org.forgerock.services.context

Class SecurityContext

java.lang.Object

org.forgerock.services.context.AbstractContext

org.forgerock.services.context.SecurityContext

All Implemented Interfaces:

Context

public final class SecurityContext
extends AbstractContext

A Context containing information about the client performing the request which may be used when performing authorization decisions. A security context will typically be created for each REST request and comprises of two fields:

• an authentication ID which is the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used when performing authorization decisions.
• an authorization ID which is a map containing additional principals associated with the client and which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN).

The following code illustrates how an application may obtain the realm associated with a user:

 Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
 

 {
   "id"     : "56f0fb7e-3837-464d-b9ec-9d3b6af665c3",
   "class"  : "org.forgerock.services.context.SecurityContext",
   "parent" : {
       ...
   },
   "authenticationId" : "bjensen@example.com",
   "authorization" : {
       "id"        : "1230fb7e-f83b-464d-19ef-789b6af66456",
       "component" : "users",
       "roles"     : [
           "administrators"
       ],
       "dn"        : "cn=bjensen,ou=people,dc=example,dc=com"
   }
 }
 

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHZID_COMPONENT The authorization ID name reserved for the name of the component in which a user's resource is located, e.g.
static String	AUTHZID_DN The authorization ID name reserved for the user's LDAP distinguished name.
static String	AUTHZID_ID The authorization ID principal name reserved for a user's unique identifier.
static String	AUTHZID_REALM The authorization ID name reserved for a user's realm.
static String	AUTHZID_ROLES The authorization ID name reserved for the array of roles associated with the user.

Fields inherited from class org.forgerock.services.context.AbstractContext

data

Constructor Summary

Constructors

Constructor and Description
SecurityContext(Context parent, String authenticationId, Map<String,Object> authorization) Creates a new security context having the provided parent and an ID automatically generated using UUID.randomUUID().
SecurityContext(JsonValue savedContext, ClassLoader classLoader) Restore from JSON representation.
SecurityContext(String id, Context parent, String authenticationId, Map<String,Object> authorization) Creates a new security context having the provided ID, and parent.

Method Summary

Modifier and Type	Method and Description
String	getAuthenticationId() Returns the principal that the client used during authentication.
Map<String,Object>	getAuthorization() Returns an unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions.

Methods inherited from class org.forgerock.services.context.AbstractContext

asContext, containsContext, containsContext, getContext, getContextName, getId, getParent, getRootId, isRootContext, toJsonValue, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

AUTHZID_COMPONENT

public static final String AUTHZID_COMPONENT

The authorization ID name reserved for the name of the component in which a user's resource is located, e.g. "users".

See Also:

Constant Field Values

AUTHZID_DN

public static final String AUTHZID_DN

The authorization ID name reserved for the user's LDAP distinguished name.

See Also:

Constant Field Values

AUTHZID_ID

public static final String AUTHZID_ID

The authorization ID principal name reserved for a user's unique identifier.

See Also:

Constant Field Values

AUTHZID_REALM

public static final String AUTHZID_REALM

The authorization ID name reserved for a user's realm.

See Also:

Constant Field Values

AUTHZID_ROLES

public static final String AUTHZID_ROLES

The authorization ID name reserved for the array of roles associated with the user.

See Also:

Constant Field Values

Constructor Detail

SecurityContext

public SecurityContext(Context parent,
                       String authenticationId,
                       Map<String,Object> authorization)

Creates a new security context having the provided parent and an ID automatically generated using UUID.randomUUID().

Parameters:

parent - The parent context.

authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.

authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

SecurityContext

public SecurityContext(String id,
                       Context parent,
                       String authenticationId,
                       Map<String,Object> authorization)

Creates a new security context having the provided ID, and parent.

Parameters:

id - The context ID.

parent - The parent context.

authenticationId - The authentication ID that the user provided during authentication, which may be null or empty indicating that the client is unauthenticated.

authorization - The authorization information which should be used for authorizing requests may by the user, which may be null or empty indicating that the client is is to be treated as an anonymous user when performing authorization decisions. The provided map will be copied defensively and must only contain values which can be serialized as JSON values.

SecurityContext

public SecurityContext(JsonValue savedContext,
                       ClassLoader classLoader)

Restore from JSON representation.

Parameters:

savedContext - The JSON representation from which this context's attributes should be parsed.

classLoader - The ClassLoader which can properly resolve the persisted class-name.

Method Detail

getAuthenticationId

public String getAuthenticationId()

Returns the principal that the client used during authentication. This might be a user name, an email address, etc. The authentication ID may be used for logging or auditing but SHOULD NOT be used for authorization decisions.

Returns:

The principal that the client used during authentication, which may be empty (but never null) indicating that the client is unauthenticated.

getAuthorization

public Map<String,Object> getAuthorization()

Returns an unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. Examples of principals include a unique identifier for the user, roles, or an LDAP distinguished name (DN). The following code illustrates how an application may obtain the realm associated with a user:

 Context context = ...;
 String realm = (String) context.asContext(SecurityContext.class).getAuthorization(AUTHZID_REALM);
 

Returns:

An unmodifiable map containing additional principals associated with the client which MAY be used when performing authorization decisions. The returned map may be empty (but never null) indicating that the client is is to be treated as an anonymous user.