Package io.helidon.security

Interface SecurityContext

public interface SecurityContext

Security context to retrieve security information about current user, either injected or obtained from Security.contextBuilder(String) and to handle programmatic security.

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static class	SecurityContext.Builder	Fluent API builder for SecurityContext.

Field Summary

Fields

Modifier and Type	Field	Description
static Subject	ANONYMOUS	Anonymous subject.
static Principal	ANONYMOUS_PRINCIPAL	Anonymous user principal.

Method Summary

Modifier and Type	Method	Description
SecurityClientBuilder<AuthenticationResponse>	atnClientBuilder()	Authenticator client builder to use for programmatic authentication.
boolean	atzChecked()	Return true if either of authorization methods (authorize(Object...) or atzClientBuilder() was called).
SecurityClientBuilder<AuthorizationResponse>	atzClientBuilder()	Authorization client builder to use for programmatic authorization.
void	audit(AuditEvent event)	Audit a security event.
AuthenticationResponse	authenticate()	Authenticate current request (based on current SecurityEnvironment and EndpointConfig.
AuthorizationResponse	authorize(java.lang.Object... resource)	Authorize access to a resource (or more resources) based on current environment and endpoint configuration.
EndpointConfig	getEndpointConfig()	Current endpoint configuration.
SecurityEnvironment	getEnv()	Current SecurityEnvironment.
java.util.concurrent.ExecutorService	getExecutorService()	Executor service of the security module.
java.lang.String	getId()	Id of this context instance.
SecurityTime	getServerTime()	Get time instance, that can be used to obtain current time consistent with the security framework.
java.util.Optional<Subject>	getService()	Returns subject of current context (caller) service or client identity.
default java.lang.String	getServiceName()	A helper method to get service name if authenticated.
default java.util.Optional<Principal>	getServicePrincipal()	Returns service principal if service is authenticated.
io.opentracing.Tracer	getTracer()	Provides the tracer to create new spans.
io.opentracing.SpanContext	getTracingSpan()	Provides the span for tracing.
java.util.Optional<Subject>	getUser()	Returns subject of current context (caller) user.
default java.lang.String	getUserName()	A helper method to get user name if authenticated.
default java.util.Optional<Principal>	getUserPrincipal()	Returns user principal if user is authenticated.
boolean	isAuthenticated()	Return true if the user is authenticated.
boolean	isUserInRole(java.lang.String role)	Check if user is in specified role if supported by global authorization provider.
boolean	isUserInRole(java.lang.String role, java.lang.String authorizerName)	Check if user is in specified role if supported by global or specific authorization provider.
void	logout()	Logout user, clear current security context.
OutboundSecurityClientBuilder	outboundClientBuilder()	Outbound security client builder for programmatic outbound security used for identity propagation, identity mapping, encryption of outbound calls etc.
void	runAs(Subject subject, java.lang.Runnable runnable)	Executes provided code under provided subject.
void	runAs(java.lang.String role, java.lang.Runnable runnable)	Execute provided code as current user with an additional explicit role added.
SecurityRequestBuilder	securityRequestBuilder()	A builder to build a SecurityRequest.
SecurityRequestBuilder	securityRequestBuilder(SecurityEnvironment environment)	A builder to build a SecurityRequest with a specific environment.
default void	setEndpointConfig(Builder<EndpointConfig> epBuilder)	Shortcut method to set EndpointConfig using a builder rather than built instance.
void	setEndpointConfig(EndpointConfig ec)	Set endpoint configuration to use for subsequent security requests.
default void	setEnv(Builder<SecurityEnvironment> envBuilder)	Set a new security environment to be used int this context.
void	setEnv(SecurityEnvironment env)	Set a new security environment to be used in this context.

Field Detail

ANONYMOUS_PRINCIPAL

static final Principal ANONYMOUS_PRINCIPAL

Anonymous user principal. This is the user principal used when no user is authenticated (e.g. when a service is authenticated or when fully ANONYMOUS.

ANONYMOUS

static final Subject ANONYMOUS

Anonymous subject. This is the subject you get when not authenticated and a Subject is required..

Method Detail

securityRequestBuilder

SecurityRequestBuilder securityRequestBuilder()

A builder to build a SecurityRequest.

Returns:

security request builder

securityRequestBuilder

SecurityRequestBuilder securityRequestBuilder(SecurityEnvironment environment)

A builder to build a SecurityRequest with a specific environment.

Parameters:

environment - environment to use for this request

Returns:

security request builder

atnClientBuilder

SecurityClientBuilder<AuthenticationResponse> atnClientBuilder()

Authenticator client builder to use for programmatic authentication.

Returns:

a builder for SecurityClient instance providing AuthenticationResponse

authenticate

AuthenticationResponse authenticate()

Authenticate current request (based on current SecurityEnvironment and EndpointConfig.

Returns:

response of authentication operation

atzClientBuilder

SecurityClientBuilder<AuthorizationResponse> atzClientBuilder()

Authorization client builder to use for programmatic authorization. Will use existing environment.

Returns:

a builder for SecurityClient instance providing AuthorizationResponse

outboundClientBuilder

OutboundSecurityClientBuilder outboundClientBuilder()

Outbound security client builder for programmatic outbound security used for identity propagation, identity mapping, encryption of outbound calls etc.

Returns:

a builder for SecurityClient instance providing OutboundSecurityResponse

authorize

AuthorizationResponse authorize(java.lang.Object... resource)

Authorize access to a resource (or more resources) based on current environment and endpoint configuration.

