Infrastructure Configuration
Detailed property reference for Contexa's infrastructure layer — caching, Redis pub/sub and streams, Kafka event topics, and OpenTelemetry observability. These properties control how Contexa communicates with external systems in a distributed deployment.
Enable distributed mode (PoC / enterprise demo) — Run contexa init --distributed and the CLI will:
- Dependencies — automatically add
spring-kafkaandredissonto your build file. - Infrastructure — generate a
docker-compose.ymlwith PostgreSQL + Ollama + Redis + Kafka + Zookeeper. - Configuration — set
contexa.infrastructure.mode: DISTRIBUTEDand the Redis / Kafka hosts inside the Contexa-managed block ofapplication.yml.
The properties on this page apply once distributed mode is enabled. For production, use Kubernetes + Helm.
Contexa Core Properties (Summary)
The top-level ContexaProperties class (prefix contexa) contains the master switches for infrastructure mode, Redis, Kafka, and observability. These properties are fully documented on the Configuration Overview page. Key infrastructure-related entries include:
| Property | Type | Default | Description |
|---|---|---|---|
contexa (master) | |||
contexa.enabled |
boolean |
true |
Top-level master switch for the entire Contexa auto-configuration. When false, every sub-module is disabled. |
contexa.infrastructure | |||
.mode |
enum |
STANDALONE |
STANDALONE (in-memory) or DISTRIBUTED (Redis/Kafka) |
.redis.enabled |
boolean |
true |
Enable Redis for distributed caching and pub/sub |
.kafka.enabled |
boolean |
true |
Enable Kafka for event streaming in distributed mode |
.observability.enabled |
boolean |
true |
Enable observability infrastructure |
.observability.open-telemetry-enabled |
boolean |
true |
Enable OpenTelemetry for distributed tracing |
See the Configuration Overview for the complete ContexaProperties reference.
Cache Properties
Properties under contexa.cache, bound to ContexaCacheProperties. Controls the multi-tier caching subsystem used throughout Contexa for identity, policy, and behavioral data. Supports local (Caffeine), Redis, and hybrid caching strategies with optional pub/sub-based cache invalidation.
General Settings
| Property | Type | Default | Description |
|---|---|---|---|
contexa.cache | |||
.type |
CacheType |
REDIS |
LOCAL, REDIS, or HYBRID (L1 local + L2 Redis) |
.local.max-size |
int |
1000 |
Max entries in the local (L1) cache |
.local.default-ttl-seconds |
int |
60 |
Default TTL (seconds) for local cache entries |
.redis.default-ttl-seconds |
int |
300 |
Default TTL (seconds) for Redis cache entries |
.redis.key-prefix |
String |
contexa:cache: |
Prefix for all Redis cache keys (namespace isolation) |
.pubsub.enabled |
boolean |
true |
Enable pub/sub cache invalidation across cluster nodes |
.pubsub.channel |
String |
contexa:cache:invalidation |
Pub/sub channel for cache invalidation broadcasts |
Domain-Specific TTL
Each cache domain can have independent TTL values for local and Redis tiers. This allows fine-grained control — for example, frequently changing policy data can use shorter TTLs while stable HCAD baseline data uses longer ones.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.cache.domains | |||
.users |
TtlConfig |
local: 3600 / redis: 3600 |
User identity and profile data |
.roles |
TtlConfig |
local: 14400 / redis: 14400 |
Role definitions and permission mappings |
.permissions |
TtlConfig |
local: 28800 / redis: 28800 |
Permission grants and access control entries |
.groups |
TtlConfig |
local: 14400 / redis: 14400 |
Group membership and hierarchy data |
.policies |
TtlConfig |
local: 30 / redis: 300 |
XACML/ABAC policy definitions (short local TTL) |
.soar |
TtlConfig |
local: 900 / redis: 900 |
SOAR playbook and automated response data |
.hcad |
TtlConfig |
local: 86400 / redis: 86400 |
HCAD behavioral baselines (long-lived profiles) |
Each domain entry is a TtlConfig object with local-ttl-seconds and redis-ttl-seconds fields. Override any domain independently:
contexa:
cache:
type: HYBRID
local:
max-size: 5000
default-ttl-seconds: 120
redis:
default-ttl-seconds: 600
key-prefix: "myapp:contexa:cache:"
pubsub:
enabled: true
channel: "contexa:cache:invalidation"
domains:
users:
local-ttl-seconds: 1800
redis-ttl-seconds: 3600
policies:
local-ttl-seconds: 15
redis-ttl-seconds: 60
hcad:
local-ttl-seconds: 43200
redis-ttl-seconds: 86400
Bridge Properties
BridgeProperties is bound to contexa.bridge. It controls the bridge layer that maps user, authority, delegation, and session information bidirectionally between an external (legacy) authentication system and Contexa. The properties define SecurityContext extraction keys, session attribute candidates, request-attribute keys, HTTP header names, sync policy, and the trusted-proxy list.
