Package org.forgerock.json.resource.http

Class SecurityContextFactory

  • All Implemented Interfaces:
    HttpContextFactory
    @Deprecated
public final class SecurityContextFactory
extends Object
implements HttpContextFactory
    Deprecated.
    This class will be removed once CAF has been migrated fully to CHF, at which point components should create SecurityContexts directly rather than via request attributes.
    An HTTP context factory which will create a SecurityContext whose authentication ID and authorization ID are taken from attributes contained in the HTTP request.

    This class provides integration with the common authentication framework and is intended to work as follows:

    1. An incoming HTTP request is first intercepted by a HTTP filter responsible for authenticating the request.
    2. If authentication is successful, the authentication filter determines the set of principals associated with the user which may be required in order to perform authorization. These principals may include the user's unique ID, realm, groups, roles, or LDAP DN, etc.
    3. The authentication filter constructs a Map<String, Object> containing the principals keyed on the principal name. NOTE: various reserved principal names are defined in SecurityContext.
    4. The authentication filter stores the authentication ID (the name which the user identified themselves with during authentication) in the HTTP servlet request's ATTRIBUTE_AUTHCID attribute.
    5. The authentication filter stores the Map containing the authorization principals in the HTTP servlet request's ATTRIBUTE_AUTHZID attribute.
    6. The JSON Resource Handler uses the SecurityContextFactory to obtain the authentication ID and authorization principals from the HTTP request's attributes.
    The following code illustrates how an authentication HTTP filter can populate the attributes: 
     
 public Promise<Response, ResponseException> filter(Context context, Request request, Handler next) {
     // Authenticate the user.
     String authcid = getUserName(request);
     String password = getPassword(request);

     // Add the attributes.
     if (checkCredentials(authcid, password)) {
         // Obtain principals for authorization.
         Map<String, Object> authzid = new HashMap<>();
         authzid.put(AUTHZID_ID, id);
         ...

         AttributesContext attributesContext = context.asContext(AttributesContext.class);
         attributesContext.getAttributes().put(ATTRIBUTE_AUTHCID, authcid);
         attributesContext.getAttributes().put(ATTRIBUTE_AUTHZID, authzid);
     }
 }

    • Field Detail

      • ATTRIBUTE_AUTHCID

        public static final String ATTRIBUTE_AUTHCID
        Deprecated.
        The name of the HTTP Request attribute where this factory expects to find the authenticated user's authentication ID. The name of this attribute is org.forgerock.authentication.principal and it MUST contain a String if it is present.
        See Also:
        SecurityContext.getAuthenticationId(), Constant Field Values

      • ATTRIBUTE_AUTHZID

        public static final String ATTRIBUTE_AUTHZID
        Deprecated.
        The name of the HTTP Request attribute where this factory expects to find the authenticated user's authorization ID. The name of this attribute is org.forgerock.authentication.context and it MUST contain a Map<String, Object> if it is present.
        See Also:
        SecurityContext.getAuthorization(), Constant Field Values

    • Method Detail

      • getHttpServletContextFactory

        public static SecurityContextFactory getHttpServletContextFactory()
        Deprecated.
        Returns the singleton security context factory which can be used for obtaining context information from a HTTP request.
        Returns:
        The singleton security context factory.

      • createContext

        public SecurityContext createContext​(Context parent)
                              throws ResourceException
        Deprecated.
        Creates a new SecurityContext using the attributes contained in the provided HTTP request. The authentication ID will be obtained from the ATTRIBUTE_AUTHCID attribute, and the authorization ID will be obtained from the ATTRIBUTE_AUTHCID attribute.

        It is not an error if either of the attributes are not present, but a ResourceException will be thrown if they are present but have the wrong type.

        Parameters:
        parent - The parent context.
        Returns:
        A security context initialized using the attributes contained in the provided HTTP request.
        Throws:
        ResourceException - If one of the attributes was present but had the wrong type.

      • createContext

        public SecurityContext createContext​(Context context,
                                     Request request)
                              throws ResourceException
        Deprecated.
        Creates a new SecurityContext using the attributes contained in the provided HTTP request. The authentication ID will be obtained from the ATTRIBUTE_AUTHCID attribute, and the authorization ID will be obtained from the ATTRIBUTE_AUTHCID attribute.

        It is not an error if either of the attributes are not present, but a ResourceException will be thrown if they are present but have the wrong type.

        Specified by:
        createContext in interface HttpContextFactory
        Parameters:
        context - The parent context.
        request - The HTTP request from which the authentication ID and authorization ID attributes should be obtained.
        Returns:
        A security context initialized using the attributes contained in the provided HTTP request.
        Throws:
        ResourceException - If one of the attributes was present but had the wrong type.