Package org.forgerock.services.context

Class SecurityContext

java.lang.Object
org.forgerock.services.context.AbstractContext
org.forgerock.services.context.SecurityContext
All Implemented Interfaces:
Context
public final class SecurityContext extends AbstractContext
A Context containing information about the client performing the request which may be used when performing authorization decisions. A security context will typically be created for each REST request and comprises of two fields:
  • an authentication ID which is the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used when performing authorization decisions.
  • an authorization ID which is a map containing additional principals associated with the client and which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN).
The following code illustrates how an application may obtain the realm associated with a user: 
 Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
 
 {
   "id"     : "56f0fb7e-3837-464d-b9ec-9d3b6af665c3",
   "class"  : "org.forgerock.services.context.SecurityContext",
   "parent" : {
       ...
   },
   "authenticationId" : "bjensen@example.com",
   "authorization" : {
       "id"        : "1230fb7e-f83b-464d-19ef-789b6af66456",
       "component" : "users",
       "roles"     : [
           "administrators"
       ],
       "dn"        : "cn=bjensen,ou=people,dc=example,dc=com"
   }
 }

  • Field Details

    • AUTHZID_COMPONENT

      public static final String AUTHZID_COMPONENT
      The authorization ID name reserved for the name of the component in which a user's resource is located, e.g. "users".
      See Also:

    • AUTHZID_DN

      public static final String AUTHZID_DN
      The authorization ID name reserved for the user's LDAP distinguished name.
      See Also:

    • AUTHZID_ID

      public static final String AUTHZID_ID
      The authorization ID principal name reserved for a user's unique identifier.
      See Also:

    • AUTHZID_REALM

      public static final String AUTHZID_REALM
      The authorization ID name reserved for a user's realm.
      See Also:

    • AUTHZID_ROLES

      public static final String AUTHZID_ROLES
      The authorization ID name reserved for the array of roles associated with the user.
      See Also:

  • Constructor Details

    • SecurityContext

      public SecurityContext(Context parent, String authenticationId, Map<String,Object> authorization)
      Creates a new security context having the provided parent and an ID automatically generated using UUID.randomUUID().
      Parameters:
      parent - The parent context.
      authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.
      authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

    • SecurityContext

      public SecurityContext(String id, Context parent, String authenticationId, Map<String,Object> authorization)
      Creates a new security context having the provided ID, and parent.
      Parameters:
      id - The context ID.
      parent - The parent context.
      authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.
      authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

    • SecurityContext

      public SecurityContext(JsonValue savedContext, ClassLoader classLoader)
      Restore from JSON representation.
      Parameters:
      savedContext - The JSON representation from which this context's attributes should be parsed.
      classLoader - The ClassLoader which can properly resolve the persisted class-name.

  • Method Details

    • getAuthenticationId

      public String getAuthenticationId()
      Returns the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used for authorization decisions.
      Returns:
      The principal that the client used during authentication, which may be empty (but never null) indicating that the client is unauthenticated.

    • getAuthorization

      public Map<String,Object> getAuthorization()
      Returns an unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN). The following code illustrates how an application may obtain the realm associated with a user: 
       Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
      Returns:
      An unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. The returned map may be empty (but never null) indicating that the client is is to be treated as an anonymous user.