Bridge Core Toggles
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.enabled | boolean | true | Master switch for the entire bridge layer. |
contexa.bridge.populate-security-context | boolean | true | Whether to populate Spring SecurityContext from the external principal. |
Synchronization (Sync)
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.sync.enabled | boolean | true | Enables periodic synchronization of external user information. |
contexa.bridge.sync.min-refresh-interval-seconds | long | 60 | Minimum seconds between sync calls for the same principal — acts as a throttle. |
contexa.bridge.sync.synthetic-email-domain | String | shadow.contexa.local | Domain suffix used to synthesize an email address when none is provided externally. |
Trusted Proxies (Network)
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.network.trusted-proxy-validation-enabled | boolean | true | Whether to validate the reverse-proxy origin before trusting X-Forwarded-* headers. |
contexa.bridge.network.trusted-proxies | List<String> | [] (empty list) | Trusted reverse-proxy IPs or CIDR ranges. When empty, headers are not trusted even if validation is enabled. |
Authentication SecurityContext Keys
Properties under contexa.bridge.authentication.security-context, bound to Authentication.SecurityContext. Defines the candidate keys used to extract display name, principal type, authentication method, assurance level, MFA state, authentication time, and additional attributes from the external token's claims/attributes. The first matching key wins.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authentication.security-context.enabled | boolean | true | Enables SecurityContext extraction. |
contexa.bridge.authentication.security-context.display-name-keys | List<String> | [displayName, name, fullName, userName, username, preferred_username] | Candidate keys used to extract the display name. |
contexa.bridge.authentication.security-context.principal-type-keys | List<String> | [principalType, userType, actorType, token_use] | Candidate keys used to extract the principal type (user / service / agent, etc.). |
contexa.bridge.authentication.security-context.authentication-type-keys | List<String> | [authenticationType, authMethod, loginMethod, method, factorType] | Candidate keys used to extract the authentication method. |
contexa.bridge.authentication.security-context.authentication-assurance-keys | List<String> | [authenticationAssurance, authLevel, loa, acr] | Candidate keys used to extract the authentication assurance level (LoA/ACR). |
contexa.bridge.authentication.security-context.mfa-keys | List<String> | [mfa, mfaVerified, mfaCompleted, secondFactorVerified, amr] | Candidate keys used to extract MFA-completion state. |
contexa.bridge.authentication.security-context.auth-time-keys | List<String> | [authenticationTime, authenticatedAt, loginTime, issuedAt, auth_time, iat] | Candidate keys used to extract the authentication time. |
contexa.bridge.authentication.security-context.attribute-keys | List<String> | [organizationId, orgId, tenantId, department, team, email, loginIp, authenticationType, authenticationAssurance, mfaVerified, mfaCompleted, authenticatedAt, loginTime, iss, aud, azp, scope, scp, amr, acr] | Additional attribute keys preserved in the SecurityContext (20 entries by default). |
Authentication Session Keys
Properties under contexa.bridge.authentication.session, bound to the shared Bridge.Session class. When an external system stores the authenticated user object as an HTTP session attribute, these keys define which attribute names to try and which keys to use to extract principal id, display name, authorities, authentication method, MFA state, authentication time, and additional attributes from that object.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authentication.session.enabled | boolean | true | Enables HTTP-session-based user extraction. |
contexa.bridge.authentication.session.attribute | String | "" (empty) | Explicit session-attribute name where the user object is stored. When empty and auto-discover is true, the candidate list is tried. |
contexa.bridge.authentication.session.attribute-candidates | List<String> | [currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal] | Candidate attribute names tried in auto-discover mode. |
contexa.bridge.authentication.session.auto-discover | boolean | true | Whether to walk the candidate-attribute list automatically. |
contexa.bridge.authentication.session.object-type-name | String | "" (empty) | Optional fully-qualified class name the discovered object must match. |
contexa.bridge.authentication.session.principal-id-keys | List<String> | [userId, username, id, loginId, email] | Candidate keys used to extract the principal identifier from the session object. |
contexa.bridge.authentication.session.display-name-keys | List<String> | [displayName, name, fullName, userName, preferred_username] | Candidate keys used to extract the display name. |
contexa.bridge.authentication.session.authorities-keys | List<String> | [roles, authorities, permissions, scopes] | Candidate keys used to extract authorities, roles, or scopes. |
contexa.bridge.authentication.session.authentication-type-keys | List<String> | [authenticationType, authMethod, loginMethod] | Candidate keys used to extract the authentication method. |
contexa.bridge.authentication.session.authentication-assurance-keys | List<String> | [authenticationAssurance, authLevel, loa] | Candidate keys used to extract the authentication assurance level. |
contexa.bridge.authentication.session.mfa-keys | List<String> | [mfa, mfaVerified, mfa_verified] | Candidate keys used to extract MFA-completion state. |
contexa.bridge.authentication.session.auth-time-keys | List<String> | [authenticationTime, authenticatedAt, loginTime] | Candidate keys used to extract the authentication time. |
contexa.bridge.authentication.session.attribute-keys | List<String> | [department, organizationId, orgId, authMethod, loginIp, loginTime] | Additional attribute keys preserved in the SecurityContext. |
Authentication RequestAttributes Keys
Properties under contexa.bridge.authentication.request-attributes, bound to the shared Bridge.RequestAttributes class. Defines which attribute candidates to try when an external filter stores the user object on HttpServletRequest, which keys to read from that object, and which flat key names Contexa uses when re-exposing values back as request attributes.
