Package io.helidon.security.abac.policy
Class PolicyValidator
java.lang.Object
io.helidon.security.abac.policy.PolicyValidator
- All Implemented Interfaces:
AbacValidator<PolicyValidator.PolicyConfig>
public final class PolicyValidator
extends Object
implements AbacValidator<PolicyValidator.PolicyConfig>
ABAC validator based on a PolicyValidator.PolicyStatement. The statement itself is not resolved by this validator and is delegated to another module implementing the PolicyExecutor obtained through a PolicyExecutorService Java service.
Implementations provided by Helidon security:
- Java EE expression language support, artifact id: "helidon-security-abac-policy-el"
@PolicyStatement("${env.time.year >= 2017 && object.owner == subject.principal.id}")
-
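How the statement shown above can be attached to an endpoint, as an added example that is not part of the Helidon Javadoc. It assumes Helidon MP with the jakarta.ws.rs namespace and the security annotations in io.helidon.security.annotations; DocumentResource, Document and load are hypothetical names. Because the statement reads object.owner, the method authorizes explicitly so that the object is handed to the validator.

```java
// Added example. Assumes Helidon MP (jakarta.* namespace) with the
// helidon-security-abac-policy-el module on the classpath.
import io.helidon.security.AuthorizationResponse;
import io.helidon.security.SecurityContext;
import io.helidon.security.abac.policy.PolicyValidator;
import io.helidon.security.annotations.Authenticated;
import io.helidon.security.annotations.Authorized;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;

@Path("/documents")
@Authenticated
public class DocumentResource {               // hypothetical resource

    /** Hypothetical domain object; the EL statement reads "owner" through getOwner(). */
    public static final class Document {
        private final String owner;
        public Document(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    @GET
    @Path("/{id}")
    // explicit = true: authorization is not run before the method is invoked; the method
    // calls authorize(...) itself, which supplies the "object" the statement refers to.
    @Authorized(explicit = true)
    @PolicyValidator.PolicyStatement("${env.time.year >= 2017 && object.owner == subject.principal.id}")
    public Response read(@PathParam("id") String id, @Context SecurityContext context) {
        Document doc = load(id);
        AuthorizationResponse atz = context.authorize(doc);
        if (!atz.isPermitted()) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("document " + id).build();
    }

    private Document load(String id) {
        return new Document("jack");           // constructed sample owner
    }
}
```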
Nested Class Summary
Modifier and Type, Class, Description:
- static final class PolicyValidator.Builder: A fluent API builder for PolicyValidator.
- static final class PolicyValidator.PolicyConfig: Configuration of policy validator - a statement and whether to inherit value from parents.
- static @interface PolicyValidator.PolicyStatement: Annotate resource classes, methods, application etc.
-
Method Summary
Modifier and Type, Method, Description:
- static PolicyValidator.Builder builder(): Creates a fluent API builder to build new instances of this class.
- configClass: Class of the configuration type.
- configKey: Key of a configuration entry that maps to this validator's configuration.
- static PolicyValidator create: Create an instance from configuration.
- fromAnnotations(EndpointConfig endpointConfig): Load configuration class instance from annotations this validator expects.
- fromConfig(Config config): Load configuration class instance from Config.
- Collection<Class<? extends Annotation>> supportedAnnotations: Provide extension annotations supported by this validator (e.g. RolesAllowed).
- void validate(PolicyValidator.PolicyConfig config, Errors.Collector collector, ProviderRequest request): Validate that the configuration provided would grant access to the resource.
-
Method Details
-
builder
Creates a fluent API builder to build new instances of this class.
- Returns:
- a new builder instance
-
create
Create an instance from configuration. Example:

    # configuration of this validator (current key in config passed to this instance)
    policy-validator:
      # explicit validators - only needed if not implementing service interface PolicyExecutorService
      validators:
        - class: "io.helidon.security.abac.policy.DefaultPolicyValidator"
        - class: "..."
      # configuration of a policy executor - provide this name through PolicyExecutorService.configKey()
      my-custom-policy-engine:
        some-key: "some value"
        another-key: "another value"

- Parameters:
config
- configuration to load this class from
- Returns:
- a new instance from config
-
supportedAnnotations
Description copied from interface: AbacValidator
Provide extension annotations supported by this validator (e.g. RolesAllowed). Annotations will be collected according to framework in use. For JAX-RS, annotations from application class, resource class and resource methods will be collected. The annotations will be transformed to configuration by AbacValidator.fromAnnotations(EndpointConfig).
- Specified by:
supportedAnnotations in interface AbacValidator<PolicyValidator.PolicyConfig>
- Returns:
- Collection of annotations this provider expects.
-
configClass
Description copied from interface: AbacValidator
Class of the configuration type.
- Specified by:
configClass in interface AbacValidator<PolicyValidator.PolicyConfig>
- Returns:
- class of the type
-
configKey
Description copied from interface: AbacValidator
Key of a configuration entry that maps to this validator's configuration.
- Specified by:
configKey in interface AbacValidator<PolicyValidator.PolicyConfig>
- Returns:
- key in a config Config
-
fromConfig
Description copied from interface: AbacValidator
Load configuration class instance from Config.
- Specified by:
fromConfig in interface AbacValidator<PolicyValidator.PolicyConfig>
- Parameters:
config
- configuration located on the key this validator expects in AbacValidator.configKey()
- Returns:
- instance of configuration class
-
fromAnnotations
Description copied from interface: AbacValidator
Load configuration class instance from annotations this validator expects.
- Specified by:
fromAnnotations in interface AbacValidator<PolicyValidator.PolicyConfig>
- Parameters:
endpointConfig
- endpoint config
- Returns:
- instance of configuration class
-
validate
public void validate(PolicyValidator.PolicyConfig config, Errors.Collector collector, ProviderRequest request)
Description copied from interface: AbacValidator
Validate that the configuration provided would grant access to the resource. If access should be denied, update the collector with errors using Errors.Collector.fatal(Object, String).
- Specified by:
validate in interface AbacValidator<PolicyValidator.PolicyConfig>
- Parameters:
config
- configuration of this validator
collector
- error collector to gather issues with this request (e.g. "service not in role ABC")
request
- ABAC context containing subject(s), object(s) and environment
-