Module io.helidon.security

Package io.helidon.security

Security

Supports security for web (and possibly other) resources including:

• Authentication: authenticate a request
• Authorization: authorize a request to a resource, possibly using ABAC or RBAC.
• Outbound security: propagating security on outbound calls.
• Audit: auditing security operations

And security for any resource type when using programmatic approach. Starting point: Security and SecurityContext. Various security aspects are pluggable, using providers to extend functionality.

Bootstrapping

You have two way to do things with security - either load it from configuration or create a fully configured instance using a builder. Both approaches should allow the same behavior.

To create security using builder:
Security.builder() .build()

Or using configuration:
Security.create(io.helidon.config.Config)

Configuration example (Google login for users and http-signatures for service):

 security:
   provider-policy:
     # Composite policy when using more than one provider
     type: "COMPOSITE"
     authentication:
       # This is a frontend service - only allow google authentication
       - name: "google-login"
     outbound:
       # Propagate the goole token and this service's identity to backend
       - name: "google-login"
       - name: "http-signatures"
   providers:
     # Google login button support - authentication and identity propagation provider
     - google-login:
         client-id: "your-google-application-id"
     # Attribute based access control authorization provider
     - abac:
     # HTTP signatures - authentication and identity propagation provider (for service identity)
     - http-signatures:
         outbound:
         - name: "backend"
           hosts: ["localhost"]
           signature:
             key-id: "frontend"
             # password may be encrypted when using secure filter for Helidon config
             hmac.secret: "..."
 

Interface Summary

Interface	Description
AuditEvent	An audit event to store using an Audit provider.
Principal	A security principal.
SecretsProviderConfig	Marker interface for configuration of secrets providers.
SecurityClient<T extends SecurityResponse>	Common methods for security clients.
SecurityContext	Security context to retrieve security information about current user, either injected or obtained from Security.contextBuilder(String) and to handle programmatic security.
SecurityRequest	Common methods for all security requests (authentication, authorization, and identity propagation).

Class Summary

Class	Description
AuditEvent.AuditParam	Named parameters of audit event.
AuthenticationResponse	Response as returned from an authentication provider.
AuthenticationResponse.Builder	Authentication response builder.
AuthorizationResponse	Response from an authorization decision.
AuthorizationResponse.Builder	Builder for custom Authorization responses.
ClassToInstanceStore<T>	Map of classes to their instances.
CompositeProviderSelectionPolicy	A provider selection policy that supports composing multiple providers (current Authentication and Outbound) into a single virtual security provider.
CompositeProviderSelectionPolicy.Builder	Fluent API builder to create CompositeProviderSelectionPolicy.
EndpointConfig	Each endpoint can have security configuration either statically declared (e.g.
EndpointConfig.Builder	A fluent API builder for EndpointConfig.
Grant	A concept representing anything that can be granted to a subject.
Grant.Builder<T extends Grant.Builder<T>>	A fluent API builder for Grant to be extended by other Grant implementations.
NamedProvider<T extends SecurityProvider>	A wrapper for a named security provider.
OutboundSecurityClientBuilder	Builder constructing a security client - extends the SecurityRequestBuilder for convenience.
OutboundSecurityResponse	Response of outbound security provider.
OutboundSecurityResponse.Builder	Builder class to build custom identity propagation responses.
Principal.Builder	A fluent API builder for Principal.
ProviderRequest	A request sent to security providers.
QueryParamMapping	Definition of a map to bind a query param to a header.
Role	A security role used in RBAC (role based access control) schemes.
Role.Builder	A fluent API builder for Role.
Security	This class is used to "bootstrap" security and integrate it with other frameworks; runtime main entry point is SecurityContext.
Security.Builder	Builder pattern class for helping create Security in a convenient way.
SecurityClientBuilder<T extends SecurityResponse>	Builder constructing a security client - extends the SecurityRequestBuilder for convenience.
SecurityContext.Builder	Fluent API builder for SecurityContext.
SecurityEnvironment	Security environment is a set of attributes that are stable for an interaction (usually a request in our case).
SecurityEnvironment.Builder	A fluent API builder for SecurityEnvironment.
SecurityLevel	Security level stores annotations bound to the specific class and method.
SecurityLevel.SecurityLevelBuilder	Builder for SecurityLevel class.
SecurityRequestBuilder<T extends SecurityRequestBuilder<T>>	Fluent API to build a security request.
SecurityResponse	Response from security provider (and security Module).
SecurityTime	Time used in security, configurable.
SecurityTime.Builder	Fluent API builder for SecurityTime.
Subject	A security subject, representing a user or a service.
Subject.Builder	A fluent API builder for Subject.

Enum Summary

Enum	Description
AuditEvent.AuditSeverity	Severity of AuditEvent.
CompositeProviderFlag	Flag driving resolution of providers.
EndpointConfig.AnnotationScope	Scope of annotations used in applications that integrate security.
SecurityResponse.SecurityStatus	Status of a security operation.
SubjectType	Type of principal.

Exception Summary

Exception	Description
SecurityException	Runtime exception used as by this module to be able to identify exception caused by it.