Discovery / Extraction (13 shared)
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authentication.request-attributes.enabled | boolean | true | Enables request-attribute-based user extraction. |
contexa.bridge.authentication.request-attributes.attribute | String | "" (empty) | Explicit request-attribute name where the user object is stored. |
contexa.bridge.authentication.request-attributes.attribute-candidates | List<String> | [currentUser, authenticatedUser, requestUser, principal, user, authenticatedPrincipal, authUser] | Candidate attribute names tried in auto-discover mode. |
contexa.bridge.authentication.request-attributes.auto-discover | boolean | true | Whether to walk the candidate-attribute list automatically. |
contexa.bridge.authentication.request-attributes.object-type-name | String | "" (empty) | Optional fully-qualified class name the discovered object must match. |
contexa.bridge.authentication.request-attributes.principal-id-keys | List<String> | [userId, username, id, loginId, email] | Candidate keys used to extract the principal identifier. |
contexa.bridge.authentication.request-attributes.display-name-keys | List<String> | [displayName, name, fullName, userName, preferred_username] | Candidate keys used to extract the display name. |
contexa.bridge.authentication.request-attributes.authorities-keys | List<String> | [roles, authorities, permissions, scopes] | Candidate keys used to extract authorities, roles, or scopes. |
contexa.bridge.authentication.request-attributes.authentication-type-keys | List<String> | [authenticationType, authMethod, loginMethod] | Candidate keys used to extract the authentication method. |
contexa.bridge.authentication.request-attributes.authentication-assurance-keys | List<String> | [authenticationAssurance, authLevel, loa] | Candidate keys used to extract the authentication assurance level. |
contexa.bridge.authentication.request-attributes.mfa-keys | List<String> | [mfa, mfaVerified, mfa_verified] | Candidate keys used to extract MFA-completion state. |
contexa.bridge.authentication.request-attributes.auth-time-keys | List<String> | [authenticationTime, authenticatedAt, loginTime] | Candidate keys used to extract the authentication time. |
contexa.bridge.authentication.request-attributes.attribute-keys | List<String> | [department, organizationId, orgId, authMethod, loginIp, loginTime] | Additional attribute keys preserved in the SecurityContext. |
Flat authentication attribute keys (flat-*, 8)
Single key names Contexa uses when flattening values back onto request attributes so downstream components can read them directly.
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.request-attributes.flat-principal-id | ctxa.auth.principalId | Principal identifier. |
contexa.bridge.authentication.request-attributes.flat-display-name | ctxa.auth.displayName | Display name. |
contexa.bridge.authentication.request-attributes.flat-authenticated | ctxa.auth.authenticated | Authenticated boolean. |
contexa.bridge.authentication.request-attributes.flat-authorities | ctxa.auth.authorities | Authorities collection. |
contexa.bridge.authentication.request-attributes.flat-authentication-type | ctxa.auth.type | Authentication method. |
contexa.bridge.authentication.request-attributes.flat-authentication-assurance | ctxa.auth.assurance | Authentication assurance level. |
contexa.bridge.authentication.request-attributes.flat-mfa-completed | ctxa.auth.mfaCompleted | MFA completion state. |
contexa.bridge.authentication.request-attributes.flat-authentication-time | ctxa.auth.time | Authentication time. |
Authorization mapping keys (7)
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.request-attributes.authorization-effect | ctxa.authz.effect | Authorization decision effect (ALLOW/DENY). |
contexa.bridge.authentication.request-attributes.privileged | ctxa.authz.privileged | Whether this is a privileged flow. |
contexa.bridge.authentication.request-attributes.policy-id | ctxa.authz.policyId | ID of the matching policy. |
contexa.bridge.authentication.request-attributes.policy-version | ctxa.authz.policyVersion | Policy version. |
contexa.bridge.authentication.request-attributes.scope-tags | ctxa.authz.scopeTags | Scope tags. |
contexa.bridge.authentication.request-attributes.effective-roles | ctxa.authz.roles | Effective role set. |
contexa.bridge.authentication.request-attributes.effective-authorities | ctxa.authz.authorities | Effective authority set. |
Delegation mapping keys (11)
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.request-attributes.delegated | ctxa.delegation.enabled | Whether delegation is active. |
contexa.bridge.authentication.request-attributes.agent-id | ctxa.delegation.agentId | Delegated agent ID. |
contexa.bridge.authentication.request-attributes.objective-id | ctxa.delegation.objectiveId | Delegation objective ID. |
contexa.bridge.authentication.request-attributes.objective-family | ctxa.delegation.objectiveFamily | Objective family / type. |
contexa.bridge.authentication.request-attributes.objective-summary | ctxa.delegation.objectiveSummary | Objective summary. |
contexa.bridge.authentication.request-attributes.allowed-operations | ctxa.delegation.allowedOperations | Permitted operations list. |
contexa.bridge.authentication.request-attributes.allowed-resources | ctxa.delegation.allowedResources | Permitted resources list. |
contexa.bridge.authentication.request-attributes.approval-required | ctxa.delegation.approvalRequired | Whether approval is required. |
contexa.bridge.authentication.request-attributes.privileged-export-allowed | ctxa.delegation.privilegedExportAllowed | Whether privileged export is allowed. |
contexa.bridge.authentication.request-attributes.containment-only | ctxa.delegation.containmentOnly | Containment-only restriction flag. |
contexa.bridge.authentication.request-attributes.expires-at | ctxa.delegation.expiresAt | Delegation expiry instant. |
Authentication HTTP Header Names
Properties under contexa.bridge.authentication.headers, bound to the shared Bridge.Headers class. Defines which header names Contexa reads from (and emits onto) HTTP traffic when a reverse proxy or gateway propagates authentication, authorization, or delegation context. All header names are configurable.
Toggle
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authentication.headers.enabled | boolean | true | Enables HTTP-header-based extraction and emission. |
Authentication headers (8)
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.headers.principal-id | X-Contexa-Principal-Id | Principal-identifier header. |
contexa.bridge.authentication.headers.display-name | X-Contexa-Principal-Name | Display-name header. |
contexa.bridge.authentication.headers.authenticated | X-Contexa-Authenticated | Authenticated boolean header. |
contexa.bridge.authentication.headers.authorities | X-Contexa-Authorities | Authorities collection header. |
contexa.bridge.authentication.headers.authentication-type | X-Contexa-Authentication-Type | Authentication-method header. |
contexa.bridge.authentication.headers.authentication-assurance | X-Contexa-Authentication-Assurance | Authentication-assurance header. |
contexa.bridge.authentication.headers.mfa-completed | X-Contexa-Mfa-Completed | MFA-completion header. |
contexa.bridge.authentication.headers.authentication-time | X-Contexa-Authenticated-At | Authentication-time header. |
Authorization headers (7)
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.headers.authorization-effect | X-Contexa-Authz-Effect | Authorization-effect header. |
contexa.bridge.authentication.headers.privileged | X-Contexa-Authz-Privileged | Privileged-flow boolean header. |
contexa.bridge.authentication.headers.policy-id | X-Contexa-Authz-Policy | Matching-policy ID header. |
contexa.bridge.authentication.headers.policy-version | X-Contexa-Authz-Policy-Version | Policy-version header. |
contexa.bridge.authentication.headers.scope-tags | X-Contexa-Authz-Scope | Scope-tag header. |
contexa.bridge.authentication.headers.effective-roles | X-Contexa-Authz-Roles | Effective-roles header. |
contexa.bridge.authentication.headers.effective-authorities | X-Contexa-Authz-Authorities | Effective-authorities header. |
Delegation headers (11)
| Property | Default | Description |
|---|---|---|
contexa.bridge.authentication.headers.delegated | X-Contexa-Delegated | Delegation-active header. |
contexa.bridge.authentication.headers.agent-id | X-Contexa-Agent-Id | Delegated-agent ID header. |
contexa.bridge.authentication.headers.objective-id | X-Contexa-Objective-Id | Objective ID header. |
contexa.bridge.authentication.headers.objective-family | X-Contexa-Objective-Family | Objective family / type header. |
contexa.bridge.authentication.headers.objective-summary | X-Contexa-Objective-Summary | Objective summary header. |
contexa.bridge.authentication.headers.allowed-operations | X-Contexa-Allowed-Operations | Permitted-operations header. |
contexa.bridge.authentication.headers.allowed-resources | X-Contexa-Allowed-Resources | Permitted-resources header. |
contexa.bridge.authentication.headers.approval-required | X-Contexa-Approval-Required | Approval-required header. |
contexa.bridge.authentication.headers.privileged-export-allowed | X-Contexa-Privileged-Export-Allowed | Privileged-export-allowed header. |
contexa.bridge.authentication.headers.containment-only | X-Contexa-Containment-Only | Containment-only header. |
contexa.bridge.authentication.headers.expires-at | X-Contexa-Delegation-Expires-At | Delegation-expiry header. |
Authorization SecurityContext Keys
Properties under contexa.bridge.authorization.security-context, bound to Authorization.SecurityContext. When an external system stores authorization decisions (effect, policy ID, authorities, etc.) as attributes on the Spring SecurityContext Authentication, these keys define which candidate names Contexa tries to read that information. The first matching key wins.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authorization.security-context.enabled | boolean | true | Enables SecurityContext-based authorization extraction. |
contexa.bridge.authorization.security-context.authorization-effect-keys | List<String> | [authorizationEffect, effect, decision, decisionEffect] | Candidate keys used to extract the authorization effect (ALLOW/DENY). |
contexa.bridge.authorization.security-context.privileged-keys | List<String> | [privileged, isPrivileged, privilegedFlow] | Candidate keys used to extract the privileged-flow boolean. |
contexa.bridge.authorization.security-context.policy-id-keys | List<String> | [policyId, policy, decisionPolicy] | Candidate keys used to extract the matching policy ID. |
