WebServer
To integrate reactive web server, add the following dependency to your project’s pom.xml file:
<dependency>
<groupId>io.helidon.security.integration</groupId>
<artifactId>helidon-security-integration-webserver</artifactId>
</dependency>Configure Security with WebServer
There are two steps to configure security with WebServer:
- Create a security instance and register it with the server.
- Protect server routes with optional security features.
// web server's Routing
Routing.builder()
// This is step 1 - register security instance with web server processing
// security - instance of security either from config or from a builder
// securityDefaults - default enforcement for each route that has a security definition
.register(WebSecurity.create(security).securityDefaults(WebSecurity.authenticate()))
// this is step 2 - protect a route
// protect this route with authentication (from defaults) and role "user"
.get("/service1", WebSecurity.rolesAllowed("user"), (req, res) -> {
processService1Request(req, res);
})
.build();Routing.builder()
// helper method to load both security and web server security from configuration
.register(WebSecurity.create(config))
// continue with web server route configuration
.build();# This may change in the future - to align with web server configuration, once it is supported
security.web-server:
# Configuration of integration with web server
defaults:
# defaults for paths configured in the section below
authenticate: true
paths:
- path: "/service1[/{*}]"
methods: ["get"]
roles-allowed: ["user"]
# "authenticate: true" is implicit, as it is configured in defaults aboveNote: defaults section in configuration is related to paths on WebServer configured below in paths section, it will not apply to any other path on the webserver.
Protecting Helidon Endpoints
There are several endpoints provided by Helidon services, such as:
Health endpoint (
/health)Metrics endpoint (
/metrics)OpenAPI endpoint (
/openapi)Configured static content (can use any path configured)
These endpoints are all implemented using Helidon reactive WebServer and as such can be protected only through Security integration with WebServer.
The following section describes configuration of such protection using configuration files, in this case using a yaml file, as it provides a tree structure.
Configuring Endpoint Protection
The configuration is usually placed under security.web-server (this can be customized in Helidon SE).
The following example shows how to configure the application.yaml using customized setting:
security:
providers:
- abac:
- provider-key:
web-server:
defaults:
authenticate: true
paths:
- path: "/metrics[/{*}]"
roles-allowed: "admin"
- path: "/health[/{*}]"
roles-allowed: "monitor"
- path: "/openapi[/{*}]"
abac:
scopes: ["openapi"]
- path: "/static[/{*}]"
roles-allowed: ["user", "monitor"]- Attribute based access control provider that checks roles and scopes
- The provider(s) used in your application, such as
oidc - Default configuration for paths configured below in
pathssection - Protection of
/metricsand all nested paths withadminrole required - Protection of
/healthand all nested paths withmonitorrole required - Protection of
/openapiand all nested paths withopenapiscope required - Protection of static content configured on
/staticpath with eitheruserormonitorrole required
If you need to use a properties file, such as microprofile-config.properties, you can convert the file by using index based numbers for arrays, such as:
security.providers.0.abac=
security.providers.1.provider-key.optional=false
security.web-server.defaults.authenticate=true
security.web-server.paths.0.path=/metrics[/{*}]
security.web-server.paths.0.roles-allowed=admin
security.web-server.paths.3.path=/static[/{*}]
security.web-server.paths.3.roles-allowed=user,monitorJersey
Jersey (JAX-RS implementation) can be configured for both inbound and outbound security.
<dependency>
<groupId>io.helidon.security.integration</groupId>
<artifactId>helidon-security-integration-jersey</artifactId>
</dependency>Inbound security
ResourceConfig resourceConfig = new ResourceConfig()
// register JAX-RS resource
.register(JaxRsResource.class)
// integrate security
.register(new io.helidon.security.jersey.SecurityFeature(security));Secure a Resource Method
The current approach does not have a configuration option so security must be configured through annotations. Security currently supports @Authenticated and @Authorized. When a resource is annotated with one of these annotations (application class, resource class, or resource method), security will be triggered.
// this is sufficient for security to be triggered, see javadoc for further details
@Authenticated
@Path("/{name}")
@GET
@Produces(MediaType.TEXT_PLAIN)
// due to Jersey approach to path matching, we need two methods to match both the "root" and "root" + subpaths
public String getHelloName(@PathParam("name") String name) {
return "Hello " + name + ", your current subject: " + securityContext.getSubject();
}Access Context
// inject io.helidon.security.SecurityContext
@Context
private SecurityContext securityContext;Outbound Security
Outbound security is automatically registered with Jersey client. The provider must have outbound security configured for identity to be propagated.
<dependency>
<groupId>io.helidon.security.integration</groupId>
<artifactId>helidon-security-integration-jersey-client</artifactId>
</dependency>Client client = ClientBuilder.newClient();
try {
// call the resource, will propagate identity as configured in Security
String response = client.target("https://www.google.com")
.request()
// configure the security context for this request (as client and targets may be re-used)
.property(ClientSecurity.PROPERTY_CONTEXT, securityContext)
.get(String.class);
} finally {
client.close();
}