4.37 - Create Session Role Constraint

An example of combining limited ABAC capability with standard RBAC.

Session createSession( User user, List<RoleConstraint> constraints, boolean isTrusted ) throws SecurityException;

Perform user authentication and role activations in one method plus additional attribute constraints for evaluation. This method must be called once per user prior to calling other methods within this class. The successful result is Session that contains target user’s RBAC roles. In addition to checking user password validity it will apply configured password policy checks.


  • user - Contains User.userId, User.password (optional if isTrusted is ‘true’), optional User.roles, optional User.adminRoles
  • constraints - list of key-value pairs bound for role activation checks.
  • isTrusted - For Single-sign-on scenarios. if true, password is not required.


  • Session object will contain:
    • authentication result code Session.errorId
    • RBAC role activations Session.getRoles()
    • Admin Role activations Session.getAdminRoles()
    • Password policy codes Session.warnings, Session.expirationSeconds, Session.graceLogins
    • User entity information Session.getUser()


  • SecurityException - in the event of data validation failure, security policy violation or DAO error.

createSession (constrained)

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.RoleConstraint;

public void createSessionConstrainedTest(String userId, String password, String key, String value)
    String szLocation = ".createSessionConstrainedTest";
        // Instantiate the AccessMgr implementation which perform runtime operations.
        AccessMgr accessMgr = AccessMgrFactory.createInstance();

        // The User entity is used to pass data into the createSession API.
        User user = new User(userId, password);

        // dynamic constraint pushed into the runtime context of fortress:
        List<RoleConstraint> constraints = new ArrayList();
        RoleConstraint constraint = new RoleConstraint();
        constraint.setKey( key );
        constraint.setValue( value );
        constraints.add( constraint );
        // This API will return a Session object that contains the User's activated Roles and other info.
        // One or more of these roles are validated by runtime attributes (role constraints).
        Session session = accessMgr.createSession( user, constraints, false );
    catch (SecurityException ex)
        LOG.error(szLocation + " userId [" + userId + "]  caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);