contexa.bridge.authorization.security-context.policy-version-keys | List<String> | [policyVersion, version] | Candidate keys used to extract the policy version. |
contexa.bridge.authorization.security-context.scope-tag-keys | List<String> | [scopeTags, scopes, scope, permissionScopes, scp] | Candidate keys used to extract scope tags. |
contexa.bridge.authorization.security-context.role-keys | List<String> | [effectiveRoles, roles, roleSet, groups] | Candidate keys used to extract the effective role set. |
contexa.bridge.authorization.security-context.authority-keys | List<String> | [effectiveAuthorities, authorities, permissions, grantedAuthorities, scope, scp] | Candidate keys used to extract the effective authority set. |
contexa.bridge.authorization.security-context.attribute-keys | List<String> | [authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, scope, scp, roles, effectiveRoles, permissions, effectiveAuthorities] | Additional attribute keys preserved in the authorization context (13 defaults). |
Authorization Session Keys
Properties under contexa.bridge.authorization.session, bound to Authorization.Session. When an external system stores authorization decisions on a session-scoped user object, these keys define which attribute candidates to try and which keys to read for effect, policy, scope, role, and authority extraction.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.authorization.session.enabled | boolean | true | Enables session-based authorization extraction. |
contexa.bridge.authorization.session.attribute | String | "" (empty) | Explicit session attribute name carrying the user object. |
contexa.bridge.authorization.session.attribute-candidates | List<String> | [currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal] | Candidate attribute names tried in auto-discover mode. |
contexa.bridge.authorization.session.auto-discover | boolean | true | Whether to walk the candidate-attribute list automatically. |
contexa.bridge.authorization.session.object-type-name | String | "" (empty) | Optional fully-qualified class name the discovered object must match. |
contexa.bridge.authorization.session.principal-id-keys | List<String> | [userId, username, id, loginId, email] | Candidate keys used to extract the principal identifier. |
contexa.bridge.authorization.session.authorization-effect-keys | List<String> | [authorizationEffect, effect, decision, decisionEffect] | Candidate keys used to extract the authorization effect. |
contexa.bridge.authorization.session.privileged-keys | List<String> | [privileged, isPrivileged, privilegedFlow] | Candidate keys used to extract the privileged flag. |
contexa.bridge.authorization.session.policy-id-keys | List<String> | [policyId, policy, decisionPolicy] | Candidate keys used to extract the policy ID. |
contexa.bridge.authorization.session.policy-version-keys | List<String> | [policyVersion, version] | Candidate keys used to extract the policy version. |
contexa.bridge.authorization.session.scope-tag-keys | List<String> | [scopeTags, scopes, scope, permissionScopes] | Candidate keys used to extract scope tags (note: scp is not included here, unlike Authorization.SecurityContext). |
contexa.bridge.authorization.session.role-keys | List<String> | [effectiveRoles, roles, roleSet] | Candidate keys used to extract the effective role set (no groups). |
contexa.bridge.authorization.session.authority-keys | List<String> | [effectiveAuthorities, authorities, permissions, grantedAuthorities] | Candidate keys used to extract the effective authority set (no scope, scp). |
contexa.bridge.authorization.session.attribute-keys | List<String> | [authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, roles, effectiveRoles, permissions, effectiveAuthorities, organizationId, orgId, tenantId, department, team] | Additional attribute keys preserved in the authorization context (16 defaults). |
Authorization RequestAttributes / Headers
Authorization reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults are identical to the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:
contexa.bridge.authorization.request-attributes.*— 39 fields, same tablecontexa.bridge.authorization.headers.*— 27 fields, same table
The tables are not duplicated because BridgeProperties.java references a single class from three locations — keeping the documentation single-sourced.
