java.lang.Object
io.helidon.webserver.grpc.security.GrpcSecurity
All Implemented Interfaces:
io.grpc.ServerInterceptor, NamedService, NamedService, GrpcServiceDescriptor.Configurer, GrpcServerService

public final class GrpcSecurity extends Object implements io.grpc.ServerInterceptor, GrpcServerService, GrpcServiceDescriptor.Configurer
Integration of security into the gRPC server.

The interceptor creates a SecurityContext for each gRPC call. Use securityDefaults(GrpcSecurityHandler) to set defaults for all calls, and use the handler factory methods on this class to configure security for services or methods.
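An added usage sketch (not part of the Helidon documentation or code base) of the two steps above: building an interceptor whose default for all calls is `authenticate()`, and reading the per-call `SecurityContext` through the `SECURITY_CONTEXT` key so the handler fails closed. The class and method names `GrpcSecurityUsage`, `authenticatedByDefault` and `requireRole` are hypothetical, and the `SecurityContext` accessors are assumed from `io.helidon.security.SecurityContext`.

```java
import io.grpc.Status;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.webserver.grpc.security.GrpcSecurity;

/** Added illustration; the class and method names are hypothetical. */
public final class GrpcSecurityUsage {

    private GrpcSecurityUsage() {
    }

    /**
     * Builds an interceptor whose least-significant default is authenticate().
     * securityDefaults(...) is documented as creating a new instance, so the
     * returned object is the one to register, not the receiver.
     */
    static GrpcSecurity authenticatedByDefault(Security security) {
        GrpcSecurity base = GrpcSecurity.create(security);
        return base.securityDefaults(GrpcSecurity.authenticate());
    }

    /**
     * Call from inside a gRPC service method, on the thread that carries the
     * call's io.grpc.Context. A missing context is treated as unauthenticated,
     * so a service registered without the interceptor rejects the call.
     */
    static String requireRole(String role) {
        // Context.Key.get() reads the key from the current gRPC context.
        SecurityContext context = GrpcSecurity.SECURITY_CONTEXT.get();
        if (context == null || !context.isAuthenticated()) {
            throw Status.UNAUTHENTICATED
                    .withDescription("authentication required")
                    .asRuntimeException();
        }
        if (!context.isUserInRole(role)) {
            throw Status.PERMISSION_DENIED
                    .withDescription("missing required role")
                    .asRuntimeException();
        }
        return context.userName();
    }
}
```

The in-method check complements `rolesAllowed(String...)` rather than replacing it: the handler enforces the policy in the interceptor, while `requireRole` guards code paths that could be reached if that configuration is missing.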

  • Field Details

    • CONTEXT_ADD_HEADERS

      public static final io.grpc.Context.Key<Map<String,List<String>>> CONTEXT_ADD_HEADERS
      Security can accept additional headers to be added to the security request.
    • SECURITY_CONTEXT

      public static final io.grpc.Context.Key<SecurityContext> SECURITY_CONTEXT
      The security context gRPC context key.
    • GRPC_SECURITY_HANDLER

      public static final io.grpc.Context.Key<GrpcSecurityHandler> GRPC_SECURITY_HANDLER
      The default security handler gRPC context key.
    • ABAC_ATTRIBUTE_REMOTE_ADDRESS

      public static final String ABAC_ATTRIBUTE_REMOTE_ADDRESS
      The value used for the key of the security context environment's ABAC request remote address attribute.
    • ABAC_ATTRIBUTE_REMOTE_PORT

      public static final String ABAC_ATTRIBUTE_REMOTE_PORT
      The value used for the key of the security context environment's ABAC request remote port attribute.
    • ABAC_ATTRIBUTE_HEADERS

      public static final String ABAC_ATTRIBUTE_HEADERS
      The value used for the key of the security context environment's ABAC request headers attribute.
    • ABAC_ATTRIBUTE_METHOD

      public static final String ABAC_ATTRIBUTE_METHOD
      The value used for the key of the security context environment's ABAC request method descriptor attribute.
  • Method Details

    • create

      public static GrpcSecurity create(Security security)
      Create a new gRPC security interceptor.
      Parameters:
      security - initialized security
      Returns:
      gRPC security
    • create

      public static GrpcSecurity create(Config config)
      Create a new gRPC security interceptor from configuration.

      The configuration instance may be the root config or a grpc-services.security node. The security instance is created from the root security node.

      Parameters:
      config - configuration
      Returns:
      gRPC security
    • create

      public static GrpcSecurity create(Security security, Config config)
      Create a new gRPC security interceptor from security and configuration.

      The configuration instance may be the root config or a grpc-services.security node.

      Parameters:
      security - initialized security
      config - configuration
      Returns:
      gRPC security
    • secure

      public static GrpcSecurityHandler secure()
      Secure access using authentication and authorization.
      Returns:
      security handler
    • authenticate

      public static GrpcSecurityHandler authenticate()
      Authenticate a request.
      Returns:
      security handler
    • audit

      public static GrpcSecurityHandler audit()
      Audit a request.
      Returns:
      security handler
    • authenticator

      public static GrpcSecurityHandler authenticator(String explicitAuthenticator)
      Use a named authenticator.
      Parameters:
      explicitAuthenticator - authenticator name
      Returns:
      security handler
    • authorizer

      public static GrpcSecurityHandler authorizer(String explicitAuthorizer)
      Use a named authorizer.
      Parameters:
      explicitAuthorizer - authorizer name
      Returns:
      security handler
    • rolesAllowed

      public static GrpcSecurityHandler rolesAllowed(String... roles)
      Require at least one of the specified roles.
      Parameters:
      roles - allowed roles
      Returns:
      security handler
    • allowAnonymous

      public static GrpcSecurityHandler allowAnonymous()
      Authenticate if possible and continue as anonymous on authentication failure.
      Returns:
      security handler
    • authorize

      public static GrpcSecurityHandler authorize()
      Authorize a request.
      Returns:
      security handler
    • enforce

      public static GrpcSecurityHandler enforce()
      Return a default handler to customize.
      Returns:
      security handler
    • securityDefaults

      public GrpcSecurity securityDefaults(GrpcSecurityHandler defaultHandler)
      Create a new gRPC security instance using the provided handler as the least-significant default.
      Parameters:
      defaultHandler - default security handler
      Returns:
      gRPC security
    • type

      public String type()
      Description copied from interface: NamedService
      Type of this implementation, used to distinguish instances of the same type that have different NamedService.name() values. For example, use ConfiguredProvider.configKey() to define the type.
      Specified by:
      type in interface GrpcServerService
      Specified by:
      type in interface NamedService
      Specified by:
      type in interface NamedService
      Returns:
      type of this service
    • interceptors

      public WeightedBag<io.grpc.ServerInterceptor> interceptors()
      Description copied from interface: GrpcServerService
      Insert a list of server interceptors for a gRPC call.
      Specified by:
      interceptors in interface GrpcServerService
      Returns:
      weighted bag of interceptors
    • configure

      public void configure(GrpcServiceDescriptor.Rules rules)
      Description copied from interface: GrpcServiceDescriptor.Configurer
      Apply extra configuration to a GrpcServiceDescriptor.Rules.
      Specified by:
      configure in interface GrpcServiceDescriptor.Configurer
      Parameters:
      rules - the GrpcServiceDescriptor.Rules to configure
    • interceptCall

      public <ReqT, RespT> io.grpc.ServerCall.Listener<ReqT> interceptCall(io.grpc.ServerCall<ReqT,RespT> call, io.grpc.Metadata headers, io.grpc.ServerCallHandler<ReqT,RespT> next)
      Specified by:
      interceptCall in interface io.grpc.ServerInterceptor