/**
 * Creates a new {@link SecurityContext} that carries the given id and default values for
 * everything else (no environment, endpoint config, tracing span or executor is set here).
 *
 * @param id id of the new context
 * @return newly built security context
 */
public SecurityContext createContext(String id) {
    // Only the id is supplied; every other setting comes from the builder's defaults.
    SecurityContext context = contextBuilder(id).build();
    return context;
}
/**
 * Returns whether the subject holds the given role.
 * <p>
 * Providers with their own notion of role-based access may override this. The default
 * implementation answers from the subject's {@link Role} grants as collected by
 * {@code Security.getRoles(subject)}: the role is held iff a grant with exactly that name exists
 * (comparison is case-sensitive, plain {@code Set.contains}).
 * <p>
 * Provided because the Servlet and JAX-RS security APIs are built around this check.
 *
 * @param subject current subject
 * @param role role name to test
 * @return true if the subject has a role grant named {@code role}
 */
default boolean isUserInRole(Subject subject, String role) {
    boolean granted = Security.getRoles(subject).contains(role);
    return granted;
}
}
/**
 * Creates a {@link Builder} pre-populated from configuration.
 * <p>
 * {@code config} is expected to be the node holding the security configuration (the
 * {@code providers} child is read from it).
 *
 * @param config security configuration node
 * @return builder with the configuration applied
 * @throws NullPointerException if {@code config} is null
 */
public static Builder builder(Config config) {
    Objects.requireNonNull(config, "Configuration must not be null");
    Builder configured = builder();
    return configured.config(config);
}
/**
 * Ensures the request carries a {@link SecurityContext}, then continues the routing chain.
 * <p>
 * A context is created only when none is registered on the request context yet; in that case the
 * default handler is registered alongside it. When a context already exists nothing is touched
 * (the headers computed below are then simply discarded).
 * The environment's headers are the request headers overlaid with any map registered under
 * {@code CONTEXT_ADD_HEADERS}; an added header with the same key replaces the request's value.
 * {@code userIp}/{@code userPort} are taken from {@code req.remoteAddress()}/{@code req.remotePort()},
 * i.e. the connection peer as this server sees it — no forwarded-header handling happens here, so
 * behind a reverse proxy this is presumably the proxy's address, not the end client's.
 *
 * @param req server request
 * @param res server response (not used by this method)
 */
private void registerContext(ServerRequest req, ServerResponse res) {
    Map<String, List<String>> effectiveHeaders = new HashMap<>(req.headers().toMap());
    Optional<Map> addedHeaders = req.context().get(CONTEXT_ADD_HEADERS, Map.class);
    addedHeaders.ifPresent(effectiveHeaders::putAll);

    boolean contextMissing = !req.context().get(SecurityContext.class).isPresent();
    if (contextMissing) {
        // The id is a process-wide counter value: a correlation id for logs/tracing, not a secret.
        SecurityContext context = security.contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet()))
                .tracingSpan(req.spanContext())
                .env(buildEnvironment(req, effectiveHeaders))
                .endpointConfig(EndpointConfig.builder().build())
                .build();
        req.context().register(context);
        req.context().register(defaultHandler);
    }
    req.next();
}

/** Describes the incoming request (target URI, path, method, peer, transport, headers) for security providers. */
private SecurityEnvironment buildEnvironment(ServerRequest req, Map<String, List<String>> headers) {
    return security.environmentBuilder()
            .targetUri(req.uri())
            .path(req.path().toString())
            .method(req.method().name())
            .addAttribute("userIp", req.remoteAddress())
            .addAttribute("userPort", req.remotePort())
            .transport(req.isSecure() ? "https" : "http")
            .headers(headers)
            .build();
}
/**
 * Request filter entry point: establishes a tracing span and a fresh {@link SecurityContext}
 * for this request.
 * <p>
 * If {@code parentSpanContextProvider} yields no span, a {@code security-parent} span is started
 * here and stored under {@code PROP_PARENT_SPAN}; {@code PROP_CLOSE_PARENT_SPAN} records whether
 * this filter owns (and must later close) that span. The new context — identified by a base-36
 * counter value, a correlation id rather than a secret — is published through the injection
 * manager's {@code Ref<SecurityContext>}. Authentication runs right away only when
 * {@code featureConfig().shouldUsePrematchingAuthentication()} is enabled; otherwise it is
 * presumably handled by a later, post-matching filter — confirm against the rest of this class.
 *
 * @param request JAX-RS request context
 */
@Override
public void filter(ContainerRequestContext request) {
    SpanContext parentSpan = resolveParentSpan(request);

    String contextId = Integer.toString(CONTEXT_COUNTER.incrementAndGet(), Character.MAX_RADIX);
    SecurityContext securityContext = security()
            .contextBuilder(contextId)
            .tracingSpan(parentSpan)
            .executorService(executorService)
            .build();

    Ref<SecurityContext> contextRef = injectionManager.getInstance(
            (new GenericType<Ref<SecurityContext>>() { }).getType());
    contextRef.set(securityContext);

    if (featureConfig().shouldUsePrematchingAuthentication()) {
        doFilter(request, securityContext);
    }
}

/**
 * Returns the span context to attach to this request, starting a {@code security-parent} span
 * when the provider has none, and records on the request whether that span must be closed by
 * this filter.
 */
private SpanContext resolveParentSpan(ContainerRequestContext request) {
    SpanContext provided = parentSpanContextProvider.get();
    if (provided != null) {
        request.setProperty(PROP_CLOSE_PARENT_SPAN, false);
        return provided;
    }
    Span requestSpan = security().tracer().buildSpan("security-parent").start();
    request.setProperty(PROP_PARENT_SPAN, requestSpan);
    request.setProperty(PROP_CLOSE_PARENT_SPAN, true);
    return requestSpan.context();
}
security = Security.create(config.get("security")); } else { LOGGER.info( + "(requires providers configuration at key security.providers). Security will not have any valid " + "provider."); security = Security.builder() .addProvider(AbacProvider.create()) .addAuthenticationProvider(providerRequest -> CompletableFuture
/**
 * Creates the web-server security integration from configuration.
 * <p>
 * The {@link Security} instance is built from {@code config} and then handed, together with the
 * same config, to {@code create(Security, Config)} which wires the routing integration. The
 * result is meant to be {@link Routing.Builder#register(Service...) registered} with the web
 * server routing. A null config is rejected by {@code Security.create}.
 *
 * @param config configuration for both security and the web server integration
 * @return routing service/config consumer handling security
 */
public static WebSecurity create(Config config) {
    return create(Security.create(config), config);
}
/**
 * Records an audit event through the owning {@code Security} instance, tagging it with this
 * context's tracing id so the event can be correlated with the request.
 *
 * @param event event to audit
 */
@Override
public void audit(AuditEvent event) {
    this.security.audit(this.tracingId, event);
}
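/**
 * Builds the configured {@link Security} instance.
 * <p>
 * Provider categories left empty are filled with defaults:
 * <ul>
 *   <li>audit: a {@link DefaultAuditProvider} created from this builder's config</li>
 *   <li>authentication: a provider that succeeds with {@link SecurityContext#ANONYMOUS}
 *       for every request</li>
 *   <li>authorization: a provider that permits every request</li>
 * </ul>
 * The authentication and authorization defaults are fail-open (everyone is anonymous,
 * everything is permitted). They are convenient for development but dangerous in a
 * deployment that only configured, say, an authentication provider and expects
 * authorization to deny by default — hence each default is logged as a warning.
 *
 * @return built instance.
 */
@Override
public Security build() {
    if (allProviders.isEmpty()) {
        LOGGER.warning("Security component is NOT configured with any security providers.");
    }
    if (auditProviders.isEmpty()) {
        DefaultAuditProvider provider = config.as(DefaultAuditProvider::create).get();
        addAuditProvider(provider);
    }
    if (atnProviders.isEmpty()) {
        // Fail-open default: make it visible in the logs rather than silently installing it.
        LOGGER.warning("No authentication provider configured; every request will be authenticated as ANONYMOUS.");
        addAuthenticationProvider(context -> CompletableFuture
                .completedFuture(AuthenticationResponse.success(SecurityContext.ANONYMOUS)), "default");
    }
    if (atzProviders.isEmpty()) {
        // Fail-open default: every authorization decision is "permit" until a provider is configured.
        LOGGER.warning("No authorization provider configured; every authorization request will be permitted.");
        addAuthorizationProvider(context -> CompletableFuture
                .completedFuture(AuthorizationResponse.permit()), "default");
    }
    return new Security(this);
}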
/**
 * Ensures the request carries a {@link SecurityContext}, then continues the routing chain.
 * <p>
 * A context is created only when none is registered on the request context yet; in that case the
 * default handler is registered alongside it. When a context already exists nothing is touched
 * (the headers computed below are then simply discarded).
 * The environment's headers are the request headers overlaid with any map registered under
 * {@code CONTEXT_ADD_HEADERS}; an added header with the same key replaces the request's value.
 * {@code userIp}/{@code userPort} are taken from {@code req.remoteAddress()}/{@code req.remotePort()},
 * i.e. the connection peer as this server sees it — no forwarded-header handling happens here, so
 * behind a reverse proxy this is presumably the proxy's address, not the end client's.
 *
 * @param req server request
 * @param res server response (not used by this method)
 */
private void registerContext(ServerRequest req, ServerResponse res) {
    Map<String, List<String>> effectiveHeaders = new HashMap<>(req.headers().toMap());
    Optional<Map> addedHeaders = req.context().get(CONTEXT_ADD_HEADERS, Map.class);
    addedHeaders.ifPresent(effectiveHeaders::putAll);

    boolean contextMissing = !req.context().get(SecurityContext.class).isPresent();
    if (contextMissing) {
        // The id is a process-wide counter value: a correlation id for logs/tracing, not a secret.
        SecurityContext context = security.contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet()))
                .tracingSpan(req.spanContext())
                .env(buildEnvironment(req, effectiveHeaders))
                .endpointConfig(EndpointConfig.builder().build())
                .build();
        req.context().register(context);
        req.context().register(defaultHandler);
    }
    req.next();
}

/** Describes the incoming request (target URI, path, method, peer, transport, headers) for security providers. */
private SecurityEnvironment buildEnvironment(ServerRequest req, Map<String, List<String>> headers) {
    return security.environmentBuilder()
            .targetUri(req.uri())
            .path(req.path().toString())
            .method(req.method().name())
            .addAttribute("userIp", req.remoteAddress())
            .addAttribute("userPort", req.remotePort())
            .transport(req.isSecure() ? "https" : "http")
            .headers(headers)
            .build();
}
/**
 * Request filter entry point: establishes a tracing span and a fresh {@link SecurityContext}
 * for this request.
 * <p>
 * If {@code parentSpanContextProvider} yields no span, a {@code security-parent} span is started
 * here and stored under {@code PROP_PARENT_SPAN}; {@code PROP_CLOSE_PARENT_SPAN} records whether
 * this filter owns (and must later close) that span. The new context — identified by a base-36
 * counter value, a correlation id rather than a secret — is published through the injection
 * manager's {@code Ref<SecurityContext>}. Authentication runs right away only when
 * {@code featureConfig().shouldUsePrematchingAuthentication()} is enabled; otherwise it is
 * presumably handled by a later, post-matching filter — confirm against the rest of this class.
 *
 * @param request JAX-RS request context
 */
@Override
public void filter(ContainerRequestContext request) {
    SpanContext parentSpan = resolveParentSpan(request);

    String contextId = Integer.toString(CONTEXT_COUNTER.incrementAndGet(), Character.MAX_RADIX);
    SecurityContext securityContext = security()
            .contextBuilder(contextId)
            .tracingSpan(parentSpan)
            .executorService(executorService)
            .build();

    Ref<SecurityContext> contextRef = injectionManager.getInstance(
            (new GenericType<Ref<SecurityContext>>() { }).getType());
    contextRef.set(securityContext);

    if (featureConfig().shouldUsePrematchingAuthentication()) {
        doFilter(request, securityContext);
    }
}

/**
 * Returns the span context to attach to this request, starting a {@code security-parent} span
 * when the provider has none, and records on the request whether that span must be closed by
 * this filter.
 */
private SpanContext resolveParentSpan(ContainerRequestContext request) {
    SpanContext provided = parentSpanContextProvider.get();
    if (provided != null) {
        request.setProperty(PROP_CLOSE_PARENT_SPAN, false);
        return provided;
    }
    Span requestSpan = security().tracer().buildSpan("security-parent").start();
    request.setProperty(PROP_PARENT_SPAN, requestSpan);
    request.setProperty(PROP_CLOSE_PARENT_SPAN, true);
    return requestSpan.context();
}
security = Security.create(config.get("security")); } else { LOGGER.info( + "(requires providers configuration at key security.providers). Security will not have any valid " + "provider."); security = Security.builder() .addProvider(AbacProvider.create()) .addAuthenticationProvider(providerRequest -> CompletableFuture
audit(instanceUuid, SecurityAuditEvent.info( AuditEvent.SECURITY_TYPE_PREFIX + ".configure", "Security initialized. Providers: audit: \"%s\"; authn: \"%s\"; authz: \"%s\"; identity propagation: \"%s\";")
/**
 * Checks that the subject holds every one of the given roles.
 * <p>
 * This is a conjunction. To test for "any of" several roles, combine single-role checks with
 * {@code ||} instead, e.g. {@code inRole(user, "manager") || inRole(user, "admin")}.
 * With no roles given the check is vacuously true — callers must not rely on an empty
 * {@code roles} array meaning "deny".
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    // Stops at the first role that is not granted.
    return java.util.Arrays.stream(roles).allMatch(granted::contains);
}
/**
 * Creates a {@link Security} instance from configuration.
 * <p>
 * Shorthand for building via {@code builder().config(config).build()}; {@code config} is the node
 * holding the security configuration (its {@code providers} child is read).
 *
 * @param config security configuration node
 * @return new, fully built instance
 * @throws NullPointerException if {@code config} is null
 */
public static Security create(Config config) {
    Objects.requireNonNull(config, "Configuration must not be null");
    return builder().config(config).build();
}
/**
 * Builds and signs an outbound JWT for {@code subject} and returns it as headers for the target.
 * <p>
 * Claim assembly order matters: every ABAC attribute of the principal is copied into the payload
 * verbatim first, then {@code name} is derived from {@code full_name} (or removed when absent),
 * then the standard claims are set, then the target's own adjustments ({@code ot.update}) are
 * applied, and finally the MP {@code upn} fallback and the subject's roles as user groups are added.
 * NOTE(review): because all ABAC attributes are propagated, any attribute attached to the principal
 * (including ones that may have been carried over from an inbound token) is re-emitted in this
 * signed token and becomes visible to the target — check that nothing sensitive lives in ABAC
 * attributes. No expiry / not-before is set in this method; presumably {@code ot.update(builder)}
 * or the JWT builder defaults take care of it — confirm.
 *
 * @param ot outbound target (selects the signing key by {@code jwkKid} and how the token is sent)
 * @param subject subject whose identity is propagated
 * @return response carrying the header(s) with the signed token
 * @throws JwtException if no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Map<String, List<String>> headers = new HashMap<>();
    // Signing key is looked up by the kid configured on the target; missing key is a hard error.
    Jwk jwk = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();
    Jwt.Builder builder = Jwt.builder();
    // Every ABAC attribute of the principal becomes a payload claim under its own name.
    principal.abacAttributeNames().forEach(name -> {
        principal.abacAttribute(name).ifPresent(val -> builder.addPayloadClaim(name, val));
    });
    // "name" claim mirrors "full_name"; explicitly removed so no stale value survives the copy above.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(name -> builder.addPayloadClaim("name", name),
                             () -> builder.removePayloadClaim("name"));
    builder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(jwk.algorithm());
    // Target-specific adjustments are applied after the standard claims, so they may override them.
    ot.update(builder);
    // MP specific: only set upn from the principal name when no "upn" attribute was copied already.
    if (!principal.abacAttribute("upn").isPresent()) {
        builder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject)
            .forEach(builder::addUserGroup);
    Jwt jwt = builder.build();
    SignedJwt signed = SignedJwt.sign(jwt, jwk);
    // The target decides which header carries the token.
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Checks that the subject holds every one of the given roles.
 * <p>
 * This is a conjunction. To test for "any of" several roles, combine single-role checks with
 * {@code ||} instead, e.g. {@code inRole(user, "manager") || inRole(user, "admin")}.
 * With no roles given the check is vacuously true — callers must not rely on an empty
 * {@code roles} array meaning "deny".
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    // Stops at the first role that is not granted.
    return java.util.Arrays.stream(roles).allMatch(granted::contains);
}
/**
 * Checks that the subject holds every one of the given roles.
 * <p>
 * This is a conjunction. To test for "any of" several roles, combine single-role checks with
 * {@code ||} instead, e.g. {@code inRole(user, "manager") || inRole(user, "admin")}.
 * With no roles given the check is vacuously true — callers must not rely on an empty
 * {@code roles} array meaning "deny".
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    // Stops at the first role that is not granted.
    return java.util.Arrays.stream(roles).allMatch(granted::contains);
}
/**
 * Builds and signs an outbound JWT for {@code subject} and returns it as headers for the target.
 * <p>
 * Claim assembly order matters: every ABAC attribute of the principal is copied into the payload
 * verbatim first, then {@code name} is derived from {@code full_name} (or removed when absent),
 * then the standard claims are set, then the target's own adjustments ({@code ot.update}) are
 * applied, and finally the MP {@code upn} fallback and the subject's roles as user groups are added.
 * NOTE(review): because all ABAC attributes are propagated, any attribute attached to the principal
 * (including ones that may have been carried over from an inbound token) is re-emitted in this
 * signed token and becomes visible to the target — check that nothing sensitive lives in ABAC
 * attributes. No expiry / not-before is set in this method; presumably {@code ot.update(builder)}
 * or the JWT builder defaults take care of it — confirm.
 *
 * @param ot outbound target (selects the signing key by {@code jwkKid} and how the token is sent)
 * @param subject subject whose identity is propagated
 * @return response carrying the header(s) with the signed token
 * @throws JwtException if no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Map<String, List<String>> headers = new HashMap<>();
    // Signing key is looked up by the kid configured on the target; missing key is a hard error.
    Jwk jwk = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();
    Jwt.Builder builder = Jwt.builder();
    // Every ABAC attribute of the principal becomes a payload claim under its own name.
    principal.abacAttributeNames().forEach(name -> {
        principal.abacAttribute(name).ifPresent(val -> builder.addPayloadClaim(name, val));
    });
    // "name" claim mirrors "full_name"; explicitly removed so no stale value survives the copy above.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(name -> builder.addPayloadClaim("name", name),
                             () -> builder.removePayloadClaim("name"));
    builder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(jwk.algorithm());
    // Target-specific adjustments are applied after the standard claims, so they may override them.
    ot.update(builder);
    // MP specific: only set upn from the principal name when no "upn" attribute was copied already.
    if (!principal.abacAttribute("upn").isPresent()) {
        builder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject)
            .forEach(builder::addUserGroup);
    Jwt jwt = builder.build();
    SignedJwt signed = SignedJwt.sign(jwt, jwk);
    // The target decides which header carries the token.
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}