Package io.helidon.security


package io.helidon.security

Security

Supports security for web (and possibly other) resources including:
  • Authentication: authenticate a request
  • Authorization: authorize a request to a resource, possibly using ABAC or RBAC.
  • Outbound security: propagating security on outbound calls.
  • Audit: auditing security operations
And security for any resource type when using programmatic approach. Starting point: Security and SecurityContext. Various security aspects are pluggable, using providers to extend functionality.

Bootstrapping

You have two way to do things with security - either load it from configuration or create a fully configured instance using a builder. Both approaches should allow the same behavior.

To create security using builder:
Security.builder() .build()

Or using configuration:
Security.create(io.helidon.config.Config)

Configuration example (Google login for users and http-signatures for service):


 security:
   provider-policy:
     # Composite policy when using more than one provider
     type: "COMPOSITE"
     authentication:
       # This is a frontend service - only allow google authentication
       - name: "google-login"
     outbound:
       # Propagate the goole token and this service's identity to backend
       - name: "google-login"
       - name: "http-signatures"
   providers:
     # Google login button support - authentication and identity propagation provider
     - google-login:
         client-id: "your-google-application-id"
     # Attribute based access control authorization provider
     - abac:
     # HTTP signatures - authentication and identity propagation provider (for service identity)
     - http-signatures:
         outbound:
         - name: "backend"
           hosts: ["localhost"]
           signature:
             key-id: "frontend"
             # password may be encrypted when using secure filter for Helidon config
             hmac.secret: "..."