WebSecurity (Helidon 0.10.5 API)

java.lang.Object
- io.helidon.security.webserver.WebSecurity

All Implemented Interfaces:

Service
```
public final class WebSecurity
extends java.lang.Object
implements Service
```
Integration of security into Web Server.
Methods that start with "from" are to register WebSecurity with WebServer - to create SecurityContext for requests:
Example:
```
 // Web server routing builder - this is our integration point
 Routing routing = Routing.builder()
 // register the WebSecurity to create context (shared by all routes)
 .register(WebSecurity.from(security))
 
```
Other methods are to create security enforcement points (gates) for routes (e.g. you are expected to use them for a get, post etc. routes on specific path). These methods are starting points that provide an instance of SecurityHandler that has finer grained methods to control the gate behavior.
Note that if any gate is configured, auditing will be enabled by default except for GET and HEAD methods - if you want to audit any method, invoke audit() to create a gate that will always audit the route. If you want to create a gate and not audit it, use SecurityHandler.skipAudit() on the returned instance.
- secure() - authentication and authorization
- rolesAllowed(String...) - role based access control (implies authentication and authorization)
- authenticate() - authentication only
- authorize() - authorization only
- allowAnonymous() - authentication optional
- audit() - audit all requests (including GET and HEAD)
- authenticator(String) - use explicit authenticator (named - as configured in config or through builder)
- authorizer(String) - use explicit authorizer (named - as configured in config or through builder)
- enforce() - use defaults (e.g. no authentication, authorization, audit calls except for GET and HEAD); this also give access to more fine-grained methods of SecurityHandler
Example:
```
 // continue from example above...
 // create a gate for method GET: authenticate all paths under /user and require role "user" for authorization
 .get("/user[/{*}]", WebSecurity.rolesAllowed("user"))
 
```

Field Summary

Fields
Modifier and Type Field and Description

static java.lang.String CONTEXT_ADD_HEADERS
Security can accept additional headers to be added to security request.

Fields
Modifier and Type	Field and Description
`static java.lang.String`	`CONTEXT_ADD_HEADERS` Security can accept additional headers to be added to security request.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`static SecurityHandler`	`allowAnonymous()` If called, authentication failure will not abort request and will continue as anonymous (defaults to false).
`static SecurityHandler`	`audit()` Whether to audit this request - defaults to false for GET and HEAD methods, true otherwise.
`static SecurityHandler`	`authenticate()` If called, request will go through authentication process - defaults to false (even if authorize is true).
`static SecurityHandler`	`authenticator(java.lang.String explicitAuthenticator)` Use a named authenticator (as supported by security - if not defined, default authenticator is used).
`static SecurityHandler`	`authorize()` Enable authorization for this route.
`static SecurityHandler`	`authorizer(java.lang.String explicitAuthorizer)` Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).
`static SecurityHandler`	`enforce()` Return a default instance to create a default enforcement point (or modify the result further).
`static WebSecurity`	`from(Config config)` Create a consumer of routing config to be `registered` with web server routing to process security requests.
`static WebSecurity`	`from(Security security)` Create a consumer of routing config to be `registered` with web server routing to process security requests.
`static WebSecurity`	`from(Security security, Config config)` Create a consumer of routing config to be `registered` with web server routing to process security requests.
`static SecurityHandler`	`rolesAllowed(java.lang.String... roles)` An array of allowed roles for this path - must have a security provider supporting roles.
`static SecurityHandler`	`secure()` Secure access using authentication and authorization.
`WebSecurity`	`securityDefaults(SecurityHandler defaultHandler)` Create a new web security instance using the default handler as base defaults for all handlers used.
`void`	`update(Routing.Rules routing)` Updates `Routing.Rules` with `handlers` representing this service.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - CONTEXT_ADD_HEADERS
```
public static final java.lang.String CONTEXT_ADD_HEADERS
```
    Security can accept additional headers to be added to security request. This will be used to obtain multivalue string map (a map of string to list of strings) from context (appropriate to the integration).
    
