Example 1 with AuthorizationResponse

Use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

Class ProgrammaticSecurity, method execute.

private void execute() {
    SecurityContext context = CONTEXT.get();
    // coarse-grained check: the caller must hold the expected role
    if (!context.isUserInRole("theRole")) {
        throw new IllegalStateException("User is not in expected role");
    }
    // derive a new environment carrying the resource type, so the authorization provider knows what is being accessed
    context.env(context.env().derive().addAttribute("resourceType", "CustomResourceType"));
    // fine-grained check: ask the configured authorization provider for a decision
    AuthorizationResponse response = context.atzClientBuilder().buildAndGet();
    if (response.status().isSuccess()) {
        // ok, process resource
        System.out.println("Resource processed");
    } else {
        // any non-success status, including abstain, is treated as a denial
        System.out.println("You are not permitted to process resource");
    }
}
Also used: SecurityContext (io.helidon.security.SecurityContext), AuthorizationResponse (io.helidon.security.AuthorizationResponse)

Example 2 with AuthorizationResponse

Use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

Class AtzProviderSyncTest, method testPermitted.

@Test
public void testPermitted() {
    // an authenticated caller requesting a private path
    SecurityContext context = mock(SecurityContext.class);
    when(context.isAuthenticated()).thenReturn(true);
    SecurityEnvironment se = SecurityEnvironment.builder().path("/private/some/path").build();
    EndpointConfig ep = EndpointConfig.create();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    when(request.env()).thenReturn(se);
    when(request.endpointConfig()).thenReturn(ep);
    AtzProviderSync provider = new AtzProviderSync();
    AuthorizationResponse response = provider.syncAuthorize(request);
    // the provider grants access to the authenticated caller
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
}
Also used: SecurityEnvironment (io.helidon.security.SecurityEnvironment), SecurityContext (io.helidon.security.SecurityContext), EndpointConfig (io.helidon.security.EndpointConfig), ProviderRequest (io.helidon.security.ProviderRequest), AuthorizationResponse (io.helidon.security.AuthorizationResponse), Test (org.junit.jupiter.api.Test)

Example 3 with AuthorizationResponse

Use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

Class AtzProviderSyncTest, method testAbstain.

@Test
public void testAbstain() {
    // a request with an empty environment (no path) and no security context
    SecurityEnvironment se = SecurityEnvironment.create();
    EndpointConfig ep = EndpointConfig.create();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(se);
    when(request.endpointConfig()).thenReturn(ep);
    AtzProviderSync provider = new AtzProviderSync();
    AuthorizationResponse response = provider.syncAuthorize(request);
    // the provider makes no decision (abstains) instead of granting access
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.ABSTAIN));
}
Also used: SecurityEnvironment (io.helidon.security.SecurityEnvironment), EndpointConfig (io.helidon.security.EndpointConfig), ProviderRequest (io.helidon.security.ProviderRequest), AuthorizationResponse (io.helidon.security.AuthorizationResponse), Test (org.junit.jupiter.api.Test)

Example 4 with AuthorizationResponse

Use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

Class AbacExplicitResource, method process.

/**
 * A resource method to demonstrate explicit authorization.
 *
 * @param context  security context (injected)
 * @return "fine, sir" string; or a description of authorization failure
 */
@GET
// explicit = true: the framework does not authorize the request itself; this method must call context.authorize
@Authorized(explicit = true)
@AtnProvider.Authentication(value = "user", roles = { "user_role" }, scopes = { "calendar_read", "calendar_edit" })
@AtnProvider.Authentication(value = "service", type = SubjectType.SERVICE, roles = { "service_role" }, scopes = { "calendar_read", "calendar_edit" })
public Response process(@Context SecurityContext context) {
    SomeResource res = new SomeResource("user");
    // ask the authorization provider about this specific resource instance (attribute-based check)
    AuthorizationResponse atzResponse = context.authorize(res);
    if (atzResponse.isPermitted()) {
        // do the update
        return Response.ok().entity("fine, sir").build();
    } else {
        // denied: respond with 403 and the provider's description, if any
        return Response.status(Response.Status.FORBIDDEN).entity(atzResponse.description().orElse("Access not granted")).build();
    }
}
Also used: AuthorizationResponse (io.helidon.security.AuthorizationResponse), Authorized (io.helidon.security.annotations.Authorized), GET (jakarta.ws.rs.GET)

