Class SecurityEnvironment

  • All Implemented Interfaces:

    public class SecurityEnvironment
    extends Object
    implements AbacSupport
    Security environment is a set of attributes that are stable for an interaction (usually a request in our case). Environment can be re-used for multiple security request (e.g authentication, authorization). Access to environment is either through methods (for known attributes) or through generic AbacSupport.abacAttribute(String) methods for any property configured by integration component.

    The following properties are available (known):

    • time: decision time of the current request (e.g. when checking that this is within business hours
    • uri: target URI that was requested
    • path: path that was requested
    • method: method of the request
    • transport: transport of the request (e.g. http)
    • headers: transport headers of the request (map)
    • Method Detail

      • builder

        public static SecurityEnvironment.Builder builder​(SecurityTime serverTime)
        Creates a fluent API builder to build new instances of this class.
        serverTime - Time to use to obtain current time
        a builder instance
      • builder

        public static SecurityEnvironment.Builder builder()
        Creates a fluent API builder to build new instances of this class with current time.
        a builder instance
      • create

        public static SecurityEnvironment create()
        Create a new instance of security environment with all default values.
        environment instance
      • abacAttributeRaw

        public Object abacAttributeRaw​(String key)
        Description copied from interface: AbacSupport
        Return the actual property value or null if not present. This is the only method that needs to be implemented.
        Specified by:
        abacAttributeRaw in interface AbacSupport
        key - key (name) of the property
        value of the property or null
      • time

        public ZonedDateTime time()
        Time on the server this environment was created for current request. This should be treated as the "decisive" time of the request for security evaluation. This can be configured - e.g. there can be a time-shift (moving time by a specific amount of seconds to the past or to the future), or an explicit value (e.g. setting the time to 14:00 e.g. for testing purposes).
        server time that should be used to make security decisions
        See Also:
      • targetUri

        public URI targetUri()
        Get the URI of the resource requested. For inbound request, this contains the requested URI by remote client (or as close to the original one as we can get), for outbound requests, this contains the actual URI as configured by client to be called on remote server. TODO if we use service registry, we must have access to the actual endpoint (as signatures may require signing of URI with the real host and port). Either this method MUST return a resolved URI, or we MUST have access to registry and enforce an endpoint (when resolved).
        URI being called or URI to be called
      • path

        public Optional<String> path()
        Path to the resource. For jax-rs, this is relative URI.
        Path to the resource
      • method

        public String method()
        Verb to execute on the resource. For http, this is HTTP method (PUT, GET, DELETE, POST....)
        Verb executing on the resource, default is GET
      • transport

        public String transport()
        Return type of transport (such as http, https, jms etc.). Transport should be case insensitive, yet I recommend using all lower case. For the purpose of this method, http and https are two separate transports!
        transport used for this request. Defaults to http.
      • derive

        public SecurityEnvironment.Builder derive()
        Derive a new environment builder based on this environment.
        builder to build a new environment overriding only needed values with a new timestamp
      • headers

        public Map<String,​List<String>> headers()
        Transport headers that can be used to process the message. The headers stand here as a generalization - they cover all metadata sent with each request that is not described elsewhere. For HTTP, this would cover: all HTTP headers (done automatically by integration components), on-demand query parameters (must be explicitly configured and supported by integration component), on-demand form parameters (must be explicitly configured and supported by integration component). For JMS, this would cover: all JMS headers (in string form - byte[] should be base64 encoded). Other protocols must choose a reasonable way to transfer a request/response message into headers and entity.
        Header map. If transport protocol does not support headers, map will be empty