Module io.helidon.webserver.security
Package io.helidon.webserver.security

Class SecurityFeature

java.lang.Object
io.helidon.webserver.security.SecurityFeature
All Implemented Interfaces:
RuntimeType.Api<io.helidon.webserver.security.SecurityFeatureConfig>, NamedService, ServerFeature
public class SecurityFeature extends Object implements ServerFeature, RuntimeType.Api<io.helidon.webserver.security.SecurityFeatureConfig>
Server feature for security, to be registered with WebServerConfig.BuilderBase.addFeature(io.helidon.webserver.spi.ServerFeature).

This feature adds a filter to register SecurityContext in request Context, and registers HttpRouting.Builder.security(io.helidon.webserver.http.HttpSecurity). If configured, it also adds protection points to endpoints.

  • Method Details

    • builder

      public static io.helidon.webserver.security.SecurityFeatureConfig.Builder builder()
      Fluent API builder to set up an instance.
      Returns:
      a new builder

    • create

      public static SecurityFeature create(io.helidon.webserver.security.SecurityFeatureConfig config)
      Create a new instance from its configuration.
      Parameters:
      config - configuration
      Returns:
      a new feature

    • create

      public static SecurityFeature create(Consumer<io.helidon.webserver.security.SecurityFeatureConfig.Builder> builderConsumer)
      Create a new instance customizing its configuration.
      Parameters:
      builderConsumer - consumer of configuration
      Returns:
      a new feature

    • secure

      public static SecurityHandler secure()
      Secure access using authentication and authorization. Auditing is enabled by default for methods modifying content. When using RBAC (role based access control), just use rolesAllowed(String...). If you use a security provider, that requires additional data, use SecurityHandler.customObject(Object).

      Behavior:

      • Authentication: enabled and required
      • Authorization: enabled if provider configured
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Returns:
      SecurityHandler instance configured with authentication and authorization

    • authenticate

      public static SecurityHandler authenticate()
      If called, request will go through authentication process - defaults to false (even if authorize is true).

      Behavior:

      • Authentication: enabled and required
      • Authorization: not modified (default: disabled)
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Returns:
      SecurityHandler instance

    • audit

      public static SecurityHandler audit()
      Whether to audit this request - defaults to false for GET and HEAD methods, true otherwise. Request is audited with event type "request".

      Behavior:

      • Authentication: not modified (default: disabled)
      • Authorization: not modified (default: disabled)
      • Audit: enabled for any method this gate is registered on
      Returns:
      SecurityHandler instance

    • authenticator

      public static SecurityHandler authenticator(String explicitAuthenticator)
      Use a named authenticator (as supported by security - if not defined, default authenticator is used).

      Behavior:

      • Authentication: enabled and required
      • Authorization: not modified (default: disabled)
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      This type replaces for most use cases the SecurityHttpFeature (intentionally has the same class name, so the use cases are re-visited).

      This type is discovered automatically by WebServer. To configure it, use the server.features.security configuration node (for mapping of protected paths). Configuration of security itself is still under root node security.

      Parameters:
      explicitAuthenticator - name of authenticator as configured in Security
      Returns:
      SecurityHandler instance
      See Also:

    • authorizer

      public static SecurityHandler authorizer(String explicitAuthorizer)
      Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted).

      Behavior:

      • Authentication: enabled and required
      • Authorization: enabled with explicit provider
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Parameters:
      explicitAuthorizer - name of authorizer as configured in Security
      Returns:
      SecurityHandler instance

    • rolesAllowed

      public static SecurityHandler rolesAllowed(String... roles)
      An array of allowed roles for this path - must have a security provider supporting roles.

      Behavior:

      • Authentication: enabled and required
      • Authorization: enabled
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Parameters:
      roles - if subject is any of these roles, allow access
      Returns:
      SecurityHandler instance

    • allowAnonymous

      public static SecurityHandler allowAnonymous()
      If called, authentication failure will not abort request and will continue as anonymous (defaults to false).

      Behavior:

      • Authentication: enabled and optional
      • Authorization: not modified (default: disabled)
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Returns:
      SecurityHandler instance

    • authorize

      public static SecurityHandler authorize()
      Enable authorization for this route.

      Behavior:

      • Authentication: enabled and required
      • Authorization: enabled if provider is present
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Returns:
      SecurityHandler instance

    • enforce

      public static SecurityHandler enforce()
      Return a default instance to create a default enforcement point (or modify the result further).

      Behavior:

      • Authentication: not modified (default: disabled)
      • Authorization: not modified (default: disabled)
      • Audit: not modified (default: enabled except for GET and HEAD methods)
      Returns:
      SecurityHandler instance

    • prototype

      public io.helidon.webserver.security.SecurityFeatureConfig prototype()
      Description copied from interface: RuntimeType.Api
      The prototype as it was received when creating this runtime object instance.
      Specified by:
      prototype in interface RuntimeType.Api<io.helidon.webserver.security.SecurityFeatureConfig>
      Returns:
      prototype object used to create this instance

    • name

      public String name()
      Description copied from interface: NamedService
      Name of this implementation, as provided in ConfiguredProvider.create(Config, String).
      Specified by:
      name in interface NamedService
      Returns:
      name of this service

    • type

      public String type()
      Description copied from interface: NamedService
      Type of this implementation, to distinguish instances of same type, with different NamedService.name(). Use for example ConfiguredProvider.configKey() to define the type.
      Specified by:
      type in interface NamedService
      Returns:
      type of this service

    • setup

      public void setup(ServerFeature.ServerFeatureContext featureContext)
      Description copied from interface: ServerFeature
      Set up a server feature. Server features can modify server configuration, right before the server is created. To access listener configuration, or routing, a list of all listeners is provided.
      Specified by:
      setup in interface ServerFeature
      Parameters:
      featureContext - to access builders of webserver, listeners, and routing