--- title: Requests, responses, and contexts description: Contexts provide contextual information about the handled request, such as information about the client making the request, the session, the authentication or authorization identity of the principal, and any other state information associated with the request. Contexts provide a means to access state information throughout the duration of the HTTP session between the client and protected application, including when this involves interaction with additional services. component: pinggateway version: 7.2 page_id: pinggateway:reference:RequestsResponsesContexts canonical_url: https://docs.pingidentity.com/pinggateway/7.2/reference/RequestsResponsesContexts.html revdate: 2022-04-12T12:16:42Z section_ids: Attributes: AttributesContext Attributes-properties: Properties Attributes-moreinfo: More information AuthRedirectContext: AuthRedirectContext AuthRedirectContext-properties: Properties AuthRedirectContext-moreinfo: More information CapturedUserPasswordContext: CapturedUserPasswordContext CapturedUserPasswordContext-properties: Properties CapturedUserPasswordContext-moreinfo: More information Client: ClientContext Client-properties: Properties Client-moreinfo: More information Contexts: Contexts Contexts-properties: Properties Contexts-moreinfo: More information CdSsoContext: CdSsoContext CdSsoContext-properties: Properties CdSsoContext-moreinfo: More information CdSsoFailureContext: CdSsoFailureContext CdSsoFailureContext-properties: Properties CdSsoFailureContext-moreinfo: More information JwtBuilderContext: JwtBuilderContext JwtBuilderContext-properties: Properties JwtBuilderContext-moreinfo: More information JwtValidationContext: JwtValidationContext JwtValidationContext-properties: Properties JwtValidationContext-moreinfo: More information JwtValidationErrorContext: JwtValidationErrorContext JwtValidationErrorContext-properties: Properties JwtValidationErrorContext-moreinfo: More information OAuth2Context: OAuth2Context OAuth2Context-properties: Properties OAuth2Context-moreinfo: More information OAuth2TokenExchangeContext: OAuth2TokenExchangeContext OAuth2TokenExchangeContext-properties: Properties OAuth2TokenExchangeContext-moreinfo: More information OAuth2FailureContext: OAuth2FailureContext OAuth2FailureContext-properties: Properties OAuth2FailureContext-moreinfo: More information PolicyDecisionContext: PolicyDecisionContext PolicyDecisionContext-properties: Properties PolicyDecisionContext-moreinfo: More information Request: Request Request-properties: Properties Request-moreinfo: More information Response: Response Response-properties: Properties Response-moreinfo: More information Session: SessionContext Session-properties: Properties Session-moreinfo: More information SessionInfoContext: SessionInfoContext SessionInfoContext-properties: Properties SessionInfoContext-moreinfo: More information SsoTokenContext: SsoTokenContext SsoTokenContext-properties: Properties SsoTokenContext-moreinfo: More information Status: Status Status-properties: Properties Status-moreinfo: More information StsContext: StsContext StsContext-properties: Properties StsContext-moreinfo: More information TransactionIdContext: TransactionIdContext TransactionIdContext-properties: Properties TransactionIdContext-moreinfo: More information URI: URI URI-properties: Properties URI-moreinfo: More information UriRouterContext: UriRouterContext UriRouterContext-properties: Properties UriRouterContext-moreinfo: More information UserProfileContext: UserProfileContext UserProfileContext-propeties: Properties UserProfileContext-moreinfo: More information --- # Requests, responses, and contexts Contexts provide contextual information about the handled request, such as information about the client making the request, the session, the authentication or authorization identity of the principal, and any other state information associated with the request. Contexts provide a means to access state information throughout the duration of the HTTP session between the client and protected application, including when this involves interaction with additional services. Each filter can add to the contextual information by enriching the existing context (for example, by storing objects in sessions or attributes), or by providing a new context tailored for a specific purpose. Unlike session information, which spans multiple request/response exchanges, contexts last only for the duration of the request/response exchange, and are then lost. ## AttributesContext Provides a map for request attributes. When IG processes a single request, it injects transient state information about the request into this