The SecurityContext API

As we mentioned earlier, the SecurityContext API provides programmatic security. The IdentityStore and authentication mechanisms work like declarative means of handling security, whereas the SecurityContext API is geared toward programmatic control over the authentication and authorization mechanisms in the application. This new SecurityContext interface unifies many different security APIs that were scattered across individual Java EE technology specifications.

The SecurityContext object represents all security information that has been gathered on the user who made the current request. An implementation of the SecurityContext API should be provided at runtime as a CDI-managed bean. We can inject SecurityContext into our application code via CDI as follows:

    @Inject
    lateinit var securityContext: SecurityContext

At this point, we can authenticate the user, check the user's role/group membership, and grant or deny access to the resource. We can then use this context object in our code to make security decisions. The SecurityContext interface declares five methods:

    public interface SecurityContext {
        Principal getCallerPrincipal();

        <T extends Principal> Set<T> getPrincipalsByType(Class<T> type);

        boolean isCallerInRole(String role);

        boolean hasAccessToWebResource(String resource, String... methods);

        AuthenticationStatus authenticate(
            HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse,
            AuthenticationParameters authParameters);
    }

Let's look at what these methods do:

  • The first method is getCallerPrincipal(). When invoked, this method returns the Principal object that represents the current user who issued the request.
  • Implementations of the security API can also provide their own specialized Principal types. To get the principal object of such a type, we call getPrincipalsByType() and pass in the desired type.
  • The isCallerInRole() method can be used to check whether the user of the current request is in a given role.
  • The hasAccessToWebResource() method is used to check whether the user has permission to access a resource residing on the server side.
  • The authenticate() method triggers re-authentication for the user in the current request scope.

In applications, we will mostly be using the getCallerPrincipal() and isCallerInRole() methods.

We can also use the SecurityContext.getCallerPrincipal() method in place of the old HttpServletRequest.getUserPrincipal() and EJBContext.getCallerPrincipal() methods.
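
The following is an added example, not code from the book, showing these methods used together for a deny-by-default decision inside a JAX-RS resource. The class name, the URL paths, the "auditor" role and the ownership rule are assumptions made for illustration.

```kotlin
import javax.enterprise.context.RequestScoped
import javax.inject.Inject
import javax.security.enterprise.SecurityContext
import javax.ws.rs.GET
import javax.ws.rs.Path
import javax.ws.rs.PathParam
import javax.ws.rs.Produces
import javax.ws.rs.core.MediaType
import javax.ws.rs.core.Response

// Hypothetical resource: paths, role name and ownership rule are assumptions.
// The class and method are open so that CDI can create a scoped proxy.
@Path("/accounts")
@RequestScoped
open class AccountResource {

    // javax.security.enterprise.SecurityContext, not the JAX-RS type
    // javax.ws.rs.core.SecurityContext that shares the simple name.
    @Inject
    lateinit var securityContext: SecurityContext

    @GET
    @Path("/{owner}")
    @Produces(MediaType.TEXT_PLAIN)
    open fun statement(@PathParam("owner") owner: String): Response {
        // getCallerPrincipal() returns null when the caller is not authenticated.
        val caller = securityContext.callerPrincipal
            ?: return Response.status(Response.Status.UNAUTHORIZED).build()

        // Deny by default: only the account owner or an auditor may read it.
        val allowed = caller.name == owner ||
            securityContext.isCallerInRole("auditor")
        if (!allowed) {
            return Response.status(Response.Status.FORBIDDEN).build()
        }

        // Ask the container whether its declared constraints would let this
        // caller GET another protected URL before offering it in the response.
        val canExport =
            securityContext.hasAccessToWebResource("/reports/export", "GET")

        return Response.ok("export available: $canExport").build()
    }
}
```

The null check comes first because comparing the caller's name or role without it would treat an unauthenticated request as just another caller that fails the role test, returning 403 where 401 is the correct signal.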

This is an overview of the Security 1.0 API. The very first version of the specification has standardized the security model in Java EE and is packed with the powerful features required for modern enterprise applications. Next, we will demonstrate securing the resources using IdentityStore and AuthenticationMechanism.
