Module io.helidon.security.abac.policy

Package io.helidon.security.abac.policy

Class PolicyValidator

java.lang.Object

io.helidon.security.abac.policy.PolicyValidator

All Implemented Interfaces:

AbacValidator<PolicyValidator.PolicyConfig>

public final class PolicyValidator
extends Object
implements AbacValidator<PolicyValidator.PolicyConfig>

Abac validator based on a PolicyValidator.PolicyStatement. The statement itself is not resolved by this validator and is delegated to another module implementing the PolicyExecutor obtained through a PolicyExecutorService java service.

Implementations provided by Helidon security:

• Java EE expression language support, artifact id: "helidon-security-abac-policy-el"

Example of a policy statement:
@PolicyStatement("${env.time.year >= 2017 && object.owner == subject.principal.id}")

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	PolicyValidator.Builder	A fluent API builder for PolicyValidator.
static final class	PolicyValidator.PolicyConfig	Configuration of policy validator - a statement and whether to inherit value from parents.
static @interface	PolicyValidator.PolicyStatement	Annotate resource classes, methods, application etc.

Method Summary

Modifier and Type	Method	Description
static PolicyValidator.Builder	builder()	Creates a fluent API builder to build new instances of this class.
Class<PolicyValidator.PolicyConfig>	configClass()	Class of the configuration type.
String	configKey()	Key of a configuration entry that maps to this validator's configuration.
static PolicyValidator	create(Config config)	Create an instance from configuration.
PolicyValidator.PolicyConfig	fromAnnotations(EndpointConfig endpointConfig)	Load configuration class instance from annotations this validator expects.
PolicyValidator.PolicyConfig	fromConfig(Config config)	Load configuration class instance from Config.
Collection<Class<? extends Annotation>>	supportedAnnotations()	Provide extension annotations supported by this validator (e.g.
void	validate(PolicyValidator.PolicyConfig config, Errors.Collector collector, ProviderRequest request)	Validate that the configuration provided would grant access to the resource.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

builder

public static PolicyValidator.Builder builder()

Creates a fluent API builder to build new instances of this class.

Returns:

a new builder instance

create

public static PolicyValidator create(Config config)

Create an instance from configuration. Example:

 # configuration of this validator (current key in config passed to this instance)
 policy-validator:
   # explicit validators - only needed if not implementing service interface PolicyExecutorService
   validators:
     - class: "io.helidon.security.abac.policy.DefaultPolicyValidator"
     - class: "..."
   # configuration of a policy executor - provide this name through PolicyExecutorService.configKey()
   my-custom-policy-engine:
     some-key: "some value"
     another-key: "another value"
 

Parameters:

config - configuration to load this class from

Returns:

a new instance from config

supportedAnnotations

public Collection<Class<? extends Annotation>> supportedAnnotations()

Description copied from interface: AbacValidator

Provide extension annotations supported by this validator (e.g. RolesAllowed). Annotations will be collected according to framework in use. For JAX-RS, annotations from application class, resource class and resource methods will be collected. The annotations will be transformed to configuration by AbacValidator.fromAnnotations(EndpointConfig).

Specified by:

supportedAnnotations in interface AbacValidator<PolicyValidator.PolicyConfig>

Returns:

Collection of annotations this provider expects.

configClass

public Class<PolicyValidator.PolicyConfig> configClass()

Description copied from interface: AbacValidator

Class of the configuration type.

Specified by:

configClass in interface AbacValidator<PolicyValidator.PolicyConfig>

Returns:

class of the type

configKey

public String configKey()

Description copied from interface: AbacValidator

Key of a configuration entry that maps to this validator's configuration.

Specified by:

configKey in interface AbacValidator<PolicyValidator.PolicyConfig>

Returns:

key in a config Config

fromConfig

public PolicyValidator.PolicyConfig fromConfig(Config config)

Description copied from interface: AbacValidator

Load configuration class instance from Config.

Specified by:

fromConfig in interface AbacValidator<PolicyValidator.PolicyConfig>

Parameters:

config - configuration located on the key this validator expects in AbacValidator.configKey()

Returns:

instance of configuration class

fromAnnotations

public PolicyValidator.PolicyConfig fromAnnotations(EndpointConfig endpointConfig)

Description copied from interface: AbacValidator

Load configuration class instance from annotations this validator expects.

Specified by:

fromAnnotations in interface AbacValidator<PolicyValidator.PolicyConfig>

Parameters:

endpointConfig - endpoint config

Returns:

instance of configuration class

validate

public void validate(PolicyValidator.PolicyConfig config,
 Errors.Collector collector,
 ProviderRequest request)

Description copied from interface: AbacValidator

Validate that the configuration provided would grant access to the resource. Update collector with errors, if access should be denied using Errors.Collector.fatal(Object, String).

Specified by:

validate in interface AbacValidator<PolicyValidator.PolicyConfig>

Parameters:

config - configuration of this validator

collector - error collector to gather issues with this request (e.g. "service not in role ABC")

request - ABAC context containing subject(s), object(s) and environment