context. Attributes stored when processing one request are not accessible when processing a subsequent request. IG automatically provides access to the `attributes` field through the `attributes` bindings in expressions. For example, to access a username with an expression, use `${attributes.credentials.username}` instead of `${contexts.attributes.attributes.credentials.username}` Use [SessionContext](#Session) to maintain state between successive requests from the same logical client. ### Properties The context is named `attributes`, and is accessible at `${attributes}`. The context has the following property: * `"attributes"`: [map](preface.html#definition-map) Map of information conveyed between filters and handlers. Cannot be null. ### More information [org.forgerock.services.context.AttributesContext](../_attachments/apidocs/org/forgerock/services/context/AttributesContext.html) ## AuthRedirectContext Used by the FragmentFilter to indicate that a login redirect is pending. ### Properties * `"isImpendingIgRedirectNotified"`: boolean Returns `true` if a downstream filter notifies IG that it will redirect a login attempt. Otherwise, `false`. * `"notifyImpendingIgRedirect"` IG sets this context to `true` when a filter triggers a redirect which will be followed by a subsequent request to the original URI. For example, a request to `example.com/profile` triggers a login redirect to `example.com/login`. After authentication, the request is expected to be redirected to the original URI, `example.com/profile`. ### More information [FragmentFilter](Filters.html#FragmentFilter) [org.forgerock.openig.filter.AuthRedirectContext](../_attachments/apidocs/org/forgerock/openig/filter/AuthRedirectContext.html) [URI Fragment](https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Fragment) [Fragment RFC](https://www.rfc-editor.org/rfc/rfc3986#section-3.5) ## CapturedUserPasswordContext Provides the decrypted AM password of the current user. When the [CapturedUserPasswordFilter](Filters.html#CapturedUserPasswordFilter) processes a request, it injects the decrypted password from AM into this context. ### Properties The context is named `capturedPassword`, and is accessible at `${contexts.capturedPassword}`. The context has the following properties: * `"raw"`: byte\[] The decrypted password as bytes. * `"value"`: string The decrypted password as a UTF-8 string. ### More information [org.forgerock.openig.openam.CapturedUserPasswordContext](../_attachments/apidocs/org/forgerock/openig/openam/CapturedUserPasswordContext.html) ## ClientContext Information about the client sending a request. When IG receives a request, it injects information about the client sending the request into this context. ### Properties The context is named `client`, and is accessible at `${contexts.client}`. The context has the following properties: * `"certificates"`: array List of X.509 certificates presented by the client. If the client does not present any certificates, IG returns an empty list. Never `null`. * `"isExternal"`: boolean True if the client connection is external. * `"isSecure"`: boolean True if the client connection is secure. * `"localAddress"`: [string](preface.html#definition-string) The IP address of the interface that received the request. * `"localPort"`: number The port of the interface that received the request. * `"remoteAddress"`: string The IP address of the client (or the last proxy) that sent the request. * `"remotePort"`: number The source port of the client (or the last proxy) that sent the request. * `"remoteUser"`: string The login of the user making the request, or `null` if unknown. This is likely to be `null` unless you have deployed IG with a non-default deployment descriptor that secures the IG web application. * `"userAgent"`: string The value of the User-Agent HTTP header in the request if any, otherwise `null`. ### More information [org.forgerock.services.context.ClientContext](../_attachments/apidocs/org/forgerock/services/context/ClientContext.html) ## Contexts The root object for request context information. Contexts is a map of available contexts, which implement the [Context](../_attachments/apidocs/org/forgerock/services/context/Context.html) interface. The contexts map's keys are strings and the values are context objects. A context holds type-safe information useful for processing requests and responses. The `contexts` map is populated dynamically when creating bindings for evaluation of expressions and scripts. All context objects use their version of the following properties: * `"context-Name"`: string Name of the context. * `"context-ID"`: string Read-only string uniquely identifying the context