Chapter 1. Security Context
The Security Context combines the Authentication, Authorization, Mapping and Auditing aspects of a security-conscious system. The following code is an example interface for the Security Context (
SecurityContext
):
package org.jboss.security;
* Encapsulation of Authentication, Authorization, Mapping and other
* security aspects at the level of a security domain
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
public interface SecurityContext extends Serializable,Cloneable
* Authentication Manager for the security domain
public AuthenticationManager getAuthenticationManager();
* Authorization Manager for the security domain
public AuthorizationManager getAuthorizationManager();
* Mapping manager configured with providers
public MappingManager getMappingManager();
* AuditManager configured for the security domain
public AuditManager getAuditManager();
* Context Map
public Map<String,Object> getData();
* Return the Security Domain
public String getSecurityDomain();
* Subject Info
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
SubjectInfo getSubjectInfo();
* Subject Info
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
void setSubjectInfo(SubjectInfo si);
* RunAs Representation
* @see #setRunAs(RunAs)
public RunAs getRunAs();
* Set the current RunAs for the security context that will be
* propagated out to other security context.
* RunAs coming into this security context needs to be done
* from SecurityContextUtil.getCallerRunAs/setCallerRunAs
* @see SecurityContextUtil#getCallerRunAs()
* @see SecurityContextUtil#setCallerRunAs(RunAs)
* @param runAs
public void setRunAs(RunAs runAs);
* Return a utility that is a facade to the internal
* storage mechanism of the Security Context
* This utility can be used to store information like
* roles etc in an implementation specific way
* @return
public SecurityContextUtil getUtil();
The SecurityUtil is associated with the SecurityContext. It provides some utility methods to shield the details of any vendor implementation of the SecurityContext from the implementation. The following code is an example of the SecurityUtil abstract class:
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
* General Utility methods for dealing with the SecurityContext
public abstract class SecurityContextUtil
protected SecurityContext securityContext = null;
public void setSecurityContext(SecurityContext sc)
this.securityContext = sc;
* Get the username from the security context
* @return username
public abstract String getUserName();
* Get the user principal the security context
* @return user principal
public abstract Principal getUserPrincipal();
* Get the credential
* @return
public abstract Object getCredential();
* Get the subject the security context
* @return
public abstract Subject getSubject();
* Get the RunAs that was passed into the current security context
* The security context RunAs is the RunAs that will be propagated out of it
* @return
public abstract RunAs getCallerRunAs();
* Set the Caller RunAs in the security context
* Security Context implementations are free to store
* the caller runas in any manner
* @param runAs
public abstract void setCallerRunAs(RunAs runAs);
* Get a holder of subject, runAs and caller RunAs
* @return
public abstract SecurityIdentity getSecurityIdentity();
* Inject subject, runAs and callerRunAs into the security context
* Mainly used by integration code base to cache the security identity
* and put back to the security context
* @param si The SecurityIdentity Object
public abstract void setSecurityIdentity(SecurityIdentity si);
* Get the Roles associated with the user for the
* current security context
* @param <T>
* @return
public abstract <T> T getRoles();
* Set the roles for the user for the current security context
* @param <T>
* @param roles
public abstract <T> void setRoles(T roles);
* Create SubjectInfo and set it in the current security context
* @param principal
* @param credential
* @param subject
public void createSubjectInfo(Principal principal, Object credential,Subject subject)
SubjectInfo si = new SubjectInfo(principal, credential, subject);
this.securityContext.setSubjectInfo(si);
* Set an object on the Security Context
* The context implementation may place the object in its internal
* data structures (like the Data Map)
* @param <T> Generic Type
* @param sc Security Context Object
* @param key Key representing the object being set
* @param obj
public abstract <T> void set(String key, T obj);
* Return an object from the Security Context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return
public abstract <T> T get(String key);
* Remove an object represented by the key from the security context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return the removed object
public abstract <T> T remove(String key);
The SecurityContextUtil provides methods that retrieve the user principal and credential, handle the RunAs operation and allow you to use the SecurityContext to store objects by using key pairs.
The SecurityContextUtil also uses a SecurityIdentity component, which represents the identity of the agent that is interfacing with the security system. It contains the subject and several run-as options, such as RunAs and CallerRunAs:
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
//$Id$
* Represents an Identity of an agent interacting with the
* security service. It can be an user or a process. It
* consists of a subject and various run-as
public class SecurityIdentity
SubjectInfo theSubject = null;
RunAs runAs = null;
RunAs callerRunAs = null;
public SecurityIdentity(SubjectInfo subject, RunAs runAs, RunAs callerRunAs)
this.theSubject = subject;
this.runAs = runAs;
this.callerRunAs = callerRunAs;
public Principal getPrincipal()
return theSubject != null ? theSubject.getAuthenticationPrincipal() : null;
public Object getCredential()
return theSubject != null ? theSubject.getAuthenticationCredential(): null;
public Subject getSubject()
return theSubject != null ? theSubject.getAuthenticatedSubject() : null;
public RunAs getRunAs()
return runAs;
public RunAs getCallerRunAs()
return callerRunAs;
RunAs differs from CallerRunAs in that it represents the run-as that is leaving the current context. The CallerRunAs represents the run-as method that is entering the security context. The folllowing is a RunAs interface: