Module io.helidon.security
Package io.helidon.security

Class Security

    • Field Detail

      • HEADER_ORIG_URI

        public static final String HEADER_ORIG_URI
        Integration should add a special header to each request. The value will contain the original URI as was issued - for HTTP this is the relative URI including query parameters.
        See Also:
        Constant Field Values

    • Method Detail

      • create

        public static Security create​(Config config)
        Creates new instance based on configuration values.

        Parameters:
        config - Config instance located on security configuration ("providers" is an expected child)
        Returns:
        new instance.

      • builder

        public static Security.Builder builder​(Config config)
        Creates new instance based on configuration values.

        Parameters:
        config - Config instance located on security configuration ("providers" is an expected child)
        Returns:
        new instance.

      • getRoles

        public static Set<String> getRoles​(Subject subject)
        Get a set of roles the subject has, based on Role. This is the set of roles as assumed by authentication provider. Authorization providers may use a different set of roles (and context used authorization provider to check SecurityContext.isUserInRole(String)).
        Parameters:
        subject - Subject of a user/service
        Returns:
        set of roles the user/service is in

      • serverTime

        public SecurityTime serverTime()
        Time that is decisive for the server. This usually returns accessor to current time in a specified time zone.

        SecurityTime may be configured to a fixed point in time, intended for testing purposes.

        Returns:
        time to access current time for security decisions

      • contextBuilder

        public SecurityContext.Builder contextBuilder​(String id)
        Create a new security context builder to build and instance. This is expected to be invoked for each request/response exchange that may be authenticated, authorized etc. Context holds the security subject... Once your processing is done and you no longer want to keep security context, call SecurityContext.logout() to clear subject and principals.
        Parameters:
        id - to use when logging, auditing etc. (e.g. some kind of tracing id). If none or empty, security instance UUID will be used (at least to map all audit records for a single instance of security component). If defined, security will prefix this id with security instance UUID
        Returns:
        new fluent API builder to create a SecurityContext

      • createContext

        public SecurityContext createContext​(String id)
        Create a new security context with the defined id and all defaults.
        Parameters:
        id - id of this context
        Returns:
        new security context

      • tracer

        public Tracer tracer()
        Returns a tracer that can be used to construct new spans.
        Returns:
        Tracer, may be a no-op tracer if tracing is disabled

      • customAnnotations

        public Collection<Class<? extends Annotation>> customAnnotations()
        Get the complete set of annotations expected by (all) security providers configured. This is to be used for integration with other frameworks that support annotations.
        Returns:
        Collection of annotations expected by configured providers.

      • configFor

        public Config configFor​(String child)
        The configuration of security.

        This method will NOT return security internal configuration:

        • provider-policy
        • providers
        • environment
        Parameters:
        child - the name of the child node to retrieve from config
        Returns:
        a child node of security configuration
        Throws:
        IllegalArgumentException - in case you request child in one of the forbidden trees

      • encrypt

        public Single<String> encrypt​(String configurationName,
                              byte[] bytesToEncrypt)
        Encrypt bytes. This method handles the bytes in memory, and as such is not suitable for processing of large amounts of data.
        Parameters:
        configurationName - name of the configuration of this encryption
        bytesToEncrypt - bytes to encrypt
        Returns:
        future with cipher text

      • decrypt

        public Single<byte[]> decrypt​(String configurationName,
                              String cipherText)
        Decrypt cipher text. This method handles the bytes in memory, and as such is not suitable for processing of large amounts of data.
        Parameters:
        configurationName - name of the configuration of this encryption
        cipherText - cipher text to decrypt
        Returns:
        future with decrypted bytes

      • digest

        public Single<String> digest​(String configurationName,
                             byte[] bytesToDigest,
                             boolean preHashed)
        Create a digest for the provided bytes.
        Parameters:
        configurationName - name of the digest configuration
        bytesToDigest - data to digest
        preHashed - whether the data is already a hash
        Returns:
        future with digest (such as signature or HMAC)

      • digest

        public Single<String> digest​(String configurationName,
                             byte[] bytesToDigest)
        Create a digest for the provided raw bytes.
        Parameters:
        configurationName - name of the digest configuration
        bytesToDigest - data to digest
        Returns:
        future with digest (such as signature or HMAC)

      • verifyDigest

        public Single<Boolean> verifyDigest​(String configurationName,
                                    byte[] bytesToDigest,
                                    String digest,
                                    boolean preHashed)
        Verify a digest.
        Parameters:
        configurationName - name of the digest configuration
        bytesToDigest - data to verify a digest for
        digest - digest as provided by a third party (or another component)
        preHashed - whether the data is already a hash
        Returns:
        future with result of verification (true means the digest is valid)

      • verifyDigest

        public Single<Boolean> verifyDigest​(String configurationName,
                                    byte[] bytesToDigest,
                                    String digest)
        Verify a digest.
        Parameters:
        configurationName - name of the digest configuration
        bytesToDigest - raw data to verify a digest for
        digest - digest as provided by a third party (or another component)
        Returns:
        future with result of verification (true means the digest is valid)

      • secret

        public Single<Optional<String>> secret​(String configurationName)
        Get a secret.
        Parameters:
        configurationName - name of the secret configuration
        Returns:
        future with the secret value, or error if the secret is not configured

      • secret

        public Single<String> secret​(String configurationName,
                             String defaultValue)
        Get a secret.
        Parameters:
        configurationName - name of the secret configuration
        defaultValue - default value to use if secret not configured
        Returns:
        future with the secret value

      • environmentBuilder

        public SecurityEnvironment.Builder environmentBuilder()
        Security environment builder, to be used to create environment for evaluating security in integration components.
        Returns:
        builder to build SecurityEnvironment

      • enabled

        public boolean enabled()
        Whether security is enabled or disabled. Disabled security does not check authorization and authenticates all users as SecurityContext.ANONYMOUS.
        Returns:
        true if security is enabled