AI Security Activation & Bootstrapping
Describes the inner workings of how @EnableAISecurity, SecurityMode, and AiSecurityImportSelector dynamically load and bootstrap the Contexa AI-Native Zero Trust infrastructure in legacy Spring Boot applications.
The @EnableAISecurity Annotation
@EnableAISecurity is the core annotation designed for seamless integration with legacy systems. Placing this annotation on a Spring Boot main configuration class (typically annotated with @SpringBootApplication) activates the entire Contexa AI security infrastructure.
Example Usage
@SpringBootApplication
@EnableAISecurity(
mode = SecurityMode.SANDBOX,
authObjectLocation = AuthObjectLocation.AUTO
)
public class LegacyApplication {
public static void main(String[] args) {
SpringApplication.run(LegacyApplication.class, args);
}
}
Annotation Attribute Reference
| Attribute | Type | Default Value | Description |
|---|---|---|---|
mode |
SecurityMode |
SecurityMode.SANDBOX |
Determines the operational enforcement mode of the AI security framework. |
authObjectLocation |
AuthObjectLocation |
AuthObjectLocation.AUTO |
Provides a hint for extracting legacy authenticated objects. |
authObjectAttribute |
String |
"" |
The session or request attribute key used for authentication handoff. |
authObjectType |
Class<?> |
Object.class |
Type hint for reflective extraction of the legacy authentication object. |
SecurityMode Operation
To support incremental migration and safe canary deployments, Contexa supports two distinct enforcement modes:
SANDBOX(Sandbox Mode): The default mode for legacy integration. Rather than directly enforcing actions like block redirection or MFA challenges on client requests, it logs decisions to audit records. Internally,AiSecurityConfigurationbinds the filter chain withanyRequest().permitAll()for all general client paths (excluding the/contexa/admin/**admin console path), running background threat detection safely without impacting the host application's existing authentication or authorization logic.FULL(Full Protection Mode): Activates active Zero Trust enforcement.AiSecurityConfigurationenforcesanyRequest().access(customDynamicAuthorizationManager)for all incoming requests. Any detected anomaly or security violation immediately triggers real-time response actions, such as immediate redirection to blocked status pages or enforcing strong MFA verification step-ups (Step-up MFA) at runtime.
AiSecurityImportSelector and Dynamic Wiring
Contexa uses AiSecurityImportSelector to bootstrap its configuration dynamically without requiring compile-time classpath coupling.
When the Spring application starts, the container parses the @Import(AiSecurityImportSelector.class) metadata on @EnableAISecurity. The selector performs the following steps:
- Reads annotation attributes (such as
mode,authObjectLocation) from the target configuration class. - Maps and binds these values to **System Properties** as shown in the table below, distributing them across the runtime context.
- Returns the class name of the target configuration in
contexa-autoconfigure:io.contexa.autoconfigure.ai.AiSecurityConfiguration, triggering dynamic bean provisioning.
System Properties Bindings
| System Property Key | Source Attribute | Description |
|---|---|---|
contexa.ai.security.mode |
mode |
Controls the overall enforcement level of the AI security framework. |
contexa.ai.security.auth-object.location |
authObjectLocation |
Hint identifying where to retrieve the legacy authentication artifact. |
contexa.ai.security.auth-object.attribute |
authObjectAttribute |
Name of the specific attribute key used in the handoff. |
contexa.ai.security.auth-object.type |
authObjectType |
Fully qualified class name of the target extraction type. |
Authenticated Object Locations (AuthObjectLocation)
The AuthObjectLocation enum tells the framework where to extract legacy session/user contexts from:
AUTO: The default setting. The framework sequentially scans the activeHttpSessionstore →HttpServletRequestattributes → HTTP headers to locate and extract legacy authentication objects.SESSION: Retrieves authentication details from the activeHttpSessionvia the designated attribute key.REQUEST_ATTRIBUTE: Retrieves details directly from theHttpServletRequestattributes.HEADER: Extracts values from specific incoming HTTP headers.