Package io.helidon.security
Interface SecurityContext
-
public interface SecurityContext
Security context to retrieve security information about current user, either injected or obtained fromSecurity.contextBuilder(String)
and to handle programmatic security.
-
-
Nested Class Summary
Nested Classes Modifier and Type Interface Description static class
SecurityContext.Builder
Fluent API builder forSecurityContext
.
-
Field Summary
Fields Modifier and Type Field Description static Subject
ANONYMOUS
Anonymous subject.static Principal
ANONYMOUS_PRINCIPAL
Anonymous user principal.
-
Method Summary
All Methods Instance Methods Abstract Methods Default Methods Modifier and Type Method Description SecurityClientBuilder<AuthenticationResponse>
atnClientBuilder()
Authenticator client builder to use for programmatic authentication.boolean
atzChecked()
Return true if either of authorization methods (authorize(Object...)
oratzClientBuilder()
was called).SecurityClientBuilder<AuthorizationResponse>
atzClientBuilder()
Authorization client builder to use for programmatic authorization.void
audit(AuditEvent event)
Audit a security event.AuthenticationResponse
authenticate()
Authenticate current request (based on currentSecurityEnvironment
andEndpointConfig
.AuthorizationResponse
authorize(Object... resource)
Authorize access to a resource (or more resources) based on current environment and endpoint configuration.EndpointConfig
endpointConfig()
Current endpoint configuration.void
endpointConfig(EndpointConfig ec)
Set endpoint configuration to use for subsequent security requests.default void
endpointConfig(Supplier<EndpointConfig> epBuilder)
Shortcut method to setEndpointConfig
using a builder rather than built instance.SecurityEnvironment
env()
CurrentSecurityEnvironment
.void
env(SecurityEnvironment env)
Set a new security environment to be used in this context.default void
env(Supplier<SecurityEnvironment> envBuilder)
Set a new security environment to be used int this context.ExecutorService
executorService()
Executor service of the security module.String
id()
Id of this context instance.boolean
isAuthenticated()
Return true if the user is authenticated.boolean
isUserInRole(String role)
Check if user is in specified role if supported by global authorization provider.boolean
isUserInRole(String role, String authorizerName)
Check if user is in specified role if supported by global or specific authorization provider.void
logout()
Logout user, clear current security context.OutboundSecurityClientBuilder
outboundClientBuilder()
Outbound security client builder for programmatic outbound security used for identity propagation, identity mapping, encryption of outbound calls etc.void
runAs(Subject subject, Runnable runnable)
Executes provided code under provided subject.void
runAs(String role, Runnable runnable)
Execute provided code as current user with an additional explicit role added.SecurityRequestBuilder<?>
securityRequestBuilder()
A builder to build aSecurityRequest
.SecurityRequestBuilder<?>
securityRequestBuilder(SecurityEnvironment environment)
A builder to build aSecurityRequest
with a specific environment.SecurityTime
serverTime()
Get time instance, that can be used to obtain current time consistent with the security framework.Optional<Subject>
service()
Returns subject of current context (caller) service or client identity.default String
serviceName()
A helper method to get service name if authenticated.default Optional<Principal>
servicePrincipal()
Returns service principal if service is authenticated.Tracer
tracer()
Provides the tracer to create new spans.SpanContext
tracingSpan()
Provides the span for tracing.Optional<Subject>
user()
Returns subject of current context (caller) user.default String
userName()
A helper method to get user name if authenticated.default Optional<Principal>
userPrincipal()
Returns user principal if user is authenticated.
-
-
-
Field Detail
-
ANONYMOUS_PRINCIPAL
static final Principal ANONYMOUS_PRINCIPAL
Anonymous user principal. This is the user principal used when no user is authenticated (e.g. when a service is authenticated or when fullyANONYMOUS
.
-
ANONYMOUS
static final Subject ANONYMOUS
Anonymous subject. This is the subject you get when not authenticated and a Subject is required..
-
-
Method Detail
-
securityRequestBuilder
SecurityRequestBuilder<?> securityRequestBuilder()
A builder to build aSecurityRequest
.- Returns:
- security request builder
-
securityRequestBuilder
SecurityRequestBuilder<?> securityRequestBuilder(SecurityEnvironment environment)
A builder to build aSecurityRequest
with a specific environment.- Parameters:
environment
- environment to use for this request- Returns:
- security request builder
-
atnClientBuilder
SecurityClientBuilder<AuthenticationResponse> atnClientBuilder()
Authenticator client builder to use for programmatic authentication.- Returns:
- a builder for
SecurityClient
instance providingAuthenticationResponse
-
authenticate
AuthenticationResponse authenticate()
Authenticate current request (based on currentSecurityEnvironment
andEndpointConfig
.- Returns:
- response of authentication operation
-
atzClientBuilder
SecurityClientBuilder<AuthorizationResponse> atzClientBuilder()
Authorization client builder to use for programmatic authorization. Will use existing environment.- Returns:
- a builder for
SecurityClient
instance providingAuthorizationResponse
-
outboundClientBuilder
OutboundSecurityClientBuilder outboundClientBuilder()
Outbound security client builder for programmatic outbound security used for identity propagation, identity mapping, encryption of outbound calls etc.- Returns:
- a builder for
SecurityClient
instance providingOutboundSecurityResponse
-
authorize
AuthorizationResponse authorize(Object... resource)
Authorize access to a resource (or more resources) based on current environment and endpoint configuration.- Parameters:
resource
- resources to authorize access to (may be empty)- Returns:
- response of authorization
-
isAuthenticated
boolean isAuthenticated()
Return true if the user is authenticated. This only cares about USER! not about service. To check if service is authenticated, useservice()
and check the resulting optional.- Returns:
- true for authenticated user, false otherwise (e.g. no subject or
ANONYMOUS
)
-
logout
void logout()
Logout user, clear current security context.
