public interface Security
This class is used to "bootstrap" security and integrate it with other frameworks; runtime
main entry point is
SecurityContext
.
It is possible to configure it manually using builder()
or use create(Config)
to initialize using
configuration support.
Security is constructed from various providers SecurityProvider
and
a selection policy ProviderSelectionPolicy
to choose the right one(s) to
secure a request.
- See Also:
-
Nested Class Summary
Modifier and TypeInterfaceDescriptionstatic final class
Builder pattern class for helping createSecurity
in a convenient way. -
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Integration should add a special header to each request. -
Method Summary
Modifier and TypeMethodDescriptionvoid
audit
(String tracingId, AuditEvent event) Audit an event.static Security.Builder
builder()
CreatesSecurity.Builder
class.static Security.Builder
Creates new instance based on configuration values.The configuration of security.contextBuilder
(String id) Create a new security context builder to build and instance.static Security
Creates new instance based on configuration values.createContext
(String id) Create a new security context with the defined id and all defaults.Collection<Class<? extends Annotation>>
Get the complete set of annotations expected by (all) security providers configured.Single<byte[]>
Decrypt cipher text.Create a digest for the provided raw bytes.Create a digest for the provided bytes.boolean
enabled()
Whether security is enabled or disabled.Encrypt bytes.Security environment builder, to be used to create environment for evaluating security in integration components.Executor service to handle possible blocking tasks in security.Get a set of roles the subject has, based onRole
.Configured provider selection policy.Optional<? extends AuthenticationProvider>
resolveAtnProvider
(String providerName) Find an authentication provider by name, or use the default if the name is not available.resolveAtzProvider
(String providerName) Find an authorization provider by name, or use the default if the name is not available.List<? extends OutboundSecurityProvider>
resolveOutboundProvider
(String providerName) Find outbound provider(s) by name, or use the default if the name is not available.Get a secret.Get a secret.Time that is decisive for the server.Subject mapping provider used to map subject(s) authenticated byAuthenticationProvider
to a newSubject
, e.g.tracer()
Returns a tracer that can be used to construct new spans.verifyDigest
(String configurationName, byte[] bytesToDigest, String digest) Verify a digest.verifyDigest
(String configurationName, byte[] bytesToDigest, String digest, boolean preHashed) Verify a digest.
-
Field Details
-
HEADER_ORIG_URI
Integration should add a special header to each request. The value will contain the original URI as was issued - for HTTP this is the relative URI including query parameters.- See Also:
-
-
Method Details
-
create
Creates new instance based on configuration values.- Parameters:
config
- Config instance located on security configuration ("providers" is an expected child)- Returns:
- new instance.
-
builder
Creates new instance based on configuration values.- Parameters:
config
- Config instance located on security configuration ("providers" is an expected child)- Returns:
- new instance.
-
builder
CreatesSecurity.Builder
class.- Returns:
- builder
-
getRoles
Get a set of roles the subject has, based onRole
. This is the set of roles as assumed by authentication provider. Authorization providers may use a different set of roles (and context used authorization provider to checkSecurityContext.isUserInRole(String)
).- Parameters:
subject
- Subject of a user/service- Returns:
- set of roles the user/service is in
-
serverTime
SecurityTime serverTime()Time that is decisive for the server. This usually returns accessor to current time in a specified time zone.SecurityTime
may be configured to a fixed point in time, intended for testing purposes.- Returns:
- time to access current time for security decisions
-
contextBuilder
Create a new security context builder to build and instance. This is expected to be invoked for each request/response exchange that may be authenticated, authorized etc. Context holds the security subject... Once your processing is done and you no longer want to keep security context, callSecurityContext.logout()
to clear subject and principals.- Parameters:
id
- to use when logging, auditing etc. (e.g. some kind of tracing id). If none or empty, security instance UUID will be used (at least to map all audit records for a single instance of security component). If defined, security will prefix this id with security instance UUID- Returns:
- new fluent API builder to create a
SecurityContext
-
createContext
Create a new security context with the defined id and all defaults.- Parameters:
id
- id of this context- Returns:
- new security context
-
tracer
Tracer tracer()Returns a tracer that can be used to construct new spans.- Returns:
Tracer
, may be a no-op tracer if tracing is disabled
-
customAnnotations
Collection<Class<? extends Annotation>> customAnnotations()Get the complete set of annotations expected by (all) security providers configured. This is to be used for integration with other frameworks that support annotations.- Returns:
- Collection of annotations expected by configured providers.