    See Also:
    
    Constant Field Values
- Method Detail
  - from
```
public static WebSecurity from(Security security)
```
    Create a consumer of routing config to be registered with web server routing to process security requests. This method is to be used together with other routing methods to protect web resources programmatically. Example:
```
 .get("/user[/{*}]", WebSecurity.authenticate()
 .rolesAllowed("user"))
 
```
    Parameters:
    
    security - initialized security
    
    Returns:
    
    routing config consumer
  - from
```
public static WebSecurity from(Config config)
```
    Create a consumer of routing config to be registered with web server routing to process security requests. This method configures security and web server integration from a config instance
    
    Parameters:
    
    config - Config instance to load security and web server integration from configuration
    
    Returns:
    
    routing config consumer
  - from
```
public static WebSecurity from(Security security,
                               Config config)
```
    Create a consumer of routing config to be registered with web server routing to process security requests. This method expects initialized security and creates web server integration from a config instance
    
    Parameters:
    
    security - Security instance to use
    
    config - Config instance to load security and web server integration from configuration
    
    Returns:
    
    routing config consumer
  - secure
```
public static SecurityHandler secure()
```
    Secure access using authentication and authorization. Auditing is enabled by default for methods modifying content. When using RBAC (role based access control), just use rolesAllowed(String...). If you use a security provider, that requires additional data, use SecurityHandler.customObject(Object).
    Behavior:
    - Authentication: enabled and required
    - Authorization: enabled if provider configured
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Returns:
    
    SecurityHandler instance configured with authentication and authorization
  - authenticate
```
public static SecurityHandler authenticate()
```
    If called, request will go through authentication process - defaults to false (even if authorize is true).
    Behavior:
    - Authentication: enabled and required
    - Authorization: not modified (default: disabled)
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Returns:
    
    SecurityHandler instance
  - audit
```
public static SecurityHandler audit()
```
    Whether to audit this request - defaults to false for GET and HEAD methods, true otherwise. Request is audited with event type "request".
    Behavior:
    - Authentication: not modified (default: disabled)
    - Authorization: not modified (default: disabled)
    - Audit: enabled for any method this gate is registered on
    Returns:
    
    SecurityHandler instance
  - authenticator
```
public static SecurityHandler authenticator(java.lang.String explicitAuthenticator)
```
    Use a named authenticator (as supported by security - if not defined, default authenticator is used).
    Behavior:
    - Authentication: enabled and required
    - Authorization: not modified (default: disabled)
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Parameters:
    
    explicitAuthenticator - name of authenticator as configured in Security
    
    Returns:
    
    SecurityHandler instance
  - authorizer
```
public static SecurityHandler authorizer(java.lang.String explicitAuthorizer)
```
    Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).
    Behavior:
    - Authentication: enabled and required
    - Authorization: enabled with explicit provider
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Parameters:
    
    explicitAuthorizer - name of authorizer as configured in Security
    
    Returns:
    
    SecurityHandler instance
  - rolesAllowed
```
public static SecurityHandler rolesAllowed(java.lang.String... roles)
```
    An array of allowed roles for this path - must have a security provider supporting roles.
    Behavior:
    - Authentication: enabled and required
    - Authorization: enabled
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Parameters:
    
    roles - if subject is any of these roles, allow access
    
    Returns:
    
    SecurityHandler instance
  - allowAnonymous
```
public static SecurityHandler allowAnonymous()
```
    If called, authentication failure will not abort request and will continue as anonymous (defaults to false).
    Behavior:
    - Authentication: enabled and optional
    - Authorization: not modified (default: disabled)
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Returns:
    
    SecurityHandler instance
  - authorize
```
public static SecurityHandler authorize()
```
    Enable authorization for this route.
    Behavior:
    - Authentication: enabled and required
    - Authorization: enabled if provider is present
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Returns:
    
    SecurityHandler instance
  - enforce
```
public static SecurityHandler enforce()
```
    Return a default instance to create a default enforcement point (or modify the result further).
    Behavior:
    - Authentication: not modified (default: disabled)
    - Authorization: not modified (default: disabled)
    - Audit: not modified (default: enabled except for GET and HEAD methods)
    Returns:
    
    SecurityHandler instance
  - securityDefaults
```
public WebSecurity securityDefaults(SecurityHandler defaultHandler)
```
    Create a new web security instance using the default handler as base defaults for all handlers used. If handlers are loaded from config, than this is the least significant value.
    
    Parameters:
    
    defaultHandler - if a security handler is configured for a route, it will take its defaults from this handler
    
    Returns:
    
    new instance of web security with the handler default
  - update
```
public void update(Routing.Rules routing)
```
    Description copied from interface: Service
    
    Updates Routing.Rules with handlers representing this service.
    
    Specified by:
    
    update in interface Service
    
    Parameters:
    
    routing - a routing rules to update

Class WebSecurity

Field Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

CONTEXT_ADD_HEADERS

Method Detail

from

from

from

secure

authenticate

audit

authenticator

authorizer

rolesAllowed

allowAnonymous

authorize

enforce

securityDefaults

update