The system passes around user identity information in a user object. This object is similar to a wallet and can contain more than one identity, just as a wallet can contain a driver’s license, credit card, and ATM card. Identities are accumulated over the course of a session as a user becomes identified with various security systems.

A management interface, atg.security.ThreadSecurityManager, ties a user object to a particular thread and temporarily assigns user objects to a thread. In this way, identity is associated with an execution context. The Oracle Commerce Platform’s request handling pipeline automatically associates the session’s User object with the request thread, so calling the ThreadSecurityManager.currentUser() returns the user for the current session.