Package io.helidon.security

Interface SecurityContext

  • public interface SecurityContext
    Security context to retrieve security information about current user, either injected or obtained from Security.contextBuilder(String) and to handle programmatic security.

    • Field Detail

      • ANONYMOUS_PRINCIPAL

        static final Principal ANONYMOUS_PRINCIPAL
        Anonymous user principal. This is the user principal used when no user is authenticated (e.g. when a service is authenticated or when fully ANONYMOUS.

      • ANONYMOUS

        static final Subject ANONYMOUS
        Anonymous subject. This is the subject you get when not authenticated and a Subject is required..

    • Method Detail

      • authorize

        AuthorizationResponse authorize​(Object... resource)
        Authorize access to a resource (or more resources) based on current environment and endpoint configuration.
        Parameters:
        resource - resources to authorize access to (may be empty)
        Returns:
        response of authorization

      • isAuthenticated

        boolean isAuthenticated()
        Return true if the user is authenticated. This only cares about USER! not about service. To check if service is authenticated, use service() and check the resulting optional.
        Returns:
        true for authenticated user, false otherwise (e.g. no subject or ANONYMOUS)

      • logout

        void logout()
        Logout user, clear current security context.

      • isUserInRole

        boolean isUserInRole​(String role,
                     String authorizerName)
        Check if user is in specified role if supported by global or specific authorization provider.
        Parameters:
        role - Role to check
        authorizerName - explicit authorization provider class name to use (or config property pointing to class name)
        Returns:
        true if current user is in specified role and current authorization provider supports roles, false otherwise

      • executorService

        ExecutorService executorService()
        Executor service of the security module.
        Returns:
        executor service to use to execute asynchronous tasks related to security

      • isUserInRole

        boolean isUserInRole​(String role)
        Check if user is in specified role if supported by global authorization provider. This method expects global authorization provider is in use. If you explicitly use a custom provider, use isUserInRole(String, String) instead.
        Parameters:
        role - Role to check
        Returns:
        true if current user is in specified role and current authorization provider supports roles, false otherwise

      • audit

        void audit​(AuditEvent event)
        Audit a security event. This allows custom auditing events from applications. Note that main security events are already audited (e.g. authentication, authorization, identity propagation and various runAs events).
        Parameters:
        event - AuditEvent to store

      • service

        Optional<Subject> service()
        Returns subject of current context (caller) service or client identity.
        Returns:
        current context service (client) subject. If there is no service/client, returns empty.

      • servicePrincipal

        default Optional<Principal> servicePrincipal()
        Returns service principal if service is authenticated.
        Returns:
        current context service principal, or empty if none authenticated

      • serviceName

        default String serviceName()
        A helper method to get service name if authenticated.
        Returns:
        name of currently authenticated service or null.

      • user

        Optional<Subject> user()
        Returns subject of current context (caller) user.
        Returns:
        current context user subject. If there is no authenticated user, returns empty.

      • userPrincipal

        default Optional<Principal> userPrincipal()
        Returns user principal if user is authenticated.
        Returns:
        current context user principal, or empty if none authenticated

      • userName

        default String userName()
        A helper method to get user name if authenticated.
        Returns:
        name of currently authenticated user or null.

      • runAs

        void runAs​(Subject subject,
           Runnable runnable)
        Executes provided code under provided subject.
        Parameters:
        subject - to use for execution. Use ANONYMOUS for anon.
        runnable - to execute.

      • runAs

        void runAs​(String role,
           Runnable runnable)
        Execute provided code as current user with an additional explicit role added.
        Parameters:
        role - name of role
        runnable - to execute

      • tracingSpan

        SpanContext tracingSpan()
        Provides the span for tracing. This is the span of current context (e.g. parent to security).
        Returns:
        Open tracing Span context of current security context

      • tracer

        Tracer tracer()
        Provides the tracer to create new spans. If you use this, we can control whether tracing is enabled or disabled as part of security. If you use GlobalTracer.get() you will get around this.
        Returns:
        Tracer to build custom Spans. Use in combination with tracingSpan() to create a nice tree of spans

      • id

        String id()
        Id of this context instance. Created as security instance id : context id (depends on container integration or id provided by developer).
        Returns:
        id uniquely identifying this context

      • serverTime

        SecurityTime serverTime()
        Get time instance, that can be used to obtain current time consistent with the security framework. This time may be shifted against real time, may have a different time zone, explicit values (for testing). To obtain the decisive time for current request, please use SecurityEnvironment.
        Returns:
        time instance to obtain current time
        See Also:
        SecurityTime.get()

      • env

        SecurityEnvironment env()
        Current SecurityEnvironment. For web, this probably won't change, as the environment is valid for whole request. For other frameworks or standalone applications, this may change over time.
        Returns:
        environment of current security context (e.g. to use for ABAC)

      • endpointConfig

        EndpointConfig endpointConfig()
        Current endpoint configuration.
        Returns:
        configuration specific to current endpoint (annotations, config, custom object, attributes)

      • endpointConfig

        void endpointConfig​(EndpointConfig ec)
        Set endpoint configuration to use for subsequent security requests.
        Parameters:
        ec - configuration specific to current endpoint (annotations, config, custom object, attributes)

      • atzChecked

        boolean atzChecked()
        Return true if either of authorization methods (authorize(Object...) or atzClientBuilder() was called). This is a safe-guard for attribute based authorization that is using annotations and requires object to be passed for evaluation.
        Returns:
        true if authorization was checked, false otherwise