object. * `"context-rootContext"`: boolean True if the context object is a RootContext (has no parent). * `"context-Parent"`: Context object Parent of this context object. ### Properties The contexts object can provide access to the following contexts for each request: * [AttributesContext](#Attributes) * [ClientContext](#Client) * [SessionContext](#Session) * [UriRouterContext](#UriRouterContext) * [TransactionIdContext](#TransactionIdContext) The contexts object can provide access to the following contexts when related filters are used: * [CapturedUserPasswordContext](#CapturedUserPasswordContext) * [CdSsoContext](#CdSsoContext) * [CdSsoFailureContext](#CdSsoFailureContext) * [JwtValidationContext](#JwtValidationContext) and [JwtValidationErrorContext](#JwtValidationErrorContext) * [JwtBuilderContext](#JwtBuilderContext) * [OAuth2Context](#OAuth2Context) * [OAuth2TokenExchangeContext](#OAuth2TokenExchangeContext) * [OAuth2FailureContext](#OAuth2FailureContext) * [PolicyDecisionContext](#PolicyDecisionContext) * [SessionInfoContext](#SessionInfoContext) * [SsoTokenContext](#SsoTokenContext) * [StsContext](#StsContext) * [UserProfileContext](#UserProfileContext) ### More information [org.forgerock.services.context.Context](../_attachments/apidocs/org/forgerock/services/context/Context.html) ## CdSsoContext Provides the cross-domain SSO properties for the CDSSO token, the user ID of the session, and the full claims set. When the [CrossDomainSingleSignOnFilter](Filters.html#CrossDomainSingleSignOnFilter) processes a request, it injects the information in this context. ### Properties The context is named `cdsso`, and is accessible at `${contexts.cdsso}`. The context has the following properties: * `"claimsSet"`: *[org.forgerock.json.jose.jwt.JwtClaimsSet](../_attachments/apidocs/org/forgerock/json/jose/jwt/JwtClaimsSet.html)* Full JwtClaimsSet for the identity of the authenticated user. Cannot be null. Access claims as follows: * Claims with a getter by using the property name. For example, access `getSubject` with `contexts.cdsso.claimsSet.subject`. * All other claims by using the `getClaim` method. For example, access `subname` with `contexts.cdsso.claimsSet.getClaim('subname')`. * `"cookieInfo"`: *[org.forgerock.openig.http.CookieBuilder](../_attachments/apidocs/org/forgerock/openig/http/CookieBuilder.html)* Configuration data for the CDSSO authentication cookie, with the following attributes: * `name`: Cookie name (string) * `domain`: (Optional) Cookie domain (string) * `path`: Cookie path (string) No attribute can be null. * `"redirectEndpoint"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* Redirect endpoint URI configured for communication with AM. Cannot be null. * `"sessionUid"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* Universal session ID. Cannot be null. * `"token"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* Value of the CDSSO token. Cannot be null. ### More information [org.forgerock.openig.openam.CdSsoContext](../_attachments/apidocs/org/forgerock/openig/openam/CdSsoContext.html) ## CdSsoFailureContext Contains the error details for any error that occurred during cross-domain SSO authentication. When the [CrossDomainSingleSignOnFilter](Filters.html#CrossDomainSingleSignOnFilter) processes a request, should an error occur that prevents authentication, the error details are captured in this context. ### Properties The context is named `cdssoFailure`, and is accessible at `${contexts.cdssoFailure}`. The context has the following properties: * `"error"`: *[string](preface.html#definition-string)* The error that occurred during authentication. Cannot be null. * `"description"`: *[string](preface.html#definition-string)* A description of the error that occurred during authentication. Cannot be null. * `"throwable"`: *Throwable* Any `Throwable` associated with the error that occured during authentication. Can be null. ### More information [org.forgerock.openig.openam.CdSsoFailureContext](../_attachments/apidocs/org/forgerock/openig/openam/CdSsoFailureContext.html) ## JwtBuilderContext When the [JwtBuilderFilter](Filters.html#JwtBuilderFilter) processes a request, it stores provided data in this context. This context returns the JWT as string, JsonValue, or map for downstream use. ### Properties The context is named `jwtBuilder`, and is accessible at `${contexts.jwtBuilder}`, with the following properties: * `"value"`: *[string](preface.html#definition-string)* The base64url encoded UTF-8 parts of the JWT, containing name-value pairs of data. Cannot be null. * `"claims"`: *[map](preface.html#definition-map)* JWT claims as a map, with the format `Map`. * `"claimsAsJsonValue"`: *[jsonvalue](preface.html#definition-jsonvalue)* JWT claims as a JsonValue. ### More information [org.forgerock.openig.filter.JwtBuilderFilter](../_attachments/apidocs/org/forgerock/openig/filter/JwtBuilderFilter.html) [org.forgerock.openig.filter.JwtBuilderContext](../_attachments/apidocs/org/forgerock/openig/filter/JwtBuilderContext.html) ## JwtValidationContext Provides the properties of a JWT after validation. When the [JwtValidationFilter](Filters.html#JwtValidationFilter) validates a JWT, or the [IdTokenValidationFilter](Filters.html#IdTokenValidationFilter) validates an id\_token, it injects a copy of the JWT and its claims into this context. ### Properties The context is named `jwtValidation`, and is accessible at `${contexts.jwtValidation}`. The context has the following properties: * `"value"`: *[string](preface.html#definition-string)* The value of the JWT. Cannot be null. * `"claims"`: *JWT claims set* A copy of the claims as a JwtClaimsSet. * `"info"`: *[map](preface.html#definition-map)* A copy of the claims as a map. * `"jwt"`: *JWT* A copy of the JWT. ### More information [org.forgerock.openig.filter.jwt.JwtValidationFilter](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationFilter.html) [org.forgerock.openig.filter.oauth2.client.IdTokenValidationFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/client/IdTokenValidationFilterHeaplet.html) [org.forgerock.openig.filter.jwt.JwtValidationContext](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationContext.html) [org.forgerock.openig.filter.jwt.JwtValidationErrorContext](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationErrorContext.html) ## JwtValidationErrorContext Provides the properties of a JWT after validation fails. When the [JwtValidationFilter](Filters.html#JwtValidationFilter) fails to validate a JWT, or the [IdTokenValidationFilter](Filters.html#IdTokenValidationFilter) fails to validate an id\_token, it injects the JWT and a list of violations into this context. ### Properties The context is named `jwtValidationError`, and is accessible at `${contexts.jwtValidationError}`. The context has the following properties: * `"jwt"`: *[string](preface.html#definition-string)* The value of the JWT. Cannot be null. * `"violations"`: *list of violations* An unmodifiable list of violations. For more information, see the [Violation](../_attachments/apidocs/org/forgerock/openig/tools/jwt/validation/Violation.html) class. ### More information [org.forgerock.openig.filter.jwt.JwtValidationFilter](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationFilter.html) [org.forgerock.openig.filter.oauth2.client.IdTokenValidationFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/client/IdTokenValidationFilterHeaplet.html) [org.forgerock.openig.filter.jwt.JwtValidationContext](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationContext.html) [org.forgerock.openig.filter.jwt.JwtValidationErrorContext](../_attachments/apidocs/org/forgerock/openig/filter/jwt/JwtValidationErrorContext.html) ## OAuth2Context Provides OAuth 2.0 access tokens. When the [OAuth2ResourceServerFilter](Filters.html#OAuth2ResourceServerFilter) processes a request, it injects the access token into this context. ### Properties The context name is `oauth2`, and is accessible at `${contexts.oauth2}`. The context has the following properties: * `"accessToken"`: AccessTokenInfo The AccessTokenInfo is built from the following properties: * `"info"`: (map\, object) Raw JSON as a map. * `"token"`: [string](preface.html#definition-string) Access token identifier issued from the authorization server. * `"scopes"`: space separated [string](preface.html#definition-string) Scopes associated to this token. * `"expiresAt"`: long Timestamp (in milliseconds since epoch) when the token expires. ### More information [org.forgerock.http.oauth2.OAuth2Context](../_attachments/apidocs/org/forgerock/http/oauth2/OAuth2Context.html) [org.forgerock.http.oauth2.AccessTokenInfo](../_attachments/apidocs/org/forgerock/http/oauth2/AccessTokenInfo.html) ## OAuth2TokenExchangeContext When the [OAuth2TokenExchangeFilter](Filters.html#OAuth2TokenExchangeFilter) succesfully issues a token, it injects the issued token and its scopes into this context. ### Properties The context name is `OAuth2TokenExchangeContext`, and is accessible at `${contexts.oauth2TokenExchange}`. The context has the following properties: * `"issuedToken"`: [string](preface.html#definition-string) The token issued by the authorization server. * `"issuedTokenType"`: [string](preface.html#definition-string) The token type URN. * `"scopes"`: set of [strings](preface.html#definition-string) One or more scopes associated with the issued