Class DefaultSessionContext

    • Constructor Detail

      • DefaultSessionContext

        public DefaultSessionContext()
      • DefaultSessionContext

        public DefaultSessionContext(Map<String,Object> map)
    • Method Detail

      • getHost

        public String getHost()
        Description copied from interface: SessionContext
        Returns the originating host name or IP address (as a String) from where the Subject is initiating the Session.

        See the setHost(String) JavaDoc for more about security policies based on the Session host.
        Specified by:
        getHost in interface SessionContext
        Returns:
        the originating host name or IP address (as a String) from where the Subject is initiating the Session.
        See Also:
        setHost(String)
      • setHost

        public void setHost(String host)
        Description copied from interface: SessionContext
        Sets the originating host name or IP address (as a String) from where the Subject is initiating the Session.

        In web-based systems, this host can be inferred from the incoming request, e.g. javax.servlet.ServletRequest#getRemoteAddr() or javax.servlet.ServletRequest#getRemoteHost() methods, or in socket-based systems, it can be obtained via inspecting the socket initiator's host IP.

        Most secure environments should specify a valid, non-null host, since knowing the host allows for more flexibility when securing a system: by requiring an host, access control policies can also ensure access is restricted to specific client locations in addition to Subject principals, if so desired.

        Caveat - if clients to your system are on a public network (as would be the case for a public web site), odds are high the clients can be behind a NAT (Network Address Translation) router or HTTP proxy server. If so, all clients accessing your system behind that router or proxy will have the same originating host. If your system is configured to allow only one session per host, then the next request from a different NAT or proxy client will fail and access will be denied for that client. Just be aware that host-based security policies are best utilized in LAN or private WAN environments when you can be ensure clients will not share IPs or be behind such NAT routers or proxy servers.
        Specified by:
        setHost in interface SessionContext
        Parameters:
        host - the originating host name or IP address (as a String) from where the Subject is initiating the Session.