See wam Menu

Using WAM Session Attributes

In addition to referencing the authenticated Subject, creation time, last touched time, and so forth, WAM Sessions are also a container for attributes.

Session attributes provide a way to associate values that can be accessed by session event handlers, access control rules, services, agents, and applications.

One common use for session attributes is to store user profile information at authentication time, then access the stored values from a web application on a web server protected using a WAM agent.

To help avoid naming conflicts, session attributes are organized into namespaces. You might decide to segregate all user profile information into a namespace called userinfo. You might also use a namespace called webapp1 to store attributes that are specific to a particular web application.

By convention, the namepace cams is reserved for use by WAM, so avoid inserting attributes there.

Setting/Getting WAM Session Attributes

Example 1 shows how you can set and get WAM Session attributes. The code assumes you’ve got access to a Session via the WAM Access Control Rule API or a ManagedSessionEventHandler within this API.

Attributes are added to two different namespaces: userinfo and webapp1.


import com.cafesoft.cams.session.ManagedSession;


ManagedSession session = ...;  // Obtained via WAM API-specific method 
                               // (See examples 2-3)

// Add session attributes
session.putAttribute("userinfo", "first-name", "Fred");
session.putAttribute("userinfo", "last-name", "Flintstone");
session.putAttribute("userinfo", "gender", "M");
session.putAttribute("webapp1", "admin-email", "");

// Get specific session attributes
String firstName = session.getAttribute("userinfo", "first-name");
String lastName = session.getAttribute("userinfo", "lastName");
String gender = session.getAttribute("userinfo", "gender");
String adminEmail = session.getAttribute("webapp1", "admin-email");

// If an attribute is not defined, null is returned
String nullValue = session.getAttribute("webapp1", "undefined attribute");

// Print out all attributes
String[] namespace = session.getNamespaces();
for (int i = 0; i < namespace.length; i++)
   String[] attrName = session.getAttributeNames(namespace[i]);
   for (int j = 0; j < attrName.length; j++)
      String attrValue = (String)session.getAttribute(namespace[i], attrName[j]);
      System.out.println("Namespace: " + namespace[i] + ", " + 
          attrName[j] + "=" + attrValue);

Example 1 - Setting and Getting Session Attributes

Accessing a WAM Session from a ManagedSessionEventHandler

In ManagedSessionEventHandlers, a WAM ManagedSession is accessible from a ManagedSessionEvent as shown in Example 2.


import com.cafesoft.cams.session.ManagedSession;
import com.cafesoft.cams.session.ManagedSessionEvent;


   public void handleManagedSessionEvent(ManagedSessionEvent event)

      ManagedSession session = event.getManagedSession();


Example 2 - Accessing a ManagedSession from a ManagedSessionEventHandler

Accessing a WAM Session from an AccessControlRule

In AccessControlRules, a WAM ManagedSession is accessible from an AccessRequest as shown in Example 3. If the value is null, then no session is associated with the request, meaning the user has not authenticated.


import com.cafesoft.cams.session.ManagedSession;

import com.cafesoft.cams.access.AccessRequest;
import com.cafesoft.cams.access.AccessResponse;
import com.cafesoft.cams.access.EvaluationException;


    * Evaluate the "Ladies Only" AccessControlRule.
    * @param accessRequest the access request.
    * @param accessResponse the access response.
    * @return true if the authenticated user's is a lady (female) according to
    *   session attribute: namespace=userinfo, gender=F 
    * @exception EvaluationException if the user is not authenticated or some other
    *   error when attempting to evaluate the rule.
   public boolean evaluate(AccessControlRequest accessRequest,
      AccessControlResponse accessResponse) throws EvaluationException
      ManagedSession session = accessRequest.getSession();
      if (session == null)
         // A session is required for this access control rule, so
         // throw an EvaluationException that will force authentication.
         throw new EvaluationException("authentication required",

      // Return true if a session attribute indicates the user is female
      return "F".equalsIgnoreCase(session.getAttribute("userinfo", "gender"));

Example 3 - Accessing a ManagedSession from an AccessControlRule

Have a Question?

Have a how-to question? Seeing a weird error? Contact us.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.