token, for example, `"scope1", "scope2", "scope3"`. * `"rawInfo"`: raw JSON as a JsonValue The raw token info as issued by the authorization server. ### More information [OAuth2FailureContext](#OAuth2FailureContext) [OAuth2TokenExchangeFilter](Filters.html#OAuth2TokenExchangeFilter) [RFC 6749: Error Response](https://www.rfc-editor.org/rfc/rfc6749#section-5.2) ## OAuth2FailureContext When an OAuth 2.0 authorization operation fails, the error and error description provided by the authorization service are injected into this context for use downstream. For example, when the [OAuth2TokenExchangeFilter](Filters.html#OAuth2TokenExchangeFilter) fails to exchange a token, it injects the error and description into this context. The context is passed into calls to the `failureHandler` in the OAuth2TokenExchangeFilter. This context supports OAuth 2.0 error messages in the format given by [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2). ### Properties The context is named `OAuth2Failure`, and is accessible at `${contexts.oauth2failure}`. The context has the following properties: * `"error"`: *[string](preface.html#definition-string)* The error field name. * `"description"`: *[string](preface.html#definition-string)* Error description field name. * `"exception"`: *Exception* The OAuth 2.0 exception associated with the token exchange error. ### More information [OAuth2TokenExchangeContext](#OAuth2TokenExchangeContext) [OAuth2TokenExchangeFilter](Filters.html#OAuth2TokenExchangeFilter) [RFC 6749: Error Response](https://www.rfc-editor.org/rfc/rfc6749#section-5.2) ## PolicyDecisionContext Provides attributes and advices returned by AM policy decisions. When the [PolicyEnforcementFilter](Filters.html#PolicyEnforcementFilter) processes a request, it injects the attributes and advices into this context. ### Properties The context is named `policyDecision`, and is accessible at `${contexts.policyDecision}`. The context has the following properties: * `"attributes"`: unmodifiable map A map of attribute names to their values, provided in the policy decision. Can be empty, but not null. * `"jsonAttributes"`: JsonValue A map of attribute names to their values, provided in the policy decision. Cannot be null. * `"advices"`: [map](preface.html#definition-map) A map of advice names to their values, provided in the policy decision. Can be empty, but not null. * `"jsonAdvices"`: JsonValue A map of advice names to their values, provided in the policy decision. Cannot be null. * `"actions"`: [map](preface.html#definition-map) A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource. Can be empty, but not null. * `"jsonActions"`: JsonValue A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource. Cannot be null. * `"resource"`: [string](preface.html#definition-string) The resource value that was used when making the policy request. Can be empty, but not null. ### More information [org.forgerock.openig.openam.PolicyDecisionContext.html](../_attachments/apidocs/org/forgerock/openig/openam/PolicyDecisionContext.html) ## Request An HTTP request message. Access the content of the request by using [expressions](Expressions.html#expressions-syntax). ### Properties * `"method"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* The HTTP method; for example, `GET`. * `"uri"`: *[java.net.URI](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/URI.html)* The fully-qualified URI of the resource being accessed; for example, `http://www.example.com/resource.txt`. * `"version"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* The protocol version used for the request; for example, `HTTP/2`. * `"headers"`: *[org.forgerock.http.protocol.Headers](../_attachments/apidocs/org/forgerock/http/protocol/Headers.html)* One or more headers in the request, with the format `header_name: [ header_value, …​ ]`. The following example accesses the first value of the request header `UserId`: ```none pass:[${request.headers['UserId'][0]} ``` * `"cookies"`: *[org.forgerock.http.protocol.RequestCookies](../_attachments/apidocs/org/forgerock/http/protocol/RequestCookies.html)* Incoming request cookies, with the format `cookie_name: [ cookie_value, …​ ]`. The following example accesses the first value of the request cookie `my-jwt`: ```none pass:[${request.cookies['my-jwt'][0].value} ``` * `"entity"`: *[Entity](../_attachments/apidocs/org/forgerock/http/protocol/Entity.html)* The message body. The following example accesses the subject token from the request entity: ```none pass:[#{request.entity.form['subject_token'][0]}] ``` * `"queryParams"`: *[Form](../_attachments/apidocs/org/forgerock/http/protocol/Form.html)* Returns a copy of the query parameters decoded