use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class ProgrammaticSecurity method execute.
/**
 * Demonstrates programmatic security checks against the current {@code SecurityContext}:
 * a role check first, then an authorization call through the configured provider.
 *
 * @throws IllegalStateException if the current user is not in role {@code "theRole"}
 */
private void execute() {
    SecurityContext securityContext = CONTEXT.get();

    // guard clause: the role check is a hard precondition, so fail fast
    if (!securityContext.isUserInRole("theRole")) {
        throw new IllegalStateException("User is not in expected role");
    }

    // tag the environment so the provider can evaluate the resource type being accessed
    securityContext.env(securityContext.env().derive().addAttribute("resourceType", "CustomResourceType"));

    // ask the authorization provider for a verdict (synchronous)
    AuthorizationResponse atzResponse = securityContext.atzClientBuilder().buildAndGet();
    boolean permitted = atzResponse.status().isSuccess();

    // ok, process resource only on a successful status
    System.out.println(permitted ? "Resource processed" : "You are not permitted to process resource");
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AtzProviderSyncTest method testPermitted.
/**
 * The synchronous provider returns {@code SUCCESS} for an authenticated caller
 * whose request targets {@code /private/some/path}.
 */
@Test
public void testPermitted() {
    SecurityEnvironment env = SecurityEnvironment.builder().path("/private/some/path").build();
    EndpointConfig endpointConfig = EndpointConfig.create();
    SecurityContext securityContext = mock(SecurityContext.class);
    ProviderRequest providerRequest = mock(ProviderRequest.class);

    // stub the request so it carries an authenticated context plus the path/endpoint above
    when(securityContext.isAuthenticated()).thenReturn(true);
    when(providerRequest.securityContext()).thenReturn(securityContext);
    when(providerRequest.env()).thenReturn(env);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    AuthorizationResponse verdict = new AtzProviderSync().syncAuthorize(providerRequest);

    assertThat(verdict.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AtzProviderSyncTest method testAbstain.
/**
 * With a default environment (no path) and no security context stubbed on the request,
 * the synchronous provider is expected to {@code ABSTAIN} rather than permit or deny.
 */
@Test
public void testAbstain() {
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    SecurityEnvironment env = SecurityEnvironment.create();
    EndpointConfig endpointConfig = EndpointConfig.create();

    // note: securityContext() is deliberately left unstubbed on the mock
    when(providerRequest.env()).thenReturn(env);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    AtzProviderSync underTest = new AtzProviderSync();
    AuthorizationResponse verdict = underTest.syncAuthorize(providerRequest);

    assertThat(verdict.status(), is(SecurityResponse.SecurityStatus.ABSTAIN));
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacExplicitResource method process.
/**
 * A resource method to demonstrate explicit authorization: the endpoint is marked
 * {@code @Authorized(explicit = true)}, so the method itself must ask the security
 * context for an authorization verdict before doing any work.
 *
 * @param context security context (injected)
 * @return "fine, sir" string; or a description of authorization failure
 */
@GET
@Authorized(explicit = true)
@AtnProvider.Authentication(value = "user", roles = { "user_role" }, scopes = { "calendar_read", "calendar_edit" })
@AtnProvider.Authentication(value = "service", type = SubjectType.SERVICE, roles = { "service_role" }, scopes = { "calendar_read", "calendar_edit" })
public Response process(@Context SecurityContext context) {
    AuthorizationResponse verdict = context.authorize(new SomeResource("user"));

    if (!verdict.isPermitted()) {
        // NOTE(review): the provider's failure description is echoed to the caller as the
        // response body; acceptable for this demo, worth keeping generic in production code
        String reason = verdict.description().orElse("Access not granted");
        return Response.status(Response.Status.FORBIDDEN).entity(reason).build();
    }

    // do the update
    return Response.ok().entity("fine, sir").build();
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class SecurityFilterCommon method processAuthorization.
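/**
 * Runs the authorization client synchronously and maps the resulting
 * {@code SecurityStatus} onto the filter context.
 *
 * <p>Only {@code SUCCESS} lets the request continue. {@code SUCCESS_FINISH}
 * aborts with the response's status code (default {@code 200 OK}) without
 * marking the trace as failed. {@code FAILURE_FINISH}, {@code FAILURE} and
 * {@code ABSTAIN} all mark the trace as failed and abort with the response's
 * status code, defaulting to {@code 403 FORBIDDEN} — i.e. an abstaining
 * provider is treated as a denial (fail closed). Any other status is a
 * programming error and is surfaced as a {@code SecurityException}.
 *
 * @param context       filter context that receives trace data and the abort decision
 * @param clientBuilder builder for the authorization client to execute
 * @throws SecurityException if the provider returns a status this method does not know
 */
protected void processAuthorization(SecurityFilter.FilterContext context, SecurityClientBuilder<AuthorizationResponse> clientBuilder) {
    // now fully synchronous
    AuthorizationResponse response = clientBuilder.buildAndGet();
    SecurityResponse.SecurityStatus responseStatus = response.status();
    switch (responseStatus) {
    case SUCCESS:
        // everything is fine, we can continue with processing
        return;
    case SUCCESS_FINISH:
        // provider already produced the response; stop here, but this is not a failure
        context.setShouldFinish(true);
        abortRequest(context, response, response.statusCode().orElse(Response.Status.OK.getStatusCode()), Map.of());
        return;
    case FAILURE_FINISH:
    case FAILURE:
        traceFailureAndAbort(context, response, responseStatus, true);
        return;
    case ABSTAIN:
        // no provider gave a verdict; deny rather than fall through (no throwable to record)
        traceFailureAndAbort(context, response, responseStatus, false);
        return;
    default:
        context.setTraceSuccess(false);
        context.setTraceDescription(response.description().orElse("UNKNOWN_RESPONSE: " + responseStatus));
        context.setShouldFinish(true);
        SecurityException throwable = new SecurityException("Invalid SecurityStatus returned: " + responseStatus);
        context.setTraceThrowable(throwable);
        throw throwable;
    }
}

/**
 * Records a failed authorization on the trace and aborts the request with the
 * response's status code, defaulting to {@code 403 FORBIDDEN}.
 *
 * @param context         filter context to update
 * @param response        authorization response that produced the failure
 * @param responseStatus  status used as the fallback trace description
 * @param recordThrowable whether the response's throwable (if any) is copied to the trace
 */
private void traceFailureAndAbort(SecurityFilter.FilterContext context,
                                  AuthorizationResponse response,
                                  SecurityResponse.SecurityStatus responseStatus,
                                  boolean recordThrowable) {
    context.setTraceSuccess(false);
    context.setTraceDescription(response.description().orElse(responseStatus.toString()));
    if (recordThrowable) {
        context.setTraceThrowable(response.throwable().orElse(null));
    }
    context.setShouldFinish(true);
    abortRequest(context, response, response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode()), Map.of());
}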