Parameters:

resource - resources to authorize access to (may be empty)

Returns:

response of authorization

isAuthenticated

boolean isAuthenticated()

Return true if the user is authenticated. This only cares about USER! not about service. To check if service is authenticated, use getService() and check the resulting optional.

Returns:

true for authenticated user, false otherwise (e.g. no subject or ANONYMOUS)

logout

void logout()

Logout user, clear current security context.

isUserInRole

boolean isUserInRole(java.lang.String role,
                     java.lang.String authorizerName)

Check if user is in specified role if supported by global or specific authorization provider.

Parameters:

role - Role to check

authorizerName - explicit authorization provider class name to use (or config property pointing to class name)

Returns:

true if current user is in specified role and current authorization provider supports roles, false otherwise

getExecutorService

java.util.concurrent.ExecutorService getExecutorService()

Executor service of the security module.

Returns:

executor service to use to execute asynchronous tasks related to security

isUserInRole

boolean isUserInRole(java.lang.String role)

Check if user is in specified role if supported by global authorization provider. This method expects global authorization provider is in use. If you explicitly use a custom provider, use isUserInRole(String, String) instead.

Parameters:

role - Role to check

Returns:

true if current user is in specified role and current authorization provider supports roles, false otherwise

audit

void audit(AuditEvent event)

Audit a security event. This allows custom auditing events from applications. Note that main security events are already audited (e.g. authentication, authorization, identity propagation and various runAs events).

Parameters:

event - AuditEvent to store

getService

java.util.Optional<Subject> getService()

Returns subject of current context (caller) service or client identity.

Returns:

current context service (client) subject. If there is no service/client, returns empty.

getServicePrincipal

default java.util.Optional<Principal> getServicePrincipal()

Returns service principal if service is authenticated.

Returns:

current context service principal, or empty if none authenticated

getServiceName

default java.lang.String getServiceName()

A helper method to get service name if authenticated.

Returns:

name of currently authenticated service or null.

getUser

java.util.Optional<Subject> getUser()

Returns subject of current context (caller) user.

Returns:

current context user subject. If there is no authenticated user, returns empty.

getUserPrincipal

default java.util.Optional<Principal> getUserPrincipal()

Returns user principal if user is authenticated.

Returns:

current context user principal, or empty if none authenticated

getUserName

default java.lang.String getUserName()

A helper method to get user name if authenticated.

Returns:

name of currently authenticated user or null.

runAs

void runAs(Subject subject,
           java.lang.Runnable runnable)

Executes provided code under provided subject.

Parameters:

subject - to use for execution. Use ANONYMOUS for anon.

runnable - to execute.

runAs

void runAs(java.lang.String role,
           java.lang.Runnable runnable)

Execute provided code as current user with an additional explicit role added.

Parameters:

role - name of role

runnable - to execute

getTracingSpan

io.opentracing.SpanContext getTracingSpan()

Provides the span for tracing. This is the span of current context (e.g. parent to security).

Returns:

Open tracing Span context of current security context

getTracer

io.opentracing.Tracer getTracer()

Provides the tracer to create new spans. If you use this, we can control whether tracing is enabled or disabled as part of security. If you use GlobalTracer.get() you will get around this.

Returns:

Tracer to build custom Spans. Use in combination with getTracingSpan() to create a nice tree of spans

getId

java.lang.String getId()

Id of this context instance. Created as security instance id : context id (depends on container integration or id provided by developer).

Returns:

id uniquely identifying this context

getServerTime

SecurityTime getServerTime()

Get time instance, that can be used to obtain current time consistent with the security framework. This time may be shifted against real time, may have a different time zone, explicit values (for testing). To obtain the decisive time for current request, please use SecurityEnvironment.

Returns:

time instance to obtain current time

See Also:

SecurityTime.get()

getEnv

SecurityEnvironment getEnv()

Current SecurityEnvironment. For web, this probably won't change, as the environment is valid for whole request. For other frameworks or standalone applications, this may change over time.

Returns:

environment of current security context (e.g. to use for ABAC)

setEnv

default void setEnv(Builder<SecurityEnvironment> envBuilder)

Set a new security environment to be used int this context.

Parameters:

envBuilder - builder to build environment from

See Also:

SecurityEnvironment.derive(), SecurityEnvironment.builder(SecurityTime)

setEnv

void setEnv(SecurityEnvironment env)

Set a new security environment to be used in this context.

Parameters:

env - environment to use for further security operations

See Also:

SecurityEnvironment.derive()

getEndpointConfig

EndpointConfig getEndpointConfig()

Current endpoint configuration.

Returns:

configuration specific to current endpoint (annotations, config, custom object, attributes)

setEndpointConfig

void setEndpointConfig(EndpointConfig ec)

Set endpoint configuration to use for subsequent security requests.

Parameters:

ec - configuration specific to current endpoint (annotations, config, custom object, attributes)

setEndpointConfig

default void setEndpointConfig(Builder<EndpointConfig> epBuilder)

Shortcut method to set EndpointConfig using a builder rather than built instance. Shortcut to setEndpointConfig(EndpointConfig)

Parameters:

epBuilder - builder of an endpoint configuration

atzChecked

boolean atzChecked()

Return true if either of authorization methods (authorize(Object...) or atzClientBuilder() was called). This is a safe-guard for attribute based authorization that is using annotations and requires object to be passed for evaluation.

Returns:

true if authorization was checked, false otherwise