as a form. Modifications to the returned form are not reflected in the request. ### More information [org.forgerock.http.protocol.Request](../_attachments/apidocs/org/forgerock/http/protocol/Request.html) ## Response An HTTP response message. Access the content of the response by using [expressions](Expressions.html#expressions-syntax). ### Properties * `"cause"`: *[java.lang.Exception](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/Exception.html)* The cause of an error if the status code is in the range 4xx-5xx. Possibly null. * `"status"`: *[Status](../_attachments/apidocs/org/forgerock/http/protocol/Status.html)* The response status. * `"version"`: *[java.lang.String](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/String.html)* The protocol version used the response; for example, `HTTP/2`. * `"headers"`: *[org.forgerock.http.protocol.Headers](../_attachments/apidocs/org/forgerock/http/protocol/Headers.html)* One or more headers in the response. The following example accesses the first value of the response header `Content-Type`: ```none pass:[${response.headers['Content-Type'][0]}] ``` * `"trailers"`: *[org.forgerock.http.protocol.Headers](../_attachments/apidocs/org/forgerock/http/protocol/Headers.html)* One or more trailers in the response. The following example accesses the first value of the response trailer `Content-Length`: ```none pass:[${response.trailers['Content-Length'][0]}] ``` * `"entity"`: *[Entity](../_attachments/apidocs/org/forgerock/http/protocol/Entity.html)* The message entity body. The following example accesses the user ID from the response: ```none pass:[#{toString(response.entity.json['userId'])}] ``` ### More information [org.forgerock.http.protocol.Response](../_attachments/apidocs/org/forgerock/http/protocol/Response.html) ## SessionContext Provides access to information about stateful and stateless sessions. To process a single request, consider using [AttributesContext](#Attributes) to transfer transient state between components and prevent IG from creating additional sessions. IG automatically provides access to the `session` field through the `session` bindings in expressions. For example, to access a username with an expression, use `${session.username}` instead of `${contexts.session.session.username}` ### Properties The context is named `session`, and is accessible at `${contexts.session}`. The context has the following properties: * `"session"`: [map](preface.html#definition-map) A map of attributes that are name-value pairs of the format `Map`. Any object type can be stored in the session. ### More information [org.forgerock.http.session.SessionContext](../_attachments/apidocs/org/forgerock/http/session/SessionContext.html) ## SessionInfoContext Provides AM session information and properties. When the [SessionInfoFilter](Filters.html#SessionInfoFilter) processes a request, it injects info and properties from the AM session into this context. ### Properties The context is named `amSession`, and is accessible at `${contexts.amSession}`. The context has the following properties: * `"asJsonValue()"`: JsonValue Raw JSON. * `"latestAccessTime"`: [instant](preface.html#definition-instant) The timestamp of when the session was last used. Can be null if the DN is not resident on the SSO token, or if the time cannot be obtained from the session. * `"maxIdleExpirationTime"`: [instant](preface.html#definition-instant) The timestamp of when the session would time out for inactivity. Can be null if the DN is not resident on the SSO token, or if the time cannot be obtained from the session. * `"maxSessionExpirationTime"`: [instant](preface.html#definition-instant) The timestamp of when the session would time out regardless of activity. Can be null if the DN is not resident on the SSO token, or if the time cannot be obtained from the session. * `"properties"`: [map](preface.html#definition-map) The read-only map of properties bound to the session. Can be empty, but not null. The following properties are retrieved: * When `sessionProperties` in AmService is configured, listed session properties with a value. * When `sessionProperties` in AmService is not configured, all session properties with a value. * Properties with a value that are required by IG but not specified by `sessionProperties` in AmService. For example, when the session cache is enabled, session properties related to the cache are automatically retrieved. Properties with a value are returned, properties with a null value are not returned * `"realm"`: [string](preface.html#definition-string) The realm as specified by AM, in a user-friendly slash (/) separated format. Can be null if the DN is not resident on