Module io.helidon.security.integration.grpc
Package io.helidon.security.integration.grpc

Class GrpcSecurityHandler

java.lang.Object
io.helidon.security.integration.grpc.GrpcSecurityHandler
All Implemented Interfaces:
io.grpc.ServerInterceptor, ServiceDescriptor.Configurer
@Priority(1000) public class GrpcSecurityHandler extends Object implements io.grpc.ServerInterceptor, ServiceDescriptor.Configurer
Handles security for the gRPC server. This handler is registered either by hand on the gRPC routing config, or automatically from configuration when integration is done through GrpcSecurity.create(Config) or GrpcSecurity.create(Security).

This class is an implementation of a ServerInterceptor with a priority of InterceptorPriorities.CONTEXT that will add itself to the call context with the key GrpcSecurity.GRPC_SECURITY_HANDLER. This will then cause the GrpcSecurity interceptor that runs later with a priority of InterceptorPriorities.AUTHENTICATION to use this instance of the handler.

  • Method Details

    • configure

      public void configure(ServiceDescriptor.Rules rules)
      Modifies a ServiceDescriptor.Rules to add this GrpcSecurityHandler.
      Specified by:
      configure in interface ServiceDescriptor.Configurer
      Parameters:
      rules - the ServiceDescriptor.Rules to modify

    • interceptCall

      public <ReqT, RespT> io.grpc.ServerCall.Listener<ReqT> interceptCall(io.grpc.ServerCall<ReqT,RespT> call, io.grpc.Metadata headers, io.grpc.ServerCallHandler<ReqT,RespT> next)
      Specified by:
      interceptCall in interface io.grpc.ServerInterceptor

    • authenticator

      public GrpcSecurityHandler authenticator(String explicitAuthenticator)
      Use a named authenticator (as supported by security - if not defined, default authenticator is used). Will enable authentication.
      Parameters:
      explicitAuthenticator - name of authenticator as configured in Security
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authorizer

      public GrpcSecurityHandler authorizer(String explicitAuthorizer)
      Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted). Will enable authorization.
      Parameters:
      explicitAuthorizer - name of authorizer as configured in Security
      Returns:
      new handler instance with configuration of this instance updated with this method

    • rolesAllowed

      public GrpcSecurityHandler rolesAllowed(String... roles)
      An array of allowed roles for this path - must have a security provider supporting roles (either authentication or authorization provider). This method enables authentication and authorization (you can disable them again by calling skipAuthorization() and skipAuthentication() if needed).
      Parameters:
      roles - if subject is any of these roles, allow access
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authenticationOptional

      public GrpcSecurityHandler authenticationOptional()
      If called, authentication failure will not abort request and will continue as anonymous (authentication is not optional by default). Will enable authentication.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authenticate

      public GrpcSecurityHandler authenticate()
      If called, request will go through authentication process - (authentication is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAuthentication

      public GrpcSecurityHandler skipAuthentication()
      If called, request will NOT go through authentication process. Use this when another method implies authentication (such as rolesAllowed(String...)) and yet it is not desired (e.g. everything is handled by authorization).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • customObject

      public GrpcSecurityHandler customObject(Object object)
      Register a custom object for security request(s). This creates a hard dependency on a specific security provider, so use with care.
      Parameters:
      object - An object expected by security provider
      Returns:
      new handler instance with configuration of this instance updated with this method

    • auditEventType

      public GrpcSecurityHandler auditEventType(String eventType)
      Override for event-type, defaults to "grpcRequest".
      Parameters:
      eventType - audit event type to use
      Returns:
      new handler instance with configuration of this instance updated with this method

    • auditMessageFormat

      public GrpcSecurityHandler auditMessageFormat(String messageFormat)
      Override for audit message format, defaults to "%2$s %1$s %4$s %5$s requested by %3$s".
      Parameters:
      messageFormat - audit message format to use
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authorize

      public GrpcSecurityHandler authorize()
      If called, request will go through authorization process - (authorization is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAuthorization

      public GrpcSecurityHandler skipAuthorization()
      Skip authorization for this route. Use this when authorization is implied by another method on this class (e.g. rolesAllowed(String...) and you want to explicitly forbid it.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • audit

      public GrpcSecurityHandler audit()
      Audit this request for any method. Request is audited with event type DEFAULT_AUDIT_EVENT_TYPE.

      By default audit is enabled as follows (based on HTTP methods):

      • GET, HEAD - not audited
      • PUT, POST, DELETE - audited
      • any other method (e.g. custom methods) - audited
      Calling this method will override the default setting and audit any method this handler is registered for.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAudit

      public GrpcSecurityHandler skipAudit()
      Disable auditing of this request. Will override defaults and disable auditing for all methods this handler is registered for.

      By default audit is enabled as follows (based on HTTP methods):

      • GET, HEAD - not audited
      • PUT, POST, DELETE - audited
      • any other method (e.g. custom methods) - audited
      Returns:
      new handler instance with configuration of this instance updated with this method