Module io.helidon.webserver.security

Package io.helidon.webserver.security

Class SecurityFeature

java.lang.Object

io.helidon.webserver.security.SecurityFeature

All Implemented Interfaces:

io.helidon.builder.api.RuntimeType.Api<SecurityFeatureConfig>, io.helidon.common.config.NamedService, ServerFeature

public class SecurityFeature
extends Object
implements ServerFeature, io.helidon.builder.api.RuntimeType.Api<SecurityFeatureConfig>

Server feature for security, to be registered with WebServerConfig.BuilderBase.addFeature(io.helidon.webserver.spi.ServerFeature).

This feature adds a filter to register SecurityContext in request Context, and registers HttpRouting.Builder.security(io.helidon.webserver.http.HttpSecurity). If configured, it also adds protection points to endpoints.

Nested Class Summary

Nested classes/interfaces inherited from interface io.helidon.webserver.spi.ServerFeature

ServerFeature.RoutingBuilders, ServerFeature.ServerFeatureContext, ServerFeature.SocketBuilders

Method Summary

Modifier and Type	Method	Description
static SecurityHandler	allowAnonymous()	If called, authentication failure will not abort request and will continue as anonymous (defaults to false).
static SecurityHandler	audit()	Whether to audit this request - defaults to false for GET and HEAD methods, true otherwise.
static SecurityHandler	authenticate()	If called, request will go through authentication process - defaults to false (even if authorize is true).
static SecurityHandler	authenticator(String explicitAuthenticator)	Use a named authenticator (as supported by security - if not defined, default authenticator is used).
static SecurityHandler	authorize()	Enable authorization for this route.
static SecurityHandler	authorizer(String explicitAuthorizer)	Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).
static SecurityFeatureConfig.Builder	builder()	Fluent API builder to set up an instance.
static SecurityFeature	create(SecurityFeatureConfig config)	Create a new instance from its configuration.
static SecurityFeature	create(Consumer<SecurityFeatureConfig.Builder> builderConsumer)	Create a new instance customizing its configuration.
static SecurityHandler	enforce()	Return a default instance to create a default enforcement point (or modify the result further).
String	name()
SecurityFeatureConfig	prototype()
static SecurityHandler	rolesAllowed(String... roles)	An array of allowed roles for this path - must have a security provider supporting roles.
static SecurityHandler	secure()	Secure access using authentication and authorization.
void	setup(ServerFeature.ServerFeatureContext featureContext)
String	type()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

builder

public static SecurityFeatureConfig.Builder builder()

Fluent API builder to set up an instance.

Returns:

a new builder

create

public static SecurityFeature create(SecurityFeatureConfig config)

Create a new instance from its configuration.

Parameters:

config - configuration

Returns:

a new feature

create

public static SecurityFeature create(Consumer<SecurityFeatureConfig.Builder> builderConsumer)

Create a new instance customizing its configuration.

Parameters:

builderConsumer - consumer of configuration

Returns:

a new feature

secure

public static SecurityHandler secure()

Secure access using authentication and authorization. Auditing is enabled by default for methods modifying content. When using RBAC (role based access control), just use rolesAllowed(String...). If you use a security provider, that requires additional data, use SecurityHandler.customObject(Object).

Behavior:

• Authentication: enabled and required
• Authorization: enabled if provider configured
• Audit: not modified (default: enabled except for GET and HEAD methods)

Returns:

SecurityHandler instance configured with authentication and authorization

authenticate

public static SecurityHandler authenticate()

If called, request will go through authentication process - defaults to false (even if authorize is true).

Behavior:

• Authentication: enabled and required
• Authorization: not modified (default: disabled)
• Audit: not modified (default: enabled except for GET and HEAD methods)

Returns:

SecurityHandler instance

audit

public static SecurityHandler audit()

Whether to audit this request - defaults to false for GET and HEAD methods, true otherwise. Request is audited with event type "request".

Behavior:

• Authentication: not modified (default: disabled)
• Authorization: not modified (default: disabled)
• Audit: enabled for any method this gate is registered on

Returns:

SecurityHandler instance

authenticator

public static SecurityHandler authenticator(String explicitAuthenticator)

Use a named authenticator (as supported by security - if not defined, default authenticator is used).

Behavior:

• Authentication: enabled and required
• Authorization: not modified (default: disabled)
• Audit: not modified (default: enabled except for GET and HEAD methods)

This type replaces for most use cases the SecurityHttpFeature (intentionally has the same class name, so the use cases are re-visited).

This type is discovered automatically by WebServer. To configure it, use the server.features.security configuration node (for mapping of protected paths). Configuration of security itself is still under root node security.

Parameters:

explicitAuthenticator - name of authenticator as configured in Security

Returns:

SecurityHandler instance

See Also:

• SecurityHttpFeature

authorizer

public static SecurityHandler authorizer(String explicitAuthorizer)

Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).

Behavior:

• Authentication: enabled and required
• Authorization: enabled with explicit provider
• Audit: not modified (default: enabled except for GET and HEAD methods)

Parameters:

explicitAuthorizer - name of authorizer as configured in Security

Returns:

SecurityHandler instance

rolesAllowed

public static SecurityHandler rolesAllowed(String... roles)

An array of allowed roles for this path - must have a security provider supporting roles.

Behavior:

• Authentication: enabled and required
• Authorization: enabled
• Audit: not modified (default: enabled except for GET and HEAD methods)

Parameters:

roles - if subject is any of these roles, allow access

Returns:

SecurityHandler instance

allowAnonymous

public static SecurityHandler allowAnonymous()

If called, authentication failure will not abort request and will continue as anonymous (defaults to false).

Behavior:

• Authentication: enabled and optional
• Authorization: not modified (default: disabled)
• Audit: not modified (default: enabled except for GET and HEAD methods)

Returns:

SecurityHandler instance

authorize

public static SecurityHandler authorize()

Enable authorization for this route.

Behavior:

• Authentication: enabled and required
• Authorization: enabled if provider is present
• Audit: not modified (default: enabled except for GET and HEAD methods)

Returns:

SecurityHandler instance

enforce

public static SecurityHandler enforce()

Return a default instance to create a default enforcement point (or modify the result further).

Behavior:

• Authentication: not modified (default: disabled)
• Authorization: not modified (default: disabled)
• Audit: not modified (default: enabled except for GET and HEAD methods)

Returns:

SecurityHandler instance

prototype

public SecurityFeatureConfig prototype()

Specified by:

prototype in interface io.helidon.builder.api.RuntimeType.Api<SecurityFeatureConfig>

name

public String name()

Specified by:

name in interface io.helidon.common.config.NamedService

type

public String type()

Specified by:

type in interface io.helidon.common.config.NamedService

setup

public void setup(ServerFeature.ServerFeatureContext featureContext)

Specified by:

setup in interface ServerFeature