20.0 Security Attributes


There are several places where user-supplied Java code will be executed in the context of an authenticated request:

User-supplied Java code will have access to a HAPI FHIR RequestDetails object that can be queried for details about the authenticated session.

The following example shows a hybrid provider's create method that obtains the session details from the RequestDetails object.

	public MethodOutcome createPatient(@ResourceParam Patient thePatient, RequestDetails theRequest) {

		// Obtain the session details, both as a JSON string and as a Java object
		String userSessionJson = (String) theRequest.getAttribute("ca.cdr.servletattribute.usersession.json");
		UserSessionDetailsJson userSessionObject = (UserSessionDetailsJson) theRequest.getAttribute("ca.cdr.servletattribute.usersession.object");

		// ... use the session details and store the resource (omitted here) ...
		return new MethodOutcome();
	}

The following attributes are available:

User-Authenticated Sessions

  • ca.cdr.servletattribute.usersession.json – Contains a Java string representing the JSON encoded user session object. This object is of type UserSessionDetails.

  • ca.cdr.servletattribute.usersession.object – Contains a Java UserSessionDetails object representing the user session.

Client-Authenticated Sessions

  • Details about the calling client are not currently available. Please get in touch if you require this.

SMART Authenticated Sessions

Sessions that have been authenticated using a SMART OpenID Connect authentication (including both User-Authenticated Sessions and Client-Authenticated Sessions) will additionally have access to the following attributes.

  • ca.cdr.servletattribute.session.oidc.tokenclaimset.object – Contains a JOSE SignedJWT containing the claim set that was parsed from the validated OpenID Connect Access Token.

  • ca.cdr.servletattribute.session.oidc.tokenclaimset.json – Contains a Java String containing the raw claim set (as a JSON encoded string) that was parsed from the validated OpenID Connect Access Token.
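
The following is an added example, not code from the original page or from the product: a helper that reads the claim set attribute listed above and fails closed when it is absent or malformed. It assumes the "JOSE SignedJWT" is the Nimbus JOSE+JWT class `com.nimbusds.jwt.SignedJWT` and that scopes arrive as a space-delimited `scope` string claim; the class name `SmartClaimsHelper` and its methods are hypothetical.

```java
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: reads the SMART/OIDC claim set attached to the request and fails closed. */
public final class SmartClaimsHelper {

	private static final String CLAIMSET_OBJECT = "ca.cdr.servletattribute.session.oidc.tokenclaimset.object";

	private SmartClaimsHelper() {}

	/** Returns the granted scopes, or an empty set when no usable claim set is attached. */
	public static Set<String> grantedScopes(RequestDetails theRequest) {
		Object attribute = theRequest.getAttribute(CLAIMSET_OBJECT);
		if (!(attribute instanceof SignedJWT)) {
			// The attribute is only present for SMART OpenID Connect sessions
			return Collections.emptySet();
		}
		try {
			JWTClaimsSet claims = ((SignedJWT) attribute).getJWTClaimsSet();
			// Assumption: scopes are carried in a space-delimited "scope" string claim
			String scope = claims.getStringClaim("scope");
			if (scope == null || scope.trim().isEmpty()) {
				return Collections.emptySet();
			}
			return new HashSet<>(Arrays.asList(scope.trim().split("\\s+")));
		} catch (ParseException e) {
			// Malformed payload or non-string claim: treat as no scopes granted
			return Collections.emptySet();
		}
	}

	/** Throws an HTTP 403 unless the access token carries the given scope. */
	public static void requireScope(RequestDetails theRequest, String theScope) {
		if (!grantedScopes(theRequest).contains(theScope)) {
			throw new ForbiddenOperationException("Missing required scope: " + theScope);
		}
	}
}
```

A provider method such as `createPatient` could call `SmartClaimsHelper.requireScope(theRequest, "patient/Patient.write")` before doing any work; the scope string here is an illustrative value.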