Delegation Session Keys
Properties under contexa.bridge.delegation.session, bound to Delegation.Session. When an external system stores agent-delegation context — agent ID, objective, allowed operations/resources, approval requirement, expiry — on a session-scoped user object, these keys define which attribute candidates to try and which keys to read.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.bridge.delegation.session.enabled | boolean | true | Enables session-based delegation extraction. |
contexa.bridge.delegation.session.attribute | String | "" (empty) | Explicit session attribute name carrying the user object. |
contexa.bridge.delegation.session.attribute-candidates | List<String> | [currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal] | Candidate attribute names tried in auto-discover mode. |
contexa.bridge.delegation.session.auto-discover | boolean | true | Whether to walk the candidate list automatically. (Note: Delegation.Session does not expose an object-type-name field.) |
contexa.bridge.delegation.session.principal-id-keys | List<String> | [userId, username, id, loginId, email] | Candidate keys used to extract the principal identifier. |
contexa.bridge.delegation.session.delegated-keys | List<String> | [delegated, delegationEnabled, agentDelegated] | Candidate keys used to extract the delegation-active flag. |
contexa.bridge.delegation.session.agent-id-keys | List<String> | [agentId, delegateAgentId] | Candidate keys used to extract the agent ID. |
contexa.bridge.delegation.session.objective-id-keys | List<String> | [objectiveId, taskPurpose, delegationObjectiveId] | Candidate keys used to extract the delegation objective ID. |
contexa.bridge.delegation.session.objective-family-keys | List<String> | [objectiveFamily, objectiveType, delegationObjectiveFamily] | Candidate keys used to extract the objective family / type. |
contexa.bridge.delegation.session.objective-summary-keys | List<String> | [objectiveSummary, taskSummary, delegationObjectiveSummary] | Candidate keys used to extract the objective summary. |
contexa.bridge.delegation.session.allowed-operations-keys | List<String> | [allowedOperations, delegatedOperations, permittedOperations] | Candidate keys used to extract the permitted operations list. |
contexa.bridge.delegation.session.allowed-resources-keys | List<String> | [allowedResources, delegatedResources, permittedResources] | Candidate keys used to extract the permitted resources list. |
contexa.bridge.delegation.session.approval-required-keys | List<String> | [approvalRequired, requiresApproval] | Candidate keys used to extract the approval-required flag. |
contexa.bridge.delegation.session.privileged-export-allowed-keys | List<String> | [privilegedExportAllowed, allowPrivilegedExport] | Candidate keys used to extract the privileged-export-allowed flag. |
contexa.bridge.delegation.session.containment-only-keys | List<String> | [containmentOnly, restrictedContainment] | Candidate keys used to extract the containment-only flag. |
contexa.bridge.delegation.session.expires-at-keys | List<String> | [expiresAt, delegationExpiresAt] | Candidate keys used to extract the delegation expiry instant. |
contexa.bridge.delegation.session.attribute-keys | List<String> | [delegated, agentId, objectiveId, objectiveFamily, objectiveSummary, allowedOperations, allowedResources, approvalRequired, privilegedExportAllowed, containmentOnly, expiresAt, organizationId, orgId, tenantId, department, team] | Additional attribute keys preserved in the delegation context (16 defaults). |
Delegation RequestAttributes / Headers
Delegation reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults match the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:
contexa.bridge.delegation.request-attributes.*— 39 fields, same tablecontexa.bridge.delegation.headers.*— 27 fields, same table
Security Kafka Properties
Properties under contexa.security.kafka, bound to SecurityKafkaProperties. Configures Kafka topic names for Contexa's security event pipeline.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.kafka.topic (TopicSettings) | |||
.authorization | String | security-authorization-events | Authorization-decision event topic. |
.authentication | String | auth-events | Authentication event topic. |
.incident | String | security-incident-events | Security-incident event topic. |
.threat | String | threat-indicators | Threat-indicators topic. |
.audit | String | security-audit-events | Audit-event topic. |
.general | String | security-events | General security-event topic. |
.dlq | String | security-events-dlq | Dead-letter queue topic for failed event processing. |
.soar-action | String | soar-action-events | SOAR action event topic. |
contexa.security.kafka.dlq (DlqSettings) | |||
.max-retries | int | 3 | Maximum DLQ processing retries. |
.retry-delay-ms | int | 5000 | Delay between retries in milliseconds. |
.alert-threshold | int | 10 | Alerting threshold for the number of DLQ messages. |
security:
kafka:
topic:
authorization: security-authorization-events
authentication: auth-events
incident: security-incident-events
threat: threat-indicators
audit: security-audit-events
general: security-events
dlq: security-events-dlq
soar-action: soar-action-events
dlq:
max-retries: 3
retry-delay-ms: 5000
alert-threshold: 10
Related: Zero Trust Security Reference | SOAR Automation Reference
OpenTelemetry Properties
Properties under contexa.opentelemetry, bound to OpenTelemetryProperties. Configures the OpenTelemetry integration for distributed tracing, metrics export, and observability.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.opentelemetry | |||
.enabled |
boolean |
true |
Enable OpenTelemetry trace and metric export |
.service-name |
String |
contexa-core |
Service name in trace spans and metric labels |
.exporter-endpoint |
String |
http://localhost:4317 |
OTLP exporter endpoint (gRPC; 4318 for HTTP) |
.sampling-probability |
double |
1.0 |
Sampling probability (0.0–1.0); lower in production |
contexa:
