Module io.helidon.security.integration.webserver
Package io.helidon.security.integration.webserver

Class SecurityHandler

java.lang.Object
io.helidon.security.integration.webserver.SecurityHandler
All Implemented Interfaces:
Handler, BiConsumer<ServerRequest,ServerResponse>
public final class SecurityHandler extends Object implements Handler
Handles security for web server. This handler is registered either by hand on router config, or automatically from configuration when integration done through WebSecurity.create(Config) or WebSecurity.create(Security, Config).

  • Method Details

    • accept

      public void accept(ServerRequest req, ServerResponse res)
      Description copied from interface: Handler
      Handles request and response usually called from the Routing.
      Specified by:
      accept in interface BiConsumer<ServerRequest,ServerResponse>
      Specified by:
      accept in interface Handler
      Parameters:
      req - an HTTP server request.
      res - an HTTP server response.

    • queryParamHandlers

      public List<SecurityHandler.QueryParamHandler> queryParamHandlers()
      List of query parameter handlers.
      Returns:
      list of handlers

    • authenticator

      public SecurityHandler authenticator(String explicitAuthenticator)
      Use a named authenticator (as supported by security - if not defined, default authenticator is used). Will enable authentication.
      Parameters:
      explicitAuthenticator - name of authenticator as configured in Security
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authorizer

      public SecurityHandler authorizer(String explicitAuthorizer)
      Use a named authorizer (as supported by security - if not defined, default authorizer is used, if none defined, all is permitted). Will enable authorization.
      Parameters:
      explicitAuthorizer - name of authorizer as configured in Security
      Returns:
      new handler instance with configuration of this instance updated with this method

    • rolesAllowed

      public SecurityHandler rolesAllowed(String... roles)
      An array of allowed roles for this path - must have a security provider supporting roles (either authentication or authorization provider). This method enables authentication and authorization (you can disable them again by calling skipAuthorization() and skipAuthentication() if needed).
      Parameters:
      roles - if subject is any of these roles, allow access
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authenticationOptional

      public SecurityHandler authenticationOptional()
      If called, authentication failure will not abort request and will continue as anonymous (authentication is not optional by default). Will enable authentication.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authenticate

      public SecurityHandler authenticate()
      If called, request will go through authentication process - (authentication is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAuthentication

      public SecurityHandler skipAuthentication()
      If called, request will NOT go through authentication process. Use this when another method implies authentication (such as rolesAllowed(String...)) and yet it is not desired (e.g. everything is handled by authorization).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • customObject

      public SecurityHandler customObject(Object object)
      Register a custom object for security request(s). This creates a hard dependency on a specific security provider, so use with care.
      Parameters:
      object - An object expected by security provider
      Returns:
      new handler instance with configuration of this instance updated with this method

    • auditEventType

      public SecurityHandler auditEventType(String eventType)
      Override for event-type, defaults to "request".
      Parameters:
      eventType - audit event type to use
      Returns:
      new handler instance with configuration of this instance updated with this method

    • auditMessageFormat

      public SecurityHandler auditMessageFormat(String messageFormat)
      Override for audit message format, defaults to "%3$s %1$s \"%2$s\" %5$s %6$s requested by %4$s".
      Parameters:
      messageFormat - audit message format to use
      Returns:
      new handler instance with configuration of this instance updated with this method

    • authorize

      public SecurityHandler authorize()
      If called, request will go through authorization process - (authorization is disabled by default - it may be enabled as a side effect of other methods, such as rolesAllowed(String...).
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAuthorization

      public SecurityHandler skipAuthorization()
      Skip authorization for this route. Use this when authorization is implied by another method on this class (e.g. rolesAllowed(String...) and you want to explicitly forbid it.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • audit

      public SecurityHandler audit()
      Audit this request for any method. Request is audited with event type DEFAULT_AUDIT_EVENT_TYPE.

      By default audit is enabled as follows (based on HTTP methods):

      • GET, HEAD - not audited
      • PUT, POST, DELETE - audited
      • any other method (e.g. custom methods) - audited
      Calling this method will override the default setting and audit any method this handler is registered for.
      Returns:
      new handler instance with configuration of this instance updated with this method

    • skipAudit

      public SecurityHandler skipAudit()
      Disable auditing of this request. Will override defaults and disable auditing for all methods this handler is registered for.

      By default audit is enabled as follows (based on HTTP methods):

      • GET, HEAD - not audited
      • PUT, POST, DELETE - audited
      • any other method (e.g. custom methods) - audited
      Returns:
      new handler instance with configuration of this instance updated with this method

    • queryParam

      public SecurityHandler queryParam(String queryParamName, TokenHandler headerHandler)
      Add a query parameter extraction configuration.
      Parameters:
      queryParamName - name of a query parameter to extract
      headerHandler - handler to extract it and store it in a header field
      Returns:
      new handler instance