The container calls this method to set up the security Context for the Work instance.
The handler argument must not be null, and the argument handler and the CallbackHandler passed to this method must support the following Callbacks defined in JSR 196: Java Authentication SPI for Containers specification:
- CallerPrincipalCallback
- GroupPrincipalCallback
- PasswordValidationCallback
The following Callbacks may be supported by the container:
- CertStoreCallback
- PrivateKeyCallback
- SecretKeyCallback
- TrustStoreCallback
A resource adapter might use the CallerPrincipalCallback “to
set the container's representation of the caller principal. The
CallbackHandler must establish the argument Principal as the caller
principal associated with the invocation being processed by the
container. When the argument Principal is null, the handler will
establish the container's representation of the unauthenticated caller
principal.”
A resource adapter might use the GroupPrincipalCallback “to
establish the container's representation of the corresponding group
principals within the Subject. When a null value is passed to the groups
argument, the handler will establish the container's representation of no
group principals within the Subject. Otherwise, the handler's processing
of this callback is additive, yielding the union (without duplicates) of
the principals existing within the Subject, and those created with the
names occurring within the argument array. The CallbackHandler will define
the type of the created principals.”
A resource adapter might use the PasswordValidationCallback
“to employ the password validation facilities of its containing runtime.”
The executionSubject argument must be non-null and it must not be
read-only. It is expected that this method will populate this
executionSubject with principals and credentials that would be flown into
the application server.
The serviceSubject argument may be null. If it is not null, it must not be
read-only. It represents the application server’s credentials and it may be used by the
Work implementation to retrieve Principals and credentials necessary to establish
a connection to the EIS (in the case of mutual-auth-like scenarios). The
serviceSubject may contain the credentials of the application server or the
SecurityContext implementation may collect the service credentials, as
necessary, by using the CallbackHandler passed to it.
When this method is called, the method implementation:
- identifies the security context that needs to be flown-in to the
application server to serve as the execution context of the Work
instance.
- populates the executionSubject with the EIS Principals and
Credentials that it wants to serve as the security context for the Work
instance to be executed in.
- adds instances of the necessary Callbacks, usually a subset of the
ones listed above, to an array and invokes the handle() method in the
container's CallbackHandler implementation passing in the array of
Callback instances.
- on successful return from the CallbackHandler.handle() method the
setSecurityContext returns after ensuring that the executionSubject is
populated with the valid Principals and Credentials that represent the
execution context of the Work instance.
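
The steps above, as an added example that is not part of the original documentation or of any resource adapter's code. It assumes the javax-namespace Connector and JSR 196 API classes are on the classpath; the class name EisSecurityContext, its fields and its constructor are hypothetical.

```java
import java.io.IOException;
import javax.resource.spi.work.SecurityContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;

// Hypothetical resource-adapter class: carries the EIS caller identity into the container.
public class EisSecurityContext extends SecurityContext {
    private final String eisUser;
    private final char[] eisPassword;
    private final String[] eisGroups;

    public EisSecurityContext(String eisUser, char[] eisPassword, String[] eisGroups) {
        this.eisUser = eisUser;
        this.eisPassword = eisPassword.clone();
        this.eisGroups = eisGroups.clone();
    }

    @Override
    public void setupSecurityContext(CallbackHandler handler, Subject executionSubject,
                                     Subject serviceSubject) {
        // Argument contract: non-null handler, writable executionSubject,
        // serviceSubject either null or writable.
        if (handler == null || executionSubject == null || executionSubject.isReadOnly()
                || (serviceSubject != null && serviceSubject.isReadOnly())) {
            throw new IllegalArgumentException("invalid handler or Subject");
        }
        // Hand the callback a copy so clearing it leaves this context reusable.
        PasswordValidationCallback pvc =
                new PasswordValidationCallback(executionSubject, eisUser, eisPassword.clone());
        try {
            // Validate first, so no principal is established for a rejected caller.
            handler.handle(new Callback[] { pvc });
            if (!pvc.getResult()) {
                throw new SecurityException("password validation failed for EIS caller");
            }
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(executionSubject, eisUser),
                new GroupPrincipalCallback(executionSubject, eisGroups) });
        } catch (IOException | UnsupportedCallbackException e) {
            // Fail closed: the Work must not run with a partially built context.
            throw new SecurityException("container could not process callbacks", e);
        } finally {
            pvc.clearPassword(); // wipe the password copy held by the callback
        }
    }
}
```

Issuing the PasswordValidationCallback in its own handle() call before the principal callbacks keeps a failed validation from leaving caller or group principals in the executionSubject.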