Package io.helidon.security.integration.webserver

Class SecurityHandler

java.lang.Object

io.helidon.security.integration.webserver.SecurityHandler

All Implemented Interfaces:

Handler, BiConsumer<ServerRequest,ServerResponse>

public final class SecurityHandler
extends Object
implements Handler

Handles security for web server. This handler is registered either by hand on router config, or automatically from configuration when integration done through WebSecurity.create(Config) or WebSecurity.create(Security, Config).

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SecurityHandler.QueryParamHandler Handler of query parameters - extracts them and stores them in a security header, so security can access them.

Nested classes/interfaces inherited from interface io.helidon.webserver.Handler

Handler.EntityHandler<T>

Method Summary

Modifier and Type	Method and Description
void	accept(ServerRequest req, ServerResponse res) Handles request and response usually called from the Routing.
SecurityHandler	audit() Audit this request for any method.
SecurityHandler	auditEventType(String eventType) Override for event-type, defaults to .
SecurityHandler	auditMessageFormat(String messageFormat) Override for audit message format, defaults to .
SecurityHandler	authenticate() If called, request will go through authentication process - (authentication is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
SecurityHandler	authenticationOptional() If called, authentication failure will not abort request and will continue as anonymous (authentication is not optional by default).
SecurityHandler	authenticator(String explicitAuthenticator) Use a named authenticator (as supported by security - if not defined, default authenticator is used).
SecurityHandler	authorize() If called, request will go through authorization process - (authorization is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
SecurityHandler	authorizer(String explicitAuthorizer) Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).
SecurityHandler	customObject(Object object) Register a custom object for security request(s).
SecurityHandler	queryParam(String queryParamName, TokenHandler headerHandler) Add a query parameter extraction configuration.
List<SecurityHandler.QueryParamHandler>	queryParamHandlers() List of query parameter handlers.
SecurityHandler	rolesAllowed(String... roles) An array of allowed roles for this path - must have a security provider supporting roles (either authentication or authorization provider).
SecurityHandler	skipAudit() Disable auditing of this request.
SecurityHandler	skipAuthentication() If called, request will NOT go through authentication process.
SecurityHandler	skipAuthorization() Skip authorization for this route.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.helidon.webserver.Handler

create, create

Methods inherited from interface java.util.function.BiConsumer

andThen

Method Detail

accept

public void accept(ServerRequest req,
                   ServerResponse res)

Description copied from interface: Handler

Handles request and response usually called from the Routing.

Specified by:

accept in interface Handler

Specified by:

accept in interface BiConsumer<ServerRequest,ServerResponse>

Parameters:

req - an HTTP server request.

res - an HTTP server response.

queryParamHandlers

public List<SecurityHandler.QueryParamHandler> queryParamHandlers()

List of query parameter handlers.

Returns:

list of handlers

authenticator

public SecurityHandler authenticator(String explicitAuthenticator)

Use a named authenticator (as supported by security - if not defined, default authenticator is used). Will enable authentication.

Parameters:

explicitAuthenticator - name of authenticator as configured in Security

Returns:

new handler instance with configuration of this instance updated with this method

authorizer

public SecurityHandler authorizer(String explicitAuthorizer)

Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted). Will enable authorization.

Parameters:

explicitAuthorizer - name of authorizer as configured in Security

Returns:

new handler instance with configuration of this instance updated with this method

rolesAllowed

public SecurityHandler rolesAllowed(String... roles)

An array of allowed roles for this path - must have a security provider supporting roles (either authentication or authorization provider). This method enables authentication and authorization (you can disable them again by calling skipAuthorization() and skipAuthentication() if needed).

Parameters:

roles - if subject is any of these roles, allow access

Returns:

new handler instance with configuration of this instance updated with this method

authenticationOptional

public SecurityHandler authenticationOptional()

If called, authentication failure will not abort request and will continue as anonymous (authentication is not optional by default). Will enable authentication.

Returns:

new handler instance with configuration of this instance updated with this method

authenticate

public SecurityHandler authenticate()

If called, request will go through authentication process - (authentication is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).

Returns:

new handler instance with configuration of this instance updated with this method

skipAuthentication

public SecurityHandler skipAuthentication()

If called, request will NOT go through authentication process. Use this when another method implies authentication (such as rolesAllowed(String...)) and yet it is not desired (e.g. everything is handled by authorization).

Returns:

new handler instance with configuration of this instance updated with this method

customObject

public SecurityHandler customObject(Object object)

Register a custom object for security request(s). This creates a hard dependency on a specific security provider, so use with care.

Parameters:

object - An object expected by security provider

Returns:

new handler instance with configuration of this instance updated with this method

auditEventType

public SecurityHandler auditEventType(String eventType)

Override for event-type, defaults to .

Parameters:

eventType - audit event type to use

Returns:

new handler instance with configuration of this instance updated with this method

auditMessageFormat

public SecurityHandler auditMessageFormat(String messageFormat)

Override for audit message format, defaults to .

Parameters:

messageFormat - audit message format to use

Returns:

new handler instance with configuration of this instance updated with this method

authorize

public SecurityHandler authorize()

If called, request will go through authorization process - (authorization is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).

Returns:

new handler instance with configuration of this instance updated with this method

skipAuthorization

public SecurityHandler skipAuthorization()

Skip authorization for this route. Use this when authorization is implied by another method on this class (e.g. rolesAllowed(String...) and you want to explicitly forbid it.

Returns:

new handler instance with configuration of this instance updated with this method

audit

public SecurityHandler audit()

Audit this request for any method. Request is audited with event type DEFAULT_AUDIT_EVENT_TYPE.

By default audit is enabled as follows (based on HTTP methods):

• GET, HEAD - not audited
• PUT, POST, DELETE - audited
• any other method (e.g. custom methods) - audited

Calling this method will override the default setting and audit any method this handler is registered for.

Returns:

new handler instance with configuration of this instance updated with this method

skipAudit

public SecurityHandler skipAudit()

Disable auditing of this request. Will override defaults and disable auditing for all methods this handler is registered for.

By default audit is enabled as follows (based on HTTP methods):

• GET, HEAD - not audited
• PUT, POST, DELETE - audited
• any other method (e.g. custom methods) - audited

Returns:

new handler instance with configuration of this instance updated with this method

queryParam

public SecurityHandler queryParam(String queryParamName,
                                  TokenHandler headerHandler)

Add a query parameter extraction configuration.

Parameters:

queryParamName - name of a query parameter to extract

headerHandler - handler to extract it and store it in a header field

Returns:

new handler instance