opentelemetry:
enabled: true
service-name: "my-application"
exporter-endpoint: "http://otel-collector.monitoring:4317"
sampling-probability: 0.1
Security Plane Properties
Properties under contexa.security.plane, bound to SecurityPlaneProperties. The class configures the distributed security-plane agent, Kafka topics, Redis relay settings, monitoring batches, deduplication windows, and the LLM executor pool used by asynchronous security analysis.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.plane.agent | |||
.name | String | SecurityPlaneAgent-1 | Agent instance name |
.auto-start | boolean | true | Auto-starts the agent on boot |
.organization-id | String | default-org | Organization identifier for distributed deployments |
.execution-mode | String | ASYNC | Agent execution mode |
.auto-approve-low-risk | boolean | false | Automatically approves low-risk decisions when enabled |
.event-timeout-ms | long | 30000 | Per-event processing timeout |
.max-deferred-retries | int | 3 | Deferred retry limit for agent processing |
contexa.security.plane.kafka | |||
.bootstrap-servers | String | localhost:9092 | Kafka bootstrap servers |
.group-id | String | security-plane-consumer | Kafka consumer group id |
.topics.contexa-security-events | String | contexa-security-events | Security event topic |
.topics.threat-indicators | String | threat-indicators | Threat indicator topic |
.topics.network-events | String | network-events | Network event topic |
.topics.auth-events | String | auth-events | Authentication event topic |
contexa.security.plane.monitor | |||
.queue-size | int | 10000 | Event queue capacity |
.batch-size | int | 8 | Monitoring batch size |
.flush-interval-ms | long | 500 | Batch flush interval |
.correlation-window-minutes | int | 10 | Correlation window size |
.dedup-window-minutes | int | 5 | Deduplication time window |
contexa.security.plane.notifier | |||
.batch-size | int | 10 | Notification batch size |
.async-enabled | boolean | true | Enable async notification dispatch |
.critical-threshold | double | 0.8 | Critical alert threshold |
contexa.security.plane.redis | |||
.batch-size | int | 50 | Redis publish batch size |
.cache.ttl-minutes | int | 60 | Redis relay cache TTL |
.channel.contexa-security-events | String | security:events | Redis security event channel |
.channel.threat-alerts | String | security:threats | Redis threat alert channel |
contexa.security.plane.llm-executor | |||
.core-pool-size | int | 2 | Core thread pool size for LLM analysis |
.max-pool-size | int | 2 | Maximum thread pool size for LLM analysis |
.queue-capacity | int | 50 | Queue capacity for pending LLM work |
contexa.security.plane.deduplication | |||
.enabled | boolean | true | Deduplication toggle |
.window-minutes | int | 5 | Deduplication window size |
.cache-size | int | 10000 | Deduplication cache size |
security:
plane:
agent:
name: SecurityPlaneAgent-1
auto-start: true
organization-id: default-org
execution-mode: ASYNC
auto-approve-low-risk: false
event-timeout-ms: 30000
max-deferred-retries: 3
llm-executor:
core-pool-size: 2
max-pool-size: 2
queue-capacity: 50
deduplication:
enabled: true
window-minutes: 5
cache-size: 10000
Related: Zero Trust Flow, SOAR Reference
Router Properties
Properties under contexa.security.router, bound to SecurityRouterProperties. Defines the score thresholds used when routing security events (SOAR automation / block / analysis confidence / pass-through).
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.router.threshold | |||
.soar | double | 0.9 | SOAR automated response threshold |
.block | double | 0.8 | Block decision threshold |
.analysis-confidence | double | 0.6 | Analysis result acceptance confidence |
.pass-through | double | 0.6 | Pass-through allowance threshold |
Event Properties
Properties under contexa.security.event, bound to SecurityEventProperties. Configures event publishing gates, the asynchronous executor pool, per-tier latency budgets, and the deduplication cache.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.event.publishing | |||
.enabled | boolean | true | Enable event publishing |
.exclude-uris | String | /actuator,/health,/metrics | Comma-separated URI prefixes excluded from publishing |
.anonymous.enabled | boolean | true | Enable event publishing for anonymous users |
contexa.security.event.executor | |||
.core-pool-size | int | cores × 2 | Core thread pool size for event processing |
.max-pool-size | int | cores × 4 | Maximum thread pool size |
.queue-capacity | int | 10000 | Pending event queue capacity |
contexa.security.event.tier | |||
.critical.max-latency-ms | int | 100 | Latency budget for critical events (ms) |
.contextual.max-latency-ms | int | 1000 | Latency budget for contextual events (ms) |
.general.max-latency-ms | int | 10000 | Latency budget for general events (ms) |
.general.sampling-rate | double | 0.1 | General event sampling rate |
contexa.security.event.deduplication | |||
.enabled | boolean | true | Enable deduplication |
.window-minutes | int | 5 | Deduplication window (minutes) |
.cache-size | int | 10000 | Deduplication cache size |
Cold-Path Properties
Properties under contexa.security.coldpath, bound to SecurityColdPathProperties. Defines per-layer baseline confidence values for the asynchronous LLM analysis path.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.coldpath.confidence | |||
.layer1-base | double | 0.5 | Base confidence for layer-1 analysis |
.layer2-base | double | 0.7 | Base confidence for layer-2 analysis |
Pipeline Properties
Properties under contexa.security.pipeline, bound to SecurityPipelineProperties. Configures the Redis · Kafka transport channels of the security event pipeline.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.pipeline.kafka | |||
.topic | String | contexa-security-events | Kafka topic the pipeline publishes to |
Note: contexa.security.pipeline.redis is an empty marker group. Actual Redis behavior is configured under contexa.security.plane.redis and security.zerotrust.redis.