Example 5 with AuthorizationResponse

Use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

Class SecurityFilterCommon, method processAuthorization.

protected void processAuthorization(SecurityFilter.FilterContext context, SecurityClientBuilder<AuthorizationResponse> clientBuilder) {
    // now fully synchronous
    AuthorizationResponse response = clientBuilder.buildAndGet();
    SecurityResponse.SecurityStatus responseStatus = response.status();
    switch(responseStatus) {
        case SUCCESS:
            // everything is fine, we can continue with processing
            return;
        case FAILURE_FINISH:
            // denied; the provider wants to end the request, default status is 403
            context.setTraceSuccess(false);
            context.setTraceDescription(response.description().orElse(responseStatus.toString()));
            context.setTraceThrowable(response.throwable().orElse(null));
            context.setShouldFinish(true);
            int status = response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode());
            abortRequest(context, response, status, Map.of());
            return;
        case SUCCESS_FINISH:
            // permitted, but the provider already produced the response (e.g. a redirect); finish with its status, default 200
            context.setShouldFinish(true);
            status = response.statusCode().orElse(Response.Status.OK.getStatusCode());
            abortRequest(context, response, status, Map.of());
            return;
        case FAILURE:
            // denied: abort with the provider's status code, default 403
            context.setTraceSuccess(false);
            context.setTraceDescription(response.description().orElse(responseStatus.toString()));
            context.setTraceThrowable(response.throwable().orElse(null));
            context.setShouldFinish(true);
            abortRequest(context, response, response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode()), Map.of());
            return;
        case ABSTAIN:
            // no provider made a decision; fail closed and abort with 403 rather than letting the request through
            context.setTraceSuccess(false);
            context.setTraceDescription(response.description().orElse(responseStatus.toString()));
            context.setShouldFinish(true);
            abortRequest(context, response, response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode()), Map.of());
            return;
        default:
            // an unknown status is a programming error, not a permit: record it in the trace and throw
            context.setTraceSuccess(false);
            context.setTraceDescription(response.description().orElse("UNKNOWN_RESPONSE: " + responseStatus));
            context.setShouldFinish(true);
            SecurityException throwable = new SecurityException("Invalid SecurityStatus returned: " + responseStatus);
            context.setTraceThrowable(throwable);
            throw throwable;
    }
}
Also used: SecurityResponse (io.helidon.security.SecurityResponse), AuthorizationResponse (io.helidon.security.AuthorizationResponse)

Aggregations

Class (package): number of usages

AuthorizationResponse (io.helidon.security.AuthorizationResponse): 16
Test (org.junit.jupiter.api.Test): 12
EndpointConfig (io.helidon.security.EndpointConfig): 9
ProviderRequest (io.helidon.security.ProviderRequest): 9
SecurityContext (io.helidon.security.SecurityContext): 7
SecurityEnvironment (io.helidon.security.SecurityEnvironment): 5
SecurityLevel (io.helidon.security.SecurityLevel): 5
SecurityResponse (io.helidon.security.SecurityResponse): 4
Security (io.helidon.security.Security): 3
AuthenticationResponse (io.helidon.security.AuthenticationResponse): 2
RolesAllowed (jakarta.annotation.security.RolesAllowed): 2
WebApplicationException (jakarta.ws.rs.WebApplicationException): 2
Response (jakarta.ws.rs.core.Response): 2
List (java.util.List): 2
Set (java.util.Set): 2
Collectors (java.util.stream.Collectors): 2
ContainerRequest (org.glassfish.jersey.server.ContainerRequest): 2
CoreMatchers.is (org.hamcrest.CoreMatchers.is): 2
MatcherAssert.assertThat (org.hamcrest.MatcherAssert.assertThat): 2
Errors (io.helidon.common.Errors): 1