
Oracle Fusion Middleware Management Java API Reference for Oracle Entitlements Server
11g Release 2 (11.1.2)

E54416-01


oracle.security.jps.runtime
Class AppSecurityContext

java.lang.Object
  extended by oracle.security.jps.runtime.AppSecurityContext


public abstract class AppSecurityContext
extends java.lang.Object

This class defines the application security context, which carries application security attributes for OPSS policy providers and other security services. Examples of security attributes include the application ID and the identity context. Policy providers use the application ID in the application security context to make authorization decisions and to perform application policy provisioning tasks. Applications and components can retrieve the identity context from the application security context to access identity claims.

This class provides a thread-scoped API for accessing application security attributes. The thread-scoped API uses a thread-local variable holding an AppSecurityContext instance to encapsulate the application security attributes, e.g. application ID and identity context ID.

AppSecurityContext supports two modes for setting and getting the application ID: the new "AppSecurityContext" mode and the "PolicyContext" mode. The "PolicyContext" mode provides backward compatibility by setting and getting the context ID through JACC PolicyContext; the "AppSecurityContext" mode creates a new thread-scoped variable to store the application ID. This class checks the system property "oracle.security.jps.appsecuritycontext.appsecuritycontextmode" to decide which mode to use for setting and getting the application ID. If this system property is not set or is set to false, "PolicyContext" mode is enabled. Otherwise, "AppSecurityContext" mode is enabled.

Callers of the AppSecurityContext.setApplicationID method must have a codebase permission grant of JpsPermission("AppSecurityContext.setApplicationID.<app ID>").

It is recommended practice to always reset the policy context immediately once it is no longer required. Follow a call to setApplicationID with a try block, most typically in a before/after construction such as:

 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import oracle.security.jps.runtime.AppSecurityContext;

 class X {

    // Sets the application ID inside an AccessController.doPrivileged block.
    // The calling code must be granted the appropriate permission.
    private static void setApplicationID(final String applicationID) {
       AccessController.doPrivileged(new PrivilegedAction<Void>() {
         public Void run() {
           AppSecurityContext.setApplicationID(applicationID);
           return null;
         }
       });
    }

    public void m() {
      String newCtx = "newAppID"; // new context to set (placeholder value)
      String oldCtx = AppSecurityContext.getApplicationID(); // remember old context
      boolean resetCtx = false;
      // optimize - if new context is the same as the current, no need to set it.
      if (oldCtx != null && !oldCtx.equalsIgnoreCase(newCtx)) {
          setApplicationID(newCtx);
          resetCtx = true;
      } else if (oldCtx == null && newCtx != null) {
          // use the privileged helper here as well
          setApplicationID(newCtx);
          resetCtx = true;
      }
      try {
        // ... method body
      } finally {
        // restore the context
        if (resetCtx) setApplicationID(oldCtx);
      }
    }
 }
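
The reset matters most on pooled threads, where a thread-scoped application ID outlives the task that set it and is seen by the next task on the same worker. The following is an added example, not part of the Oracle documentation or the OPSS code base: it uses a plain `ThreadLocal` as a stand-in for the thread-scoped application ID (an assumption, so it runs without the OPSS libraries), and `AppIdLeakDemo`, `AppIdScope` and `idSeenByNextTask` are hypothetical names.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class AppIdLeakDemo {
    // Stand-in for the thread-scoped application ID (an assumption, NOT the OPSS class).
    private static final ThreadLocal<String> APP_ID = new ThreadLocal<>();

    // Hypothetical helper: sets the ID and restores the previous one on close().
    static final class AppIdScope implements AutoCloseable {
        private final String previous = APP_ID.get();
        AppIdScope(String appId) { APP_ID.set(appId); }
        @Override public void close() { APP_ID.set(previous); }
    }

    // Runs 'task' on the pool, then returns the ID that the next task observes.
    static String idSeenByNextTask(ExecutorService pool, Runnable task) throws Exception {
        pool.submit(task).get();
        Callable<String> readId = APP_ID::get;
        return pool.submit(readId).get();
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread, so every task shares one thread-local slot.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // No reset: the ID set by the first task is still there for the second.
            String leaked = idSeenByNextTask(pool, () -> APP_ID.set("appA"));
            System.out.println("without reset, next task sees: " + leaked);

            // Clean the worker thread before the second run.
            Runnable clear = APP_ID::remove;
            pool.submit(clear).get();

            // Reset on exit: try-with-resources restores the previous (empty) ID.
            String restored = idSeenByNextTask(pool, () -> {
                try (AppIdScope scope = new AppIdScope("appA")) {
                    // ... work that needs application ID "appA"
                }
            });
            System.out.println("with reset, next task sees: " + restored);
        } finally {
            pool.shutdown();
        }
    }
}
```

In a real deployment the scope's constructor and `close()` would call the privileged `setApplicationID` wrapper shown above, so authorization decisions on a reused thread are never evaluated against a previous task's application ID.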
 

Method Summary
static java.lang.String getApplicationID()
          Gets application ID from thread-scoped variables.
abstract  java.lang.Object getAttribute(java.lang.String attributeName)
          Gets the security attribute object given its name.
static AppSecurityContext getSecurityContext()
          Gets the instance of AppSecurityContext.
static ServiceContext getTenantContext()
          Gets the current tenant context.
static UserSecurityContext getUserSecurityContext()
          Gets the current user security context.
static void setApplicationID(java.lang.String applicationID)
          Sets application ID in thread-scoped variables.
static void setAppSecCtxtMode(boolean appSecCtxtMode)
          Sets the application security context mode to enable or disable "AppSecurityContext" mode.

 

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

 

Method Detail

setAppSecCtxtMode

public static void setAppSecCtxtMode(boolean appSecCtxtMode)
Sets the application security context mode to enable or disable "AppSecurityContext" mode.
Parameters:
appSecCtxtMode - set to true to enable "AppSecurityContext" mode, false to disable this mode

setApplicationID

public static void setApplicationID(java.lang.String applicationID)
Sets application ID in thread-scoped variables.

Callers must have a codebase permission grant of JpsPermission("AppSecurityContext.setApplicationID.<app ID>") to invoke this method.

When PolicyContext mode is enabled and a security manager is turned on, PolicyContext requires callers to have a permission grant of SecurityPermission("setPolicy").

Parameters:
applicationID -

getApplicationID

public static java.lang.String getApplicationID()
Gets application ID from thread-scoped variables.

When PolicyContext mode is enabled and a security manager is set, PolicyContext requires callers to have a permission grant of SecurityPermission("getPolicy").

Returns:
the application ID.

getSecurityContext

public static AppSecurityContext getSecurityContext()
Gets the instance of AppSecurityContext.
Returns:
the instance of AppSecurityContext

getTenantContext

public static ServiceContext getTenantContext()
                                       throws JpsException
Gets the current tenant context.
Returns:
the tenant context.
Throws:
JpsException - if the tenant context cannot be created.

getUserSecurityContext

public static UserSecurityContext getUserSecurityContext()
Gets the current user security context.
Returns:
the current UserSecurityContext.

getAttribute

public abstract java.lang.Object getAttribute(java.lang.String attributeName)
Gets the security attribute object given its name.
Parameters:
attributeName - the security attribute name
Returns:
the specified attribute object


Copyright © 2011, 2015, Oracle and/or its affiliates. All rights reserved.