-
configFor
The configuration of security.This method will NOT return security internal configuration:
- provider-policy
- providers
- environment
- Parameters:
child
- the name of the child node to retrieve from config- Returns:
- a child node of security configuration
- Throws:
IllegalArgumentException
- in case you request child in one of the forbidden trees
-
encrypt
Encrypt bytes. This method handles the bytes in memory, and as such is not suitable for processing of large amounts of data.- Parameters:
configurationName
- name of the configuration of this encryptionbytesToEncrypt
- bytes to encrypt- Returns:
- future with cipher text
-
decrypt
Decrypt cipher text. This method handles the bytes in memory, and as such is not suitable for processing of large amounts of data.- Parameters:
configurationName
- name of the configuration of this encryptioncipherText
- cipher text to decrypt- Returns:
- future with decrypted bytes
-
digest
Create a digest for the provided bytes.- Parameters:
configurationName
- name of the digest configurationbytesToDigest
- data to digestpreHashed
- whether the data is already a hash- Returns:
- future with digest (such as signature or HMAC)
-
digest
Create a digest for the provided raw bytes.- Parameters:
configurationName
- name of the digest configurationbytesToDigest
- data to digest- Returns:
- future with digest (such as signature or HMAC)
-
verifyDigest
Single<Boolean> verifyDigest(String configurationName, byte[] bytesToDigest, String digest, boolean preHashed) Verify a digest.- Parameters:
configurationName
- name of the digest configurationbytesToDigest
- data to verify a digest fordigest
- digest as provided by a third party (or another component)preHashed
- whether the data is already a hash- Returns:
- future with result of verification (
true
means the digest is valid)
-
verifyDigest
Verify a digest.- Parameters:
configurationName
- name of the digest configurationbytesToDigest
- raw data to verify a digest fordigest
- digest as provided by a third party (or another component)- Returns:
- future with result of verification (
true
means the digest is valid)
-
secret
Get a secret.- Parameters:
configurationName
- name of the secret configuration- Returns:
- future with the secret value, or error if the secret is not configured
-
secret
Get a secret.- Parameters:
configurationName
- name of the secret configurationdefaultValue
- default value to use if secret not configured- Returns:
- future with the secret value
-
environmentBuilder
SecurityEnvironment.Builder environmentBuilder()Security environment builder, to be used to create environment for evaluating security in integration components.- Returns:
- builder to build
SecurityEnvironment
-
subjectMapper
Optional<SubjectMappingProvider> subjectMapper()Subject mapping provider used to map subject(s) authenticated byAuthenticationProvider
to a newSubject
, e.g. to add roles.- Returns:
- subject mapping provider to use or empty if none defined
-
enabled
boolean enabled()Whether security is enabled or disabled. Disabled security does not check authorization and authenticates all users asSecurityContext.ANONYMOUS
.- Returns:
true
if security is enabled
-
audit
Audit an event.- Parameters:
tracingId
- id to map this audit event to a requestevent
- event to audit
-
providerSelectionPolicy
ProviderSelectionPolicy providerSelectionPolicy()Configured provider selection policy.- Returns:
- provider selection policy
-
executorService
Supplier<ExecutorService> executorService()Executor service to handle possible blocking tasks in security.- Returns:
- executor service supplier (may be backed by a lazy implementation)
-
resolveAtnProvider
Find an authentication provider by name, or use the default if the name is not available.- Parameters:
providerName
- name of the provider- Returns:
- authentication provider if the named one is configured, or a default one is configured, otherwise empty
-
resolveAtzProvider
Find an authorization provider by name, or use the default if the name is not available.- Parameters:
providerName
- name of the provider- Returns:
- authorization provider if the named one is configured, or a default one is configured, otherwise empty
-
resolveOutboundProvider
Find outbound provider(s) by name, or use the default if the name is not available.- Parameters:
providerName
- name of the provider- Returns:
- outbound providers to use
-