the SSO token. * `"sessionHandle"`: [string](preface.html#definition-string) The handle to use for logging out of the session. Can be null if the handle is not available for the session. * `"universalId"`: [string](preface.html#definition-string) The DN that AM uses to uniquely identify the user. Can be null if it cannot be obtained from the SSO token. * `"username"`: [string](preface.html#definition-string) A user-friendly version of the username. Can be null if the DN is not resident on the SSO token, or empty if it cannot be obtained from the DN. ### More information [org.forgerock.openig.openam.SessionInfoContext](../_attachments/apidocs/org/forgerock/openig/openam/SessionInfoContext.html) ## SsoTokenContext Provides SSO tokens and their validation information. When the [SingleSignOnFilter](Filters.html#SingleSignOnFilter) or [CrossDomainSingleSignOnFilter](Filters.html#CrossDomainSingleSignOnFilter) processes a request, it injects the value of the SSO token and additional information in this context. ### Properties The context is named `ssoToken`, and is accessible at `${contexts.ssoToken}`. The context has the following properties: * `"info"`: [map](preface.html#definition-map) Information associated with the SSO token, such as `realm` or `uid`. Cannot be null. * `"loginEndpoint"`: url URL for the login endpoint, evaluated from the configuration of SingleSignOnFilter. * `"value"`: string The value of the SSO token. Cannot be null. ### More information [org.forgerock.openig.openam.SsoTokenContext](../_attachments/apidocs/org/forgerock/openig/openam/SsoTokenContext.html) ## Status An HTTP response status. ### Properties * `"code"`: *integer* Three-digit integer reflecting the HTTP status code. * `"family"`: *[enumeration](preface.html#definition-enumeration)* Family Enum value representing the class of response that corresponds to the code: * `Family.INFORMATIONAL` Status code reflects a provisional, informational response: 1xx. * `Family.SUCCESSFUL` The server received, understood, accepted and processed the request successfully. Status code: 2xx. * `Family.REDIRECTION` Status code indicates that the client must take additional action to complete the request: 3xx. * `Family.CLIENT_ERROR` Status code reflects a client error: 4xx. * `Family.SERVER_ERROR` Status code indicates a server-side error: 5xx. * `Family.UNKNOWN` Status code does not belong to one of the known families: 600+. * `"reasonPhrase"`: *[string](preface.html#definition-string)* The human-readable reason-phrase corresponding to the status code. * `"isClientError"`: *[boolean](preface.html#definition-boolean)* True if Family.CLIENT\_ERROR. * `"isInformational"`: *[boolean](preface.html#definition-boolean)* True if Family.INFORMATIONAL. * `"isRedirection"`: *[boolean](preface.html#definition-boolean)* True if Family.REDIRECTION. * `"isServerError"`: *[boolean](preface.html#definition-boolean)* True if Family.SERVER\_ERROR. * `"isSuccessful"`: *[boolean](preface.html#definition-boolean)* True if Family.SUCCESSFUL. ### More information [Response Status Codes](https://datatracker.ietf.org/doc/html/rfc7231#section-6). [org.forgerock.http.protocol.Status](../_attachments/apidocs/org/forgerock/http/protocol/Status.html) ## StsContext Provides the result of a token transformation. When the [TokenTransformationFilter](Filters.html#TokenTransformationFilter) processes a request, it injects the result into this context. ### Properties The context is named `sts`, and is accessible at `${contexts.sts}`. The context has the following properties: * `"issuedToken"`: [string](preface.html#definition-string) The result of the token transformation. ### More information [org.forgerock.openig.openam.StsContext](../_attachments/apidocs/org/forgerock/openig/openam/StsContext.html) ## TransactionIdContext The transaction ID of a request. When IG receives a request, it injects the transaction ID into this context. ### Properties The context is named `transactionId`, and is accessible at `${contexts.transactionId}`. The context has the following properties: * `"transactionId"`: TransactionId The ID of the transaction. ### More information [org.forgerock.services.TransactionIdContext](../_attachments/apidocs/org/forgerock/services/TransactionId.html) [org.forgerock.services.context.TransactionIdContext](../_attachments/apidocs/org/forgerock/services/context/TransactionIdContext.html) ## URI Represents a Uniform Resource Identifier (URI) reference. ### Properties * `"scheme"`: *[string](preface.html#definition-string)* The scheme component of the URI, or `null` if the scheme is undefined. * `"authority"`: *[string](preface.html#definition-string)* The decoded authority