Security Redis Properties
Properties under contexa.security.redis, bound to SecurityRedisProperties. Configures Redis pub/sub channel names, Redis stream keys, TTL, and memory thresholds for Contexa's security events.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.security.redis.channel (ChannelSettings) | |||
.authorization | String | security:authorization:events | Authorization-event pub/sub channel. |
.authentication | String | security:events | Authentication-event pub/sub channel. |
.incident | String | security:incidents | Incident pub/sub channel. |
.threat | String | security:threats | Threat pub/sub channel. |
.audit | String | security:audit:events | Audit pub/sub channel. |
.general | String | security:events | General pub/sub channel. |
contexa.security.redis.stream (StreamSettings) | |||
.authorization | String | security:stream:authorization | Authorization Redis stream key. |
.incident | String | security:stream:incident | Incident Redis stream key. |
.threat | String | security:stream:threat | Threat Redis stream key. |
.audit | String | security:stream:audit | Audit Redis stream key. |
.general | String | security:stream:general | General Redis stream key. |
.authentication | String | security:stream:authentication | Authentication Redis stream key. |
.maxlen | int | 10000 | Maximum entries per Redis stream (XADD MAXLEN). |
contexa.security.redis.ttl (TtlSettings) | |||
.minutes | int | 60 | Default Redis TTL for event data (minutes). |
contexa.security.redis.memory (MemorySettings) | |||
.max-mb | int | 1024 | Memory cap (MB) Contexa security events may consume in Redis. |
.warning-threshold | double | 0.8 | Warning threshold for memory usage (0.0-1.0). |
.critical-threshold | double | 0.9 | Critical threshold for memory usage (0.0-1.0). |
Scheduler Lock Properties
Properties under contexa.scheduler.lock, bound to ContexaSchedulerLockProperties (record). Controls the ShedLock auto-configuration that ensures single execution of @Scheduled + @SchedulerLock methods across multiple JVMs. Single-instance deployments may keep the defaults — locks always succeed and the overhead is negligible.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.scheduler.lock | |||
.enabled | boolean | true | Whether the ShedLock auto-configuration registers a LockProvider bean. Setting this to false disables every @SchedulerLock; each @Scheduled method then reverts to single-JVM-only exclusivity. |
.default-lock-at-most-for | Duration | 5m | Fallback upper bound applied when a specific scheduler omits lockAtMostFor. Prevents stuck locks from surviving indefinitely after a JVM crash. |
.use-database-time | boolean | true | When true, the JdbcTemplateLockProvider uses now() from the database engine so every instance sees the same clock. When false, it falls back to the JVM clock (useful for local H2 tests with a misaligned timezone). |
DataSource Properties
Properties under contexa.datasource, bound to ContexaDataSourceProperties. Defines the database connection Contexa uses for its own metadata (policies, users, audit log, etc.). Can be isolated from the host application's spring.datasource.
| Property | Type | Default | Description |
|---|---|---|---|
contexa.datasource | |||
.url | String | null | JDBC URL. When empty, the host application's spring.datasource.url may be reused depending on the isolation policy. |
.username | String | null | Database username. |
.password | String | null | Database password. |
.driver-class-name | String | null | JDBC driver class name. When empty, derived from the URL automatically. |
contexa.datasource.isolation (Isolation) | |||
.allow-shared-application-datasource | boolean | false | Allows reusing the host application's datasource. Default is isolation (separate connection pool). |
.shared-application-datasource-risk-accepted | boolean | false | Operator's explicit acknowledgment of the risk of using a shared datasource. |
.contexa-owned-application | boolean | false | Indicates that the application itself is operated by Contexa (bypasses isolation validation). |
Full Configuration Example
A production-ready application.yml combining all infrastructure properties for a distributed deployment with Redis, Kafka, and an external OpenTelemetry collector.
# Infrastructure configuration for Contexa distributed deployment
contexa:
enabled: true
infrastructure:
mode: DISTRIBUTED
redis:
enabled: true
kafka:
enabled: true
observability:
enabled: true
open-telemetry-enabled: true
# Multi-tier caching
cache:
type: HYBRID
local:
max-size: 5000
default-ttl-seconds: 120
redis:
default-ttl-seconds: 600
key-prefix: "contexa:cache:"
pubsub:
enabled: true
channel: "contexa:cache:invalidation"
domains:
users:
local-ttl-seconds: 1800
redis-ttl-seconds: 3600
roles:
local-ttl-seconds: 7200
redis-ttl-seconds: 14400
permissions:
local-ttl-seconds: 14400
redis-ttl-seconds: 28800
groups:
local-ttl-seconds: 7200
redis-ttl-seconds: 14400
policies:
local-ttl-seconds: 15
redis-ttl-seconds: 120
soar:
local-ttl-seconds: 900
redis-ttl-seconds: 900
hcad:
local-ttl-seconds: 86400
redis-ttl-seconds: 86400
# OpenTelemetry
opentelemetry:
enabled: true
service-name: "contexa-production"
exporter-endpoint: "http://otel-collector.monitoring:4317"
sampling-probability: 0.1
# Security Infrastructure
security:
kafka:
topic:
dlq: "security-events-dlq"
redis:
ttl:
minutes: 60
memory:
max-mb: 1024
plane:
agent:
organization-id: "default-org"
execution-mode: "ASYNC"
llm-executor:
core-pool-size: 2
max-pool-size: 2
deduplication:
enabled: true
window-minutes: 5
cache-size: 10000