
  6. The JSON Resource Handler uses the SecurityContextFactory to obtain the authentication ID and authorization principals from the HTTP request's attributes.
The following code illustrates how an authentication HTTP filter can populate the attributes:
 
 public Promise<Response, ResponseException> filter(Context context, Request request, Handler next) {
     // Authenticate the user.
     String authcid = getUserName(request);
     String password = getPassword(request);

     // Add the attributes only when the credentials check succeeds.
     if (checkCredentials(authcid, password)) {
         // Obtain principals for authorization.
         Map<String, Object> authzid = new HashMap<>();
         authzid.put(AUTHZID_ID, id); // id: the user's unique ID
         ...

         AttributesContext attributesContext = context.asContext(AttributesContext.class);
         attributesContext.getAttributes().put(ATTRIBUTE_AUTHCID, authcid);
         attributesContext.getAttributes().put(ATTRIBUTE_AUTHZID, authzid);
     }

     // Pass the request down the chain; the attributes are absent if authentication failed.
     return next.handle(context, request);
 }
 
 
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    ATTRIBUTE_AUTHCID
    Deprecated.
    The name of the HTTP Request attribute where this factory expects to find the authenticated user's authentication ID.
    static final String
    ATTRIBUTE_AUTHZID
    Deprecated.
    The name of the HTTP Request attribute where this factory expects to find the authenticated user's authorization ID.
  • Method Summary

    Modifier and Type
    Method
    Description
    org.forgerock.services.context.SecurityContext
    createContext(org.forgerock.services.context.Context parent)
    Deprecated.
    Creates a new SecurityContext using the attributes contained in the provided HTTP request.
    org.forgerock.services.context.SecurityContext
    createContext(org.forgerock.services.context.Context context, org.forgerock.http.protocol.Request request)
    Deprecated.
    Creates a new SecurityContext using the attributes contained in the provided HTTP request.
    static SecurityContextFactory
    getHttpServletContextFactory()
    Deprecated.
    Returns the singleton security context factory which can be used for obtaining context information from an HTTP request.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • ATTRIBUTE_AUTHCID

      public static final String ATTRIBUTE_AUTHCID
      Deprecated.
      The name of the HTTP Request attribute where this factory expects to find the authenticated user's authentication ID. The name of this attribute is org.forgerock.authentication.principal and it MUST contain a String if it is present.
    • ATTRIBUTE_AUTHZID

      public static final String ATTRIBUTE_AUTHZID
      Deprecated.
      The name of the HTTP Request attribute where this factory expects to find the authenticated user's authorization ID. The name of this attribute is org.forgerock.authentication.context and it MUST contain a Map<String, Object> if it is present.
  • Method Details

    • getHttpServletContextFactory

      public static SecurityContextFactory getHttpServletContextFactory()
      Deprecated.
      Returns the singleton security context factory which can be used for obtaining context information from an HTTP request.
      Returns:
      The singleton security context factory.
    • createContext

      public org.forgerock.services.context.SecurityContext createContext(org.forgerock.services.context.Context parent) throws ResourceException
      Deprecated.
      Creates a new SecurityContext using the attributes contained in the provided HTTP request. The authentication ID will be obtained from the ATTRIBUTE_AUTHCID attribute, and the authorization ID will be obtained from the ATTRIBUTE_AUTHZID attribute.

      It is not an error if either of the attributes is not present, but a ResourceException will be thrown if they are present but have the wrong type.

      Parameters:
      parent - The parent context.
      Returns:
      A security context initialized using the attributes contained in the provided HTTP request.
      Throws:
      ResourceException - If one of the attributes was present but had the wrong type.
    • createContext

      public org.forgerock.services.context.SecurityContext createContext(org.forgerock.services.context.Context context, org.forgerock.http.protocol.Request request) throws ResourceException
      Deprecated.
      Creates a new SecurityContext using the attributes contained in the provided HTTP request. The authentication ID will be obtained from the ATTRIBUTE_AUTHCID attribute, and the authorization ID will be obtained from the ATTRIBUTE_AUTHZID attribute.

      It is not an error if either of the attributes is not present, but a ResourceException will be thrown if they are present but have the wrong type.

      Specified by:
      createContext in interface HttpContextFactory
      Parameters:
      context - The parent context.
      request - The HTTP request from which the authentication ID and authorization ID attributes should be obtained.
      Returns:
      A security context initialized using the attributes contained in the provided HTTP request.
      Throws:
      ResourceException - If one of the attributes was present but had the wrong type.
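
The attribute contract that both createContext methods describe (absent attributes are accepted, wrongly typed ones are rejected), as an added stand-alone example that is not ForgeRock's implementation. The class and method names are hypothetical, the sample values are constructed, and IllegalArgumentException stands in for ResourceException so that the code compiles without the ForgeRock libraries.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class SecurityAttributeContract {
    // Attribute names as given in the field details on this page.
    static final String ATTRIBUTE_AUTHCID = "org.forgerock.authentication.principal";
    static final String ATTRIBUTE_AUTHZID = "org.forgerock.authentication.context";

    // Absent is allowed; present with the wrong type is rejected.
    // IllegalArgumentException is a stand-in for ResourceException (assumption).
    static <T> Optional<T> typed(Map<String, Object> attrs, String name, Class<T> type) {
        Object value = attrs.get(name);
        if (value == null) {
            return Optional.empty();
        }
        if (!type.isInstance(value)) {
            throw new IllegalArgumentException(name + " must be a " + type.getSimpleName()
                    + " but was " + value.getClass().getSimpleName());
        }
        return Optional.of(type.cast(value));
    }

    // Fail closed: because a missing authentication ID is not an error,
    // downstream code has to treat its absence as "not authenticated".
    static boolean isAuthenticated(Map<String, Object> attrs) {
        typed(attrs, ATTRIBUTE_AUTHZID, Map.class); // validate the type even if unused here
        return typed(attrs, ATTRIBUTE_AUTHCID, String.class).isPresent();
    }

    public static void main(String[] args) {
        // Constructed sample: both attributes set by a successful authentication filter.
        Map<String, Object> ok = new HashMap<>();
        ok.put(ATTRIBUTE_AUTHCID, "bjensen");
        ok.put(ATTRIBUTE_AUTHZID, Map.of("id", "bjensen"));
        System.out.println("populated:  " + isAuthenticated(ok));

        // Constructed sample: the filter added nothing (authentication failed).
        System.out.println("empty:      " + isAuthenticated(new HashMap<>()));

        // Constructed sample: authorization ID stored as a String instead of a Map.
        Map<String, Object> bad = new HashMap<>(ok);
        bad.put(ATTRIBUTE_AUTHZID, "uid=bjensen");
        try {
            isAuthenticated(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("wrong type: rejected, " + e.getMessage());
        }
    }
}
```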