Use of io.helidon.security.integration.common.SecurityTracing in project helidon (by oracle).
Class SecurityFilterCommon, method doFilter.
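/**
 * Runs the security pipeline for one JAX-RS request: builds the {@link SecurityEnvironment} and
 * {@link EndpointConfig} from the request, installs the security context on the request, and
 * delegates authentication/authorization to {@code processSecurity}.
 * <p>
 * The tracing span is closed on every path: plain {@code finish()} for a request that matched no
 * resource, "proceed" when {@code filterContext.isTraceSuccess()} is set, otherwise "deny" plus an
 * "aborted" error.
 * <p>
 * NOTE(review): if {@code processSecurity} throws, the {@code finally} only reports the literal
 * "aborted" to tracing - the actual throwable is not attached to the span. Whether
 * {@code tracing.error(String)} also finishes the span is not visible here; confirm.
 *
 * @param request         the JAX-RS request being filtered
 * @param securityContext the security context created for this request
 */
protected void doFilter(ContainerRequestContext request, SecurityContext securityContext) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    SecurityFilter.FilterContext filterContext = initRequestFiltering(request);
    if (filterContext.isShouldFinish()) {
        // 404 - nothing matched, nothing to secure
        tracing.finish();
        return;
    }

    // The original request line (path, plus "?query" when present) is handed to security
    // providers as the HEADER_ORIG_URI header.
    // NOTE(review): getPath()/getQuery() return the *decoded* form, so this can differ from the
    // bytes the client sent (e.g. "%26" becomes "&"). A provider that signs or compares the raw
    // request target would need getRawPath()/getRawQuery() - confirm what consumers expect.
    URI requestUri = request.getUriInfo().getRequestUri();
    String query = requestUri.getQuery();
    String origRequest = (null == query || query.isEmpty())
            ? requestUri.getPath()
            : requestUri.getPath() + "?" + query;

    Map<String, List<String>> allHeaders = new HashMap<>(filterContext.getHeaders());
    allHeaders.put(Security.HEADER_ORIG_URI, List.of(origRequest));

    SecurityEnvironment.Builder envBuilder = SecurityEnvironment.builder(security.serverTime())
            .path(filterContext.getResourcePath())
            .targetUri(filterContext.getTargetUri())
            .method(filterContext.getMethod())
            .headers(allHeaders)
            .addAttribute("resourceType", filterContext.getResourceName());

    // The remote peer address is not reachable through JAX-RS/Jersey APIs, so the Helidon server
    // integration publishes it as request properties. Request properties can be set by any other
    // filter, so the type is checked rather than cast blindly: a wrongly typed value would
    // otherwise throw ClassCastException here - before the security context is installed on the
    // request (so no audit) and before the tracing span is closed. A mistyped value is treated
    // exactly like an absent one (attribute not added).
    Object remoteHost = request.getProperty("io.helidon.jaxrs.remote-host");
    Object remotePort = request.getProperty("io.helidon.jaxrs.remote-port");
    if (remoteHost instanceof String) {
        envBuilder.addAttribute("userIp", (String) remoteHost);
    }
    if (remotePort instanceof Integer) {
        envBuilder.addAttribute("userPort", (Integer) remotePort);
    }
    SecurityEnvironment env = envBuilder.build();

    EndpointConfig ec = EndpointConfig.builder()
            .securityLevels(filterContext.getMethodSecurity().getSecurityLevels())
            .build();

    try {
        securityContext.env(env);
        securityContext.endpointConfig(ec);
        request.setProperty(PROP_FILTER_CONTEXT, filterContext);
        // The JAX-RS security context is installed even if authn/authz fails afterwards -
        // auditing needs it.
        // NOTE(review): isSecure is derived solely from the target URI scheme; behind a
        // TLS-terminating proxy this presumably reflects the scheme the server saw, not the
        // client's - confirm.
        boolean secure = "https".equals(filterContext.getTargetUri().getScheme());
        request.setSecurityContext(new JerseySecurityContext(securityContext,
                                                             filterContext.getMethodSecurity(),
                                                             secure));
        processSecurity(request, filterContext, tracing, securityContext);
    } finally {
        if (filterContext.isTraceSuccess()) {
            tracing.logProceed();
            tracing.finish();
        } else {
            tracing.logDeny();
            tracing.error("aborted");
        }
    }
}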
Use of io.helidon.security.integration.common.SecurityTracing in project helidon (by oracle).
Class GrpcSecurityHandler, method processSecurity.
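/**
 * Authenticates and authorizes a single gRPC call, then either starts the call or closes it.
 * <p>
 * Authentication runs first; authorization only runs if authentication said to proceed. A denied
 * call is closed with {@link Status#PERMISSION_DENIED}; any unexpected failure during security
 * processing (including interruption while waiting for the providers) closes the call with
 * {@link Status#INTERNAL} - the call never falls through to {@code next}. The returned listener is
 * wrapped in an {@link AuditingListener} so the call is audited whatever the outcome.
 * <p>
 * NOTE(review): the asynchronous security stage is joined synchronously with {@code get()}, so the
 * interceptor thread blocks until authn/authz complete; fine only if the providers never need that
 * thread themselves - confirm.
 *
 * @param securityContext security context created for this call
 * @param call            the server call being intercepted
 * @param headers         request metadata (headers)
 * @param next            downstream handler, invoked only when the call is allowed
 * @param <ReqT>          request message type
 * @param <RespT>         response message type
 * @return the call listener: the downstream one when allowed, an empty one when the call was closed
 */
private <ReqT, RespT> ServerCall.Listener<ReqT> processSecurity(SecurityContext securityContext,
                                                                ServerCall<ReqT, RespT> call,
                                                                Metadata headers,
                                                                ServerCallHandler<ReqT, RespT> next) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    // Derive the endpoint config per call so providers see this handler's config map and custom objects.
    securityContext.endpointConfig(securityContext.endpointConfig()
                                           .derive()
                                           .configMap(configMap)
                                           .customObjects(customObjects.orElse(new ClassToInstanceStore<>()))
                                           .build());

    CompletionStage<Boolean> stage = processAuthentication(call, headers, securityContext, tracing.atnTracing())
            .thenCompose(atnResult -> {
                if (atnResult.proceed) {
                    // authentication was OK or disabled, continue with authorization
                    return processAuthorization(securityContext, tracing.atzTracing());
                }
                // authentication told us to stop processing
                return CompletableFuture.completedFuture(AtxResult.STOP);
            })
            .thenApply(atzResult -> {
                if (atzResult.proceed) {
                    // authorization was OK, the call may be handled
                    tracing.logProceed();
                    tracing.finish();
                    return true;
                }
                tracing.logDeny();
                tracing.finish();
                return false;
            });

    ServerCall.Listener<ReqT> listener;
    CallWrapper<ReqT, RespT> callWrapper = new CallWrapper<>(call);
    try {
        boolean proceed = stage.toCompletableFuture().get();
        if (proceed) {
            listener = next.startCall(callWrapper, headers);
        } else {
            // NOTE(review): a stop after failed authentication is reported as PERMISSION_DENIED
            // rather than UNAUTHENTICATED; whether processAuthentication already closed the call
            // with a more specific status is not visible here - confirm.
            callWrapper.close(Status.PERMISSION_DENIED, new Metadata());
            listener = new EmptyListener<>();
        }
    } catch (InterruptedException e) {
        // Restore the interrupt flag so the owning thread/pool can observe it; still fail closed.
        Thread.currentThread().interrupt();
        listener = failClosed(tracing, callWrapper, e);
    } catch (Throwable throwable) {
        // get() wraps the provider's failure in ExecutionException; trace and log the real cause
        // (fully qualified to avoid depending on a file-level import).
        Throwable cause = throwable;
        if (throwable instanceof java.util.concurrent.ExecutionException && throwable.getCause() != null) {
            cause = throwable.getCause();
        }
        listener = failClosed(tracing, callWrapper, cause);
    }
    return new AuditingListener<>(listener, callWrapper, headers, securityContext);
}

/**
 * Records an unexpected security-processing failure and closes the call with {@link Status#INTERNAL}.
 *
 * @param tracing     security span to report the error on
 * @param callWrapper the wrapped call to close
 * @param cause       the failure
 * @param <ReqT>      request message type
 * @param <RespT>     response message type
 * @return an empty listener for the now-closed call
 */
private <ReqT, RespT> ServerCall.Listener<ReqT> failClosed(SecurityTracing tracing,
                                                           CallWrapper<ReqT, RespT> callWrapper,
                                                           Throwable cause) {
    tracing.error(cause);
    LOGGER.log(Level.SEVERE, "Unexpected exception during security processing", cause);
    callWrapper.close(Status.INTERNAL, new Metadata());
    return new EmptyListener<>();
}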
Use of io.helidon.security.integration.common.SecurityTracing in project helidon (by oracle).
Class SecurityHandler, method processSecurity.
/**
 * Runs authentication, then authorization, for one web-server request and hands the request to
 * the next handler only when both allow it.
 * <p>
 * The security span is finished with "proceed" or "deny"; an unexpected failure anywhere in the
 * chain is traced, logged and turned into a 500 (fail closed). Auditing is hooked on
 * {@code res.whenSent()} so it runs after the response left, whatever the outcome.
 * <p>
 * NOTE(review): on deny nothing here writes a response - presumably processAuthentication /
 * processAuthorization abort {@code res} themselves (both receive it); confirm.
 *
 * @param securityContext security context of this request
 * @param req             the incoming request
 * @param res             the response, aborted on failure or passed on to the next handler
 */
private void processSecurity(SecurityContext securityContext, ServerRequest req, ServerResponse res) {
    // start the security span for this request
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    // query parameters are added to the security context
    extractQueryParams(securityContext, req);
    // derive per-handler endpoint config so providers see this handler's config map and custom objects
    securityContext.endpointConfig(securityContext.endpointConfig()
                                           .derive()
                                           .configMap(configMap)
                                           .customObjects(customObjects.orElse(new ClassToInstanceStore<>()))
                                           .build());

    // capture the current Helidon context now so it can be propagated into req.next()
    Optional<Context> currentContext = Contexts.context();
    Runnable proceedToNext = () -> currentContext.ifPresentOrElse(
            c -> Contexts.runInContext(c, (Runnable) req::next),
            req::next);

    processAuthentication(res, securityContext, tracing.atnTracing())
            .thenCompose(atnResult -> {
                if (!atnResult.proceed) {
                    // authentication told us to stop processing
                    return CompletableFuture.completedFuture(AtxResult.STOP);
                }
                // authentication was OK or disabled, continue with authorization
                return processAuthorization(req, res, securityContext, tracing.atzTracing());
            })
            .thenAccept(atzResult -> {
                if (!atzResult.proceed) {
                    tracing.logDeny();
                    tracing.finish();
                    return;
                }
                // authorization was OK, continue with the next handler in the current context
                tracing.logProceed();
                tracing.finish();
                proceedToNext.run();
            })
            .exceptionally(throwable -> {
                // fail closed: never let an internal error fall through to the handler
                tracing.error(throwable);
                LOGGER.log(Level.SEVERE, "Unexpected exception during security processing", throwable);
                abortRequest(res, null, Http.Status.INTERNAL_SERVER_ERROR_500.code(), Map.of());
                return null;
            });

    // auditing, once the response has actually been sent
    res.whenSent().thenAccept(sentResponse -> processAudit(req, sentResponse, securityContext));
}
Use of io.helidon.security.integration.common.SecurityTracing in project helidon (by oracle).
Class SecurityPreMatchingFilter, method filter.
/**
 * Creates the per-request {@link SecurityContext}, makes it reachable both from Helidon's
 * {@code Context} (when one is active) and from Jersey injection of {@code Ref<SecurityContext>},
 * and - when pre-matching authentication is enabled - runs the security filter right away
 * (presumably before resource matching, per the class name).
 * <p>
 * The context id is the base-36 rendering of a process-wide counter. NOTE(review): that id is
 * sequential and therefore predictable; presumably it is only a correlation id for tracing and
 * auditing - confirm it is never exposed where unguessability would matter.
 *
 * @param request the incoming JAX-RS request
 */
@Override
public void filter(ContainerRequestContext request) {
    SecurityTracing tracing = SecurityTracing.get();

    String contextId = Integer.toString(CONTEXT_COUNTER.incrementAndGet(), Character.MAX_RADIX);
    SecurityContext securityContext = security().contextBuilder(contextId)
            .tracingSpan(tracing.findParent().orElse(null))
            .build();

    // register with the active Helidon context, if any ...
    Contexts.context().ifPresent(ctx -> ctx.register(securityContext));
    // ... and with Jersey's injectable Ref<SecurityContext>
    GenericType<Ref<SecurityContext>> refType = new GenericType<Ref<SecurityContext>>() {
    };
    injectionManager.<Ref<SecurityContext>>getInstance(refType.getType()).set(securityContext);

    if (featureConfig().shouldUsePrematchingAuthentication()) {
        doFilter(request, securityContext);
    }
}