Package javax.security.jacc

Class PolicyContext

  • public final class PolicyContext
extends java.lang.Object

    This utility class is used by containers to communicate policy context identifiers and other policy relevant context to Policy providers. Policy providers use the policy context identifier to select the subset of policy to apply in access decisions.

    The value of a policy context identifier is a String and each thread has an independently established policy context identifier. A container will establish the thread-scoped value of a policy context identifier by calling the static setContextID method. The value of a thread-scoped policy context identifier is available (to Policy) by calling the static getContextID method.

    This class is also used by Policy providers to request additional thread-scoped policy relevant context objects from the calling container. Containers register container-specific PolicyContext handlers using the static registerHandler method. Handler registration is scoped to the class, such that the same handler registrations are active in all thread contexts. Containers may use the static method setHandlerData to establish a thread-scoped parameter that will be passed to handlers when they are activated by Policy providers. The static getContext method is used to activate a handler and obtain the corresponding context object.

    The static accessor functions provided by this class allow per-thread policy context values to be established and communicated independent of a common reference to a particular PolicyContext instance.

    The PolicyContext class may encapsulate static ThreadLocal instance variables to represent the policy context identifier and handler data values.

    The Application server must bundle or install the PolicyContext class, and the containers of the application server must prevent the methods of the PolicyContext class from being called from calling contexts that are not authorized to call these methods. With the exception of the getContextID and getHandlerKeys methods, containers must restrict and afford access to the methods of the PolicyContext class to calling contexts trusted by the container to perform container access decisions. The PolicyContext class may satisfy this requirement (on behalf of its container) by rejecting calls made from an AccessControlContext that has not been granted the "setPolicy" SecurityPermission, and by ensuring that Policy providers used to perform container access decisions are granted the "setPolicy" permission.

    See Also:
    PolicyContextHandler

    • Field Summary

      Fields 
      Modifier and Type Field Description
      private static java.lang.ThreadLocal<java.lang.String> contextIDLocal  
      private static java.security.SecurityPermission getPolicy  
      private static java.lang.ThreadLocal<java.lang.Object> handlerDataLocal  
      private static java.util.Map<java.lang.String,​PolicyContextHandler> handlerMap  
      private static java.security.SecurityPermission setPolicy  

    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private PolicyContext()
      Private constructor.

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static java.lang.Object getContext​(java.lang.String key)
      This method may be used by a Policy provider to activate the PolicyContextHandler registered to the context object key and cause it to return the corresponding policy context object from the container.
      static java.lang.String getContextID()
      This static method returns the value of the policy context identifier associated with the thread on which the accessor is called.
      static java.util.Set getHandlerKeys()
      This method may be used to obtain the keys that identify the container specific context handlers registered by the container.
      static void registerHandler​(java.lang.String key, PolicyContextHandler handler, boolean replace)
      Authorization protected method used to register a container specific PolicyContext handler.
      static void setContextID​(java.lang.String contextID)
      Authorization protected method used to modify the value of the policy context identifier associated with the thread on which this method is called.
      static void setHandlerData​(java.lang.Object data)
      Authorization protected method that may be used to associate a thread-scoped handler data object with the PolicyContext.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • setPolicy

        private static java.security.SecurityPermission setPolicy

      • getPolicy

        private static java.security.SecurityPermission getPolicy

      • handlerDataLocal

        private static java.lang.ThreadLocal<java.lang.Object> handlerDataLocal

      • contextIDLocal

        private static java.lang.ThreadLocal<java.lang.String> contextIDLocal

    • Constructor Detail

      • PolicyContext

        private PolicyContext()

        Private constructor.

    • Method Detail

      • getContext

        public static java.lang.Object getContext​(java.lang.String key)
                                   throws PolicyContextException

        This method may be used by a Policy provider to activate the PolicyContextHandler registered to the context object key and cause it to return the corresponding policy context object from the container. When this method activates a handler, it passes to the handler the context object key and the handler data associated with the calling thread.

        Parameters:
        key - - a String that identifies the PolicyContextHandler to activate and the context object to be acquired from the handler. The value of this parameter must not be null.
        Returns:
        the container and handler specific object containing the desired context. A null value is returned if the corresponding handler has been registered, and the value of the corresponding context is null.
        Throws:
        java.lang.IllegalArgumentException - - if a PolicyContextHandler has not been registered for the key or the registered handler no longer supports the key.
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method.
        PolicyContextException - - if an operation by this method on the identified PolicyContextHandler causes it to throw a checked exception that is not accounted for in the signature of this method.

      • getContextID

        public static java.lang.String getContextID()

        This static method returns the value of the policy context identifier associated with the thread on which the accessor is called.

        Returns:
        The String (or null) policy context identifier established for the thread. This method must return the default policy context identifier, null, if the policy context identifier of the thread has not been set via setContext to another value.
        Throws:
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method. Containers may choose to authorize calls to this method by any AccessControlContext.

      • getHandlerKeys

        public static java.util.Set getHandlerKeys()

        This method may be used to obtain the keys that identify the container specific context handlers registered by the container.

        Returns:
        A Set, the elements of which, are the String key values that identify the handlers that have been registered and therefore may be activated on the PolicyContext.
        Throws:
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method. Containers may choose to authorize calls to this methods by any AccessControlContext.

      • registerHandler

        public static void registerHandler​(java.lang.String key,
                                   PolicyContextHandler handler,
                                   boolean replace)
                            throws PolicyContextException

        Authorization protected method used to register a container specific PolicyContext handler. A handler may be registered to handle multiple keys, but at any time, at most one handler may be registered for a key.

        Parameters:
        key - - a (case-sensitive) String that identifies the context object handled by the handler. The value of this parameter must not be null.
        handler - - an object that implements the PolicyContextHandler interface. The value of this parameter must not be null.
        replace - - this boolean value defines the behavior of this method if, when it is called, a PolicyContextHandler has already been registered to handle the same key. In that case, and if the value of this argument is true, the existing handler is replaced with the argument handler. If the value of this parameter is false the existing registration is preserved and an exception is thrown.
        Throws:
        java.lang.IllegalArgumentException - - if the value of either of the handler or key arguments is null, or the value of the replace argument is false and a handler with the same key as the argument handler is already registered.
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method.
        PolicyContextException - - if an operation by this method on the argument PolicyContextHandler causes it to throw a checked exception that is not accounted for in the signature of this method.

      • setContextID

        public static void setContextID​(java.lang.String contextID)

        Authorization protected method used to modify the value of the policy context identifier associated with the thread on which this method is called.

        Parameters:
        contextID - - a String that represents the value of the policy context identifier to be assigned to the PolicyContext for the calling thread. The value null is a legitimate value for this parameter.
        Throws:
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method.

      • setHandlerData

        public static void setHandlerData​(java.lang.Object data)

        Authorization protected method that may be used to associate a thread-scoped handler data object with the PolicyContext. The handler data object will be made available to handlers, where it can serve to supply or bind the handler to invocation scoped state within the container.

        Parameters:
        data - - a container-specific object that will be associated with the calling thread and passed to any handler activated by a Policy provider (on the thread). The value null is a legitimate value for this parameter, and is the value that will be used in the activation of handlers if the setHandlerData has not been called on the thread.
        Throws:
        java.lang.SecurityException - - if the calling AccessControlContext is not authorized by the container to call this method.