-
isUserInRole
boolean isUserInRole(String role, String authorizerName)
Check if user is in specified role if supported by global or specific authorization provider.- Parameters:
role
- Role to checkauthorizerName
- explicit authorization provider class name to use (or config property pointing to class name)- Returns:
- true if current user is in specified role and current authorization provider supports roles, false otherwise
-
executorService
ExecutorService executorService()
Executor service of the security module.- Returns:
- executor service to use to execute asynchronous tasks related to security
-
isUserInRole
boolean isUserInRole(String role)
Check if user is in specified role if supported by global authorization provider. This method expects global authorization provider is in use. If you explicitly use a custom provider, useisUserInRole(String, String)
instead.- Parameters:
role
- Role to check- Returns:
- true if current user is in specified role and current authorization provider supports roles, false otherwise
-
audit
void audit(AuditEvent event)
Audit a security event. This allows custom auditing events from applications. Note that main security events are already audited (e.g. authentication, authorization, identity propagation and various runAs events).- Parameters:
event
- AuditEvent to store
-
service
Optional<Subject> service()
Returns subject of current context (caller) service or client identity.- Returns:
- current context service (client) subject. If there is no service/client, returns empty.
-
servicePrincipal
default Optional<Principal> servicePrincipal()
Returns service principal if service is authenticated.- Returns:
- current context service principal, or empty if none authenticated
-
serviceName
default String serviceName()
A helper method to get service name if authenticated.- Returns:
- name of currently authenticated service or null.
-
user
Optional<Subject> user()
Returns subject of current context (caller) user.- Returns:
- current context user subject. If there is no authenticated user, returns empty.
-
userPrincipal
default Optional<Principal> userPrincipal()
Returns user principal if user is authenticated.- Returns:
- current context user principal, or empty if none authenticated
-
userName
default String userName()
A helper method to get user name if authenticated.- Returns:
- name of currently authenticated user or null.
-
runAs
void runAs(Subject subject, Runnable runnable)
Executes provided code under provided subject.- Parameters:
subject
- to use for execution. UseANONYMOUS
for anon.runnable
- to execute.
-
runAs
void runAs(String role, Runnable runnable)
Execute provided code as current user with an additional explicit role added.- Parameters:
role
- name of rolerunnable
- to execute
-
tracingSpan
SpanContext tracingSpan()
Provides the span for tracing. This is the span of current context (e.g. parent to security).- Returns:
- Open tracing Span context of current security context
-
tracer
Tracer tracer()
Provides the tracer to create new spans. If you use this, we can control whether tracing is enabled or disabled as part of security. If you useGlobalTracer.get()
you will get around this.- Returns:
Tracer
to build customSpans
. Use in combination withtracingSpan()
to create a nice tree of spans
-
id
String id()
Id of this context instance. Created as security instance id : context id (depends on container integration or id provided by developer).- Returns:
- id uniquely identifying this context
-
serverTime
SecurityTime serverTime()
Get time instance, that can be used to obtain current time consistent with the security framework. This time may be shifted against real time, may have a different time zone, explicit values (for testing). To obtain the decisive time for current request, please useSecurityEnvironment
.- Returns:
- time instance to obtain current time
- See Also:
SecurityTime.get()
-
env
SecurityEnvironment env()
CurrentSecurityEnvironment
. For web, this probably won't change, as the environment is valid for whole request. For other frameworks or standalone applications, this may change over time.- Returns:
- environment of current security context (e.g. to use for ABAC)
-
env
default void env(Supplier<SecurityEnvironment> envBuilder)
Set a new security environment to be used int this context.- Parameters:
envBuilder
- builder to build environment from- See Also:
SecurityEnvironment.derive()
,SecurityEnvironment.builder(SecurityTime)
-
env
void env(SecurityEnvironment env)
Set a new security environment to be used in this context.- Parameters:
env
- environment to use for further security operations- See Also:
SecurityEnvironment.derive()
-
endpointConfig
EndpointConfig endpointConfig()
Current endpoint configuration.- Returns:
- configuration specific to current endpoint (annotations, config, custom object, attributes)
-
endpointConfig
void endpointConfig(EndpointConfig ec)
Set endpoint configuration to use for subsequent security requests.- Parameters:
ec
- configuration specific to current endpoint (annotations, config, custom object, attributes)
-
endpointConfig
default void endpointConfig(Supplier<EndpointConfig> epBuilder)
Shortcut method to setEndpointConfig
using a builder rather than built instance. Shortcut toendpointConfig(EndpointConfig)
- Parameters:
epBuilder
- builder of an endpoint configuration
-
atzChecked
boolean atzChecked()
Return true if either of authorization methods (authorize(Object...)
oratzClientBuilder()
was called). This is a safe-guard for attribute based authorization that is using annotations and requires object to be passed for evaluation.- Returns:
- true if authorization was checked, false otherwise
-
-