Annotation Interface Authorized


@Retention(RUNTIME) @Target({METHOD,TYPE,FIELD}) @Documented @Inherited public @interface Authorized
An annotation used to specify server resources with enforced authorization.

The following sample shows the @Authorized annotation used in a JAX-RS/Jersey application:

  @Authorized
  @Authenticated
  @ApplicationPath("myApp")
  public class SecuredApplication extends jakarta.ws.rs.core.Application { ... }

  @Authorized(false)
  @Path("/")
  public class PublicResource {
    @GET
    public String getResourceContent() { ... }

    // Only authenticated users can update the content of the public resource
    @Authorized
    @PUT
    public Response setNewResourceContent(String content) { ... }
  }
 

The Authorized annotation is not cumulative: if you define it on a resource method, ALL values are taken from that instance of Authorized (so if you want to use a custom authorization provider, you must define it again in each Authorized instance).

  • Optional Element Summary

    Optional Elements
    Modifier and Type | Optional Element | Description
    boolean | explicit | By default, authorization is implicit and all annotations are processed before method invocation to authorize access.
    String | provider | Explicit authorization provider to use when processing this Authorized.
    boolean | value | Determine whether authorization should be enabled.
  • Element Details

    • value

      boolean value
      Determine whether authorization should be enabled. Defaults to true.
      Returns:
      true if authorization should be enabled.
      Default:
      true
    • provider

      String provider
      Explicit authorization provider to use when processing this Authorized. Setting this value will ignore security provider configured globally. Value is the name of a configured AuthenticationProvider.
      Returns:
      name of a configured provider
      Default:
      ""
    • explicit

      boolean explicit
      By default, authorization is implicit and all annotations are processed before method invocation to authorize access. If this is set to true, authorization MUST be invoked manually by calling SecurityContext.authorize(Object...). The security module will then not check authorization itself, but it still checks that authorization was called. If it was not, an exception is generated in post-processing. For example, the Jersey integration will return an internal server error in such a case.
      Returns:
      true if explicit authorization will be invoked in the code, false for implicit (handled by security module)
      Default:
      false
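
The non-cumulative rule and the explicit element described above, combined in one resource. This is an added example, not code from the original documentation. It assumes the Helidon Security packages (io.helidon.security) and the isPermitted() accessor of AuthorizationResponse; the provider name "abac", the Document record and the load/save helpers are hypothetical.

```java
import io.helidon.security.AuthorizationResponse;
import io.helidon.security.SecurityContext;
import io.helidon.security.annotations.Authenticated;
import io.helidon.security.annotations.Authorized;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;

// Class-level default: implicit authorization through the provider named "abac"
// ("abac" is a hypothetical provider name taken from the security configuration).
@Authenticated
@Authorized(provider = "abac")
@Path("/documents")
public class DocumentResource {

    // Hypothetical domain object handed to the authorization provider.
    public record Document(String id, String owner) { }

    // The method-level annotation replaces the class-level one entirely, so
    // provider is repeated here; otherwise its default ("") would apply.
    @Authorized(explicit = true, provider = "abac")
    @PUT
    @Path("/{id}")
    public Response update(@PathParam("id") String id,
                           @Context SecurityContext securityContext,
                           String content) {
        // Load the object first: the decision depends on its attributes.
        Document document = load(id);

        // explicit = true: the security module does not authorize before the
        // method runs; it only verifies afterwards that authorize() was called.
        AuthorizationResponse response = securityContext.authorize(document);
        if (!response.isPermitted()) {
            // Deny before any state change and keep the reason server-side.
            return Response.status(Response.Status.FORBIDDEN)
                    .entity("Access denied")
                    .build();
        }
        save(document, content);
        return Response.noContent().build();
    }

    // Constructed sample data standing in for a real lookup.
    private Document load(String id) { return new Document(id, "jack"); }

    private void save(Document document, String content) { /* persistence is out of scope here */ }
}
```

Every code path in an explicit method has to reach authorize() before returning, including early returns; a path that skips it is reported as an exception in post-processing rather than being silently allowed.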