Class ImpersonationADFSecurityContextCredentialProvider

java.lang.Object
oracle.wcc.ridc.adfca.session.auth.ImpersonationADFSecurityContextCredentialProvider
All Implemented Interfaces:
RidcCredentialProvider

public class ImpersonationADFSecurityContextCredentialProvider extends Object implements RidcCredentialProvider
Warning 1 - Be very careful with sticky impersonation:
Should the session associated with an IdcContext expire, certain RIDC protocols may silently re-establish the connection as the actual impersonator user rather than the intended impersonatee. Subsequently, the request to UCM will go across as the impersonator user rather than the impersonatee (the person being impersonated), which could have bad security consequences.

Warning 2 - If the end-user is able to inject properties into the DataBinder without sanitization, and sticky impersonation is active, a malicious end-user could supply the property "StickyImpersonation" with value "false" in a request, which would restore the connection back as the impersonator user.
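
One way to apply the sanitization that Warning 2 calls for, shown as an added example that is not part of the Oracle API or its documentation: request parameters pass through an allowlist before anything is copied into the DataBinder, and any attempt to set the reserved property is recorded separately for alerting. The class name `BinderPropertyFilter`, the allowed field names and the sample request are assumptions made for illustration; the case-insensitive match is a defensive choice, not documented RIDC behaviour.

```java
import java.util.*;

// Added example: allowlist filter for untrusted request parameters (hypothetical class).
public class BinderPropertyFilter {
    // Assumption: the only fields this application lets end users set.
    static final Set<String> ALLOWED = Set.of("dDocTitle", "xComments");
    // Control property named in Warning 2; must never come from the end user.
    static final Set<String> RESERVED = Set.of("stickyimpersonation");

    /** Properties safe to copy, names silently dropped, names that warrant an alert. */
    record Filtered(Map<String, String> safe, List<String> dropped, List<String> alerts) {}

    static Filtered filter(Map<String, String> untrusted) {
        Map<String, String> safe = new LinkedHashMap<>();
        List<String> dropped = new ArrayList<>();
        List<String> alerts = new ArrayList<>();
        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            String name = e.getKey() == null ? "" : e.getKey().trim();
            // Defensive: match the reserved name regardless of case or padding.
            if (RESERVED.contains(name.toLowerCase(Locale.ROOT))) {
                alerts.add(name);           // tampering attempt: log and alert
            } else if (ALLOWED.contains(name)) {
                safe.put(name, e.getValue());
            } else {
                dropped.add(name);          // unknown field: never reaches the binder
            }
        }
        return new Filtered(safe, dropped, alerts);
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("dDocTitle", "Quarterly report");
        request.put("StickyImpersonation", "false");
        request.put(" stickyimpersonation", "false");
        request.put("unexpectedField", "x");

        Filtered f = filter(request);
        System.out.println("copy to binder: " + f.safe());
        System.out.println("dropped:        " + f.dropped());
        System.out.println("alert on:       " + f.alerts());
        // Only the entries in f.safe() would then be copied with binder.putLocal(name, value).
    }
}
```

Because unknown names are dropped by default, a control property added in a later release is also kept out of the binder without changing the filter.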

  • Constructor Details

    • ImpersonationADFSecurityContextCredentialProvider

      public ImpersonationADFSecurityContextCredentialProvider()
  • Method Details

    • getCredential

      public IdcContext getCredential(RidcConnection connection, boolean anonymousFallbackAllowed)
      Description copied from interface: RidcCredentialProvider
      Get a suitable credential for the connected ADF session-scope party to use for a session pool session.
      Specified by:
      getCredential in interface RidcCredentialProvider
      Parameters:
      connection - the connection associated with the credential request
      anonymousFallbackAllowed - whether to fall back to the anonymous IdcContext credential if a suitable credential cannot be identified
      Returns:
      an IdcContext credential to leverage, or null if no suitable/valid credential could be determined.