Package io.helidon.webserver.security
Class SecurityHttpFeature
java.lang.Object
io.helidon.webserver.security.SecurityHttpFeature
- All Implemented Interfaces:
Weighted,HttpFeature,HttpSecurity,ServerLifecycle,Comparable<Weighted>,Supplier<HttpFeature>
public final class SecurityHttpFeature
extends Object
implements HttpSecurity, HttpFeature, Weighted
Integration of security into WebServer.
Methods that start with "from" are to register WebSecurity with WebServer
- to create SecurityContext for requests:
Example:
// WebServer routing builder - this is our integration pointHttpRoutingrouting = HttpRouting.builder() // register the WebSecurity to create context (shared by all routes) .register(SecurityHttpFeature.from(security))
Other methods are to create security enforcement points (gates) for routes (e.g. you are expected to use them for a get, post
etc. routes on specific path).
These methods are starting points that provide an instance of SecurityHandler that has finer grained methods to
control the gate behavior.
Note that if any gate is configured, auditing will be enabled by default except for GET and HEAD methods - if you want
to audit any method, invoke SecurityFeature.audit() to create a gate that will always audit the route.
If you want to create a gate and not audit it, use SecurityHandler.skipAudit() on the returned instance.
SecurityFeature.secure()- authentication and authorizationSecurityFeature.rolesAllowed(String...)- role based access control (implies authentication and authorization)SecurityFeature.authenticate()- authentication onlySecurityFeature.authorize()- authorization onlySecurityFeature.allowAnonymous()- authentication optionalSecurityFeature.audit()- audit all requests (including GET and HEAD)SecurityFeature.authenticator(String)- use explicit authenticator (named - as configured in config or through builder)SecurityFeature.authorizer(String)- use explicit authorizer (named - as configured in config or through builder)SecurityFeature.enforce()- use defaults (e.g. no authentication, authorization, audit calls except for GET and HEAD); this also give access to more fine-grained methods ofSecurityHandler
Example:
// continue from example above...
// create a gate for method GET: authenticate all paths under /user and require role "user" for authorization
.get("/user[/{*}]", WebSecurity.rolesAllowed("user"))
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringSecurity can accept additional headers to be added to security request.static final StringSecurity can accept additional headers to be added to security request.Fields inherited from interface io.helidon.common.Weighted
DEFAULT_WEIGHT -
Method Summary
Modifier and TypeMethodDescriptionbooleanauthenticate(ServerRequest request, ServerResponse response, boolean requiredHint) Authenticates the current request according to security configuration.booleanauthorize(ServerRequest request, ServerResponse response, String... roleHint) Authorize the current request according to security configuration.static SecurityHttpFeatureCreate a consumer of routing config to beregisteredwith web server routing to process security requests.static SecurityHttpFeatureCreate a consumer of routing config to beregisteredwith web server routing to process security requests.securityDefaults(SecurityHandler defaultHandler) Create a new web security instance using the default handler as base defaults for all handlers used.voidsetup(HttpRouting.Builder rules) Method to set up a feature.doubleweight()Weight of this class (maybe because it is defined dynamically, so it cannot be defined by an annotation).Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface io.helidon.webserver.http.HttpFeature
get, socket, socketRequiredMethods inherited from interface io.helidon.webserver.ServerLifecycle
afterStop, beforeStart
-
Field Details
-
CONTEXT_ADD_HEADERS
Security can accept additional headers to be added to security request. This will be used to obtain multivalue string map (a map of string to list of strings) from context (appropriate to the integration).- See Also:
-
CONTEXT_RESPONSE_HEADERS
Security can accept additional headers to be added to security request. This will be used to propagate additional headers from successful security response to the final server response.- See Also:
-
-
Method Details
-
create
Create a consumer of routing config to beregisteredwith web server routing to process security requests. This method is to be used together with other routing methods to protect web resources programmatically. Example:.get("/user[/{*}]", WebSecurity.authenticate() .rolesAllowed("user"))- Parameters:
security- initialized security- Returns:
- routing config consumer
-
create
Create a consumer of routing config to beregisteredwith web server routing to process security requests. This method configures security and web server integration from a config instance.- Parameters:
config- on the node of the server configuration of security (expectspathsfor example), configuration of security is expected under root nodesecurity- Returns:
- routing config consumer
-
securityDefaults
Create a new web security instance using the default handler as base defaults for all handlers used. If handlers are loaded from config, than this is the least significant value.- Parameters:
defaultHandler- if a security handler is configured for a route, it will take its defaults from this handler- Returns:
- new instance of web security with the handler default
-
setup
Description copied from interface:HttpFeatureMethod to set up a feature.- Specified by:
setupin interfaceHttpFeature- Parameters:
rules- routing builder
-
authenticate
public boolean authenticate(ServerRequest request, ServerResponse response, boolean requiredHint) throws UnauthorizedException Description copied from interface:HttpSecurityAuthenticates the current request according to security configuration. When there is no security implementation present, and required hint is set tofalsethis is a no-op.- Specified by:
authenticatein interfaceHttpSecurity- Parameters:
request- server request to read data for authenticationresponse- server responserequiredHint- whether authentication is expected- Returns:
- whether you should continue with other tasks in this request, if
falseis returned, the response was already sent, and you should immediately return without modifying it - Throws:
UnauthorizedException- when authentication was expected but could not be resolved
-
authorize
public boolean authorize(ServerRequest request, ServerResponse response, String... roleHint) throws ForbiddenException Description copied from interface:HttpSecurityAuthorize the current request according to security configuration. When there is no security implementation present and there are no roles defined, this is a no-op; if roles are defined this method throwsForbiddenExceptionby default.- Specified by:
authorizein interfaceHttpSecurity- Parameters:
request- server request to read data for authorizationresponse- server responseroleHint- the use should have at least one of the roles specified (only used when the security is configured to support roles)- Returns:
- whether you should continue with other tasks in this request, if
falseis returned, the response was already sent, and you should immediately return without modifying it - Throws:
ForbiddenException- when authorization failed and this request cannot proceed
-
weight
public double weight()Description copied from interface:WeightedWeight of this class (maybe because it is defined dynamically, so it cannot be defined by an annotation). If not dynamic, you can use theWeightannotation rather than implementing this interface as long as it is supported by the library using thisWeighted.
-