You can implement a custom security context in much the same way as a custom access rules provider. Implement the interface net.sf.jpasecurity.configuration.SecurityContext and specify the property in your persistence.xml with the class name of your implementation. Take a look at its Javadoc for further reference.

Accessing persistence properties

Like your access rules provider, your custom security context may need additional configuration parameters. You can define them as persistence properties in your persistence.xml. Again, implement the interface net.sf.jpasecurity.persistence.PersistenceInformationReceiver to have the persistence properties injected when your security context is initialized.


Implementing a servlet-filter security context

The following code shows how to implement a security context that reads its authentication information from the HttpSession.

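import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import net.sf.jpasecurity.configuration.SecurityContext;
import net.sf.jpasecurity.mapping.Alias; // package assumed; check the Javadoc of your JPA Security version

public class SecurityContextFilter implements SecurityContext, Filter {

    private static final Alias PRINCIPAL_ALIAS = new Alias("principal");
    private static final Alias ROLES_ALIAS = new Alias("roles");
    private static final Alias TENANT_ALIAS = new Alias("tenant");
    private static final Collection<Alias> ALIASES
      = Collections.unmodifiableList(Arrays.asList(PRINCIPAL_ALIAS, ROLES_ALIAS, TENANT_ALIAS));
    // Holds the session of the request currently handled by this thread
    private static final ThreadLocal<HttpSession> session = new ThreadLocal<HttpSession>();

    public Collection<Alias> getAliases() {
        return ALIASES;
    }

    // The alias name doubles as the name of the session attribute
    public Object getAliasValue(Alias alias) {
        HttpSession session = SecurityContextFilter.session.get();
        if (session == null) {
            return null;
        }
        return session.getAttribute(alias.getName());
    }

    public Collection<?> getAliasValues(Alias alias) {
        Object aliasValue = getAliasValue(alias);
        if (aliasValue instanceof Collection) {
            return (Collection<?>)aliasValue;
        } else if (aliasValue == null) {
            return null;
        } else if (aliasValue.getClass().isArray()) {
            return Arrays.asList((Object[])aliasValue);
        } else {
            return Collections.singleton(aliasValue);
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        try {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest httpRequest = (HttpServletRequest)request;
                // getSession(false): do not create a session for requests that have none
                session.set(httpRequest.getSession(false));
            }
            chain.doFilter(request, response);
        } finally {
            // Clear the thread-local so a pooled thread never sees a previous request's session
            session.remove();
        }
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }
}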

You now have to register the class as a web filter in your web.xml.

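<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <filter>
        <filter-name>securityContextFilter</filter-name>
        <filter-class>com.example.SecurityContextFilter</filter-class> <!-- placeholder package -->
    </filter>
    <filter-mapping>
        <filter-name>securityContextFilter</filter-name>
        <url-pattern>/*</url-pattern> <!-- assumed: filter every request that may use JPA -->
    </filter-mapping>
</web-app>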
Now your login process can store the authentication information (the principal, roles and tenant) in the HttpSession, and you are done.
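
A login step that matches the filter above, as an added example that is not part of the original documentation or of JPA Security itself. The class SessionAuthentication and its methods are hypothetical, the principal is assumed to be a user name, and the caller is assumed to have verified the credentials already.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not a JPA Security class) for the login and logout steps. */
public final class SessionAuthentication {

    // Must equal the alias names declared in SecurityContextFilter.
    private static final String PRINCIPAL = "principal";
    private static final String ROLES = "roles";
    private static final String TENANT = "tenant";

    private SessionAuthentication() {
    }

    /** Call only after the credentials have been verified. */
    public static HttpSession establish(HttpServletRequest request, String principal,
                                        Collection<String> roles, Object tenant) {
        if (principal == null || roles == null) {
            throw new IllegalArgumentException("principal and roles are required");
        }
        // Replace the pre-login session so its id is not carried into the authenticated state.
        HttpSession previous = request.getSession(false);
        if (previous != null) {
            previous.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(PRINCIPAL, principal);
        // getAliasValues() hands out the stored collection itself, so store an
        // unmodifiable copy that later code cannot extend with further roles.
        session.setAttribute(ROLES, Collections.unmodifiableList(new ArrayList<String>(roles)));
        session.setAttribute(TENANT, tenant);
        return session;
    }

    /** Logout: drop the session and with it all three alias values. */
    public static void clear(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

The filter captures the session once at the start of each request, so redirect after calling establish and run secured queries from the next request onward.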