component of the URI, or `null` if the authority is undefined. Use "rawAuthority" to access the raw (encoded) component. * `"userInfo"`: *[string](preface.html#definition-string)* The decoded user-information component of the URI, or `null` if the user information is undefined. Use "rawUserInfo" to access the raw (encoded) component. * `"host"`: *[string](preface.html#definition-string)* The host component of the URI, or `null` if the host is undefined. * `"port"`: *[number](preface.html#definition-number)* The port component of the URI, or `null` if the port is undefined. * `"path"`: *[string](preface.html#definition-string)* The decoded path component of the URI, or `null` if the path is undefined. Use "rawPath" to access the raw (encoded) component. * `"query"`: *[string](preface.html#definition-string)* The decoded query component of the URI, or `null` if the query is undefined. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The query key and value is decoded. However, because a query value can be encoded more than once in a redirect chain, even though it is decoded it can contain unsafe ASCII characters. | Use "rawQuery" to access the raw (encoded) component. * `"fragment"`: *[string](preface.html#definition-string)* The decoded fragment component of the URI, or `null` if the fragment is undefined. Use "rawFragment" to access the raw (encoded) component. ### More information [org.forgerock.http.MutableUri](../_attachments/apidocs/org/forgerock/http/MutableUri.html) ## UriRouterContext Provides routing information associated with a request. When IG routes a request, it injects information about the routing into this context. ### Properties The context is named `router`, and is accessible at `${contexts.router}`. The context has the following properties: * `"baseUri"`: [string](preface.html#definition-string) The portion of the request URI which has been routed so far. * `"matchedUri"`: [string](preface.html#definition-string) The portion of the request URI that matched the URI template. * `"originalUri"`: [url](preface.html#definition-url) The original target [URI](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/URI.html) for the request, as received by the web container. The value of this field is read-only. * `"remainingUri"`: [string](preface.html#definition-string) The portion of the request URI that is remaining to be matched. * `"uriTemplateVariables"`: [map](preface.html#definition-map) An unmodifiable map, where the keys and values are strings. The map contains the parsed URI template variables keyed on the URI template variable name. ### More information [org.forgerock.http.routing.UriRouterContext](../_attachments/apidocs/org/forgerock/http/routing/UriRouterContext.html) ## UserProfileContext When the [UserProfileFilter](Filters.html#UserProfileFilter) processes a request, it injects the user profile information into this context. This context provides raw JSON representation, and convenience accessors that map commonly used LDAP field names to a context names. ### Properties The context is named `userProfile`, and is accessible at `${contexts.userProfile}`. The context has the following properties: * `"username"`: [string](preface.html#definition-string) User-friendly version of the username. This field is always fetched. If the underlying data store doesn't include `username`, this field is null. Example of use: `${contexts.userProfile.username}` * `"realm"`: [string](preface.html#definition-string) Realm as specified by AM, in a user-friendly slash (/) separated format. Can be null. Example of use: `${contexts.userProfile.realm}` * `"distinguishedName"`: [string](preface.html#definition-string) Distinguished name of the user. Can be null. Example of use: `${contexts.userProfile.distinguishedName}` * `"commonName"`: [string](preface.html#definition-string) Common name of the user. Can be null. Example of use: `${contexts.userProfile.commonName}` * `"rawInfo"`: (map\, object) Unmodifiable map of the user profile information. This context contains the object structure of the AM user profile. Any individual field can be retrieved from the map. Depending on the requested fields, the context can be empty or values can be null. Examples of use: `${contexts.userProfile.rawInfo}`, `${contexts.userProfile.rawInfo.username}`, `${contexts.userProfile.rawInfo.employeeNumber[0]}`. * `"asJsonValue()"`: JsonValue Raw JSON of the user profile information. Example of use: `${contexts.userProfile.asJsonValue()}` ### More information [org.forgerock.openig.openam.UserProfileContext](../_attachments/apidocs/org/forgerock/openig/openam/UserProfileContext.html) [UserProfileFilter](Filters.html#UserProfileFilter)