Disable automatic propagation from security providers (#2357)

* Security providers no longer automatically propagate.
* Updated security provider documentation

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>
Tomas Langer
2020-09-30 18:18:45 +02:00
committed by GitHub
parent 6881ec8787
commit 7f1a1ad865
47 changed files with 2229 additions and 916 deletions


@@ -29,6 +29,7 @@ import javax.ws.rs.ext.ExceptionMapper;
import io.helidon.security.Security;
import io.helidon.security.integration.jersey.SecurityFeature;
import io.helidon.security.providers.abac.AbacProvider;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
import io.helidon.security.providers.httpauth.SecureUserStore;
import io.helidon.webserver.Routing;
@@ -84,7 +85,8 @@ public final class JerseyBuilderMain {
// add the security provider to use
.addProvider(HttpBasicAuthProvider.builder()
.realm("helidon")
.userStore(users()))
.userStore(users())
.addOutboundTarget(OutboundTarget.builder("propagate-all").build()))
.addProvider(AbacProvider.create())
.build());
}
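Review bot: The `OutboundTarget.builder("propagate-all").build()` added to the basic-auth provider re-enables propagation for every outbound call, since the target carries no host, transport or path restriction — which is exactly the behaviour the commit removes as a default. That is fine for an example, but nothing on the line says so; a comment such as `// example only: an unrestricted target forwards the caller's basic-auth credentials to every outbound host; restrict the target in production` would keep readers from copying it verbatim. If the builder supports host/transport restrictions (presumably it does, given the target abstraction), the example could demonstrate them instead. The enclosing method starts outside this section.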


@@ -1,5 +1,5 @@
#
# Copyright (c) 2016, 2019 Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2016, 2020 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,5 +37,7 @@ security:
- login: "john"
password: "${CLEAR=password}"
roles: []
outbound:
- name: "propagate-to-all-targets"
# Security provider - ABAC (for role based authorization)
- abac:
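Review bot: The new outbound target is named `propagate-to-all-targets` on the name line, while every other file in this commit — the other YAML configs and the builder-based examples — uses `propagate-all`. Unless the name is referenced somewhere not visible here, `- name: "propagate-all"` would keep the examples consistent and make the intent recognisable across them. A short comment above the `outbound:` key noting that a target with no host restriction applies to all outbound calls would also help, since the name is the only hint.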


@@ -49,6 +49,8 @@ security:
outbound-token:
header: "Authorization"
format: "bearer %1$s"
outbound:
- name: "propagate-all"
web-server:
defaults:
authenticate: true
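Review bot: The `outbound:` block added after the outbound-token format forwards the inbound bearer token (`format: "bearer %1$s"`) to every outbound target, assuming — as the name suggests — that a target with no host, transport or path entries matches all endpoints. Forwarding a user's token verbatim to arbitrary hosts is a credential-leak risk if this config is copied into a real service, so the example should say so: `# example only: this unrestricted target sends the caller's bearer token to every outbound host; add hosts/paths before using in production`. The surrounding provider definition starts outside this section.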


@@ -1,5 +1,5 @@
#
# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2018, 2020 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +27,8 @@ security:
- login: "jill"
password: "anotherPassword"
roles: ["user"]
outbound:
- name: "propagate-all"
web-server:
defaults:
authenticate: true


@@ -196,7 +196,8 @@ public class SignatureExampleBuilderMain {
.build())
.addProvider(HttpBasicAuthProvider.builder()
.realm("mic")
.userStore(users()),
.userStore(users())
.addOutboundTarget(OutboundTarget.builder("propagate-all").build()),
"basic-auth")
.addProvider(HttpSignProvider.builder()
.outbound(OutboundConfig.builder()
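Review bot: After this change both providers in the builder carry outbound configuration — the basic-auth provider's new unrestricted `propagate-all` target and the HttpSignProvider's `OutboundConfig` on the following lines — so it is not clear from the code which one supplies credentials for a given outbound call, and the order in which they are registered now matters. A comment stating the intended resolution would help, e.g. `// NOTE: both providers define outbound targets; confirm which applies to service2 calls (presumably registration order or the composite policy)`. If the basic-auth provider is meant to handle only inbound here, narrowing or dropping its outbound target would remove the ambiguity. The enclosing method starts and ends outside this section.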


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -70,7 +70,7 @@ public class SignatureExampleConfigMain {
}
private static Routing routing2() {
Config config = config("service2.conf");
Config config = config("service2.yaml");
// build routing (security is loaded from config)
return Routing.builder()
// helper method to load both security and web server security from configuration


@@ -1,5 +1,5 @@
#
# Copyright (c) 2016, 2018 Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2016, 2020 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -42,6 +42,8 @@ security:
- login: "john"
password: "${CLEAR=password}"
roles: []
outbound:
- name: "propagate-all"
# only configured for outbound security
- http-signatures:
outbound:
@@ -57,16 +59,17 @@ security:
signature:
key-id: "service1-rsa"
private-key:
# path to keystore
keystore-path: "src/main/resources/keystore.p12"
# Keystore type
# PKCS12, JSK or RSA (not really a keystore, but directly the linux style private key unencrypted)
# defaults to jdk default
keystore-type: "PKCS12"
# password of the keystore
keystore-passphrase: "password"
# alias of the key to sign request
key-alias: "myPrivateKey"
keystore:
# path to keystore
resource.path: "src/main/resources/keystore.p12"
# Keystore type
# PKCS12, JSK or RSA (not really a keystore, but directly the linux style private key unencrypted)
# defaults to jdk default
type: "PKCS12"
# password of the keystore
passphrase: "password"
# alias of the key to sign request
key.alias: "myPrivateKey"
web-server:
# Configuration of integration with web server
defaults:
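Review bot: The new `passphrase: "password"` under `keystore:` is a bare literal, whereas the user passwords in the same file use `${CLEAR=password}`; if the secure-config filter only recognises the `${CLEAR=...}`/encrypted prefixes, this value will not be flagged when `require-encryption` is turned on, so `passphrase: "${CLEAR=password}"` would be consistent and auditable. The comment on the keystore type line still reads `PKCS12, JSK or RSA` — presumably `JKS`. A one-line comment that `propagate-all` applies to every outbound host would also be worth adding above the new `outbound:` block.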


@@ -1,118 +0,0 @@
#
# Copyright (c) 2016, 2018 Oracle and/or its affiliates. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
security {
config {
# Configuration of secured config (encryption of passwords in property files)
# Set to true for production - if set to true, clear text passwords will cause failure
require-encryption = false
}
# composite provider policy
provider-policy {
type = "COMPOSITE"
authentication: [
{
# first resolve signature, then resolve basic-auth
name = "http-signatures"
flag = "OPTIONAL"
},
{
# must be present
name = "http-basic-auth"
}
]
}
providers: [
{
# Signatures
http-signatures {
# only inbound configured, no outbound calls
inbound {
keys: [
{
key-id = "service1-hmac"
principal-name = "Service1 - HMAC signature"
hmac.secret = "${CLEAR=somePasswordForHmacShouldBeEncrypted}"
},
{
key-id = "service1-rsa"
principal-name = "Service1 - RSA signature"
public-key {
# path to keystore
keystore-path = "src/main/resources/keystore.p12"
# Keystore type
# PKCS12 or JKS
# defaults to jdk default
# keystore-type = "PKCS12"
# password of the keystore
keystore-passphrase = "password"
# alias of the certificate to get public key from
cert-alias = "service_cert"
}
}
]
}
}
}
# Security provider - basic authentication (supports roles)
{
http-basic-auth {
realm = "mic"
users: [
{
login = "jack"
password = "${CLEAR=password}"
roles = ["user", "admin"]
},
{
login = "jill"
# master password is "jungle", password is "password"
password = "${CLEAR=password}"
roles = ["user"]
},
{
login = "john"
password = "${CLEAR=password}"
roles = []
}
]
}
},
]
web-server {
# Configuration of integration with web server
defaults {
authenticate = true
}
paths: [
{
path = "/service2"
roles-allowed = ["user"]
},
{
path = "/service2-rsa"
roles-allowed = ["user"]
}
]
}
}


@@ -0,0 +1,75 @@
#
# Copyright (c) 2016, 2020 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
security:
config:
# Configuration of secured config (encryption of passwords in property files)
# Set to true for production - if set to true, clear text passwords will cause failure
require-encryption: false
# composite provider policy
provider-policy:
type: "COMPOSITE"
authentication:
# first resolve signature, then resolve basic-auth
- name: "http-signatures"
flag: "OPTIONAL"
# must be present
- name: "http-basic-auth"
providers:
# Signatures
- http-signatures:
# only inbound configured, no outbound calls
inbound:
keys:
- key-id: "service1-hmac"
principal-name: "Service1 - HMAC signature"
hmac.secret: "${CLEAR=somePasswordForHmacShouldBeEncrypted}"
- key-id: "service1-rsa"
principal-name: "Service1 - RSA signature"
public-key:
keystore:
# path to keystore
resource.path: "src/main/resources/keystore.p12"
# Keystore type
# PKCS12 or JKS
# defaults to jdk default
# keystore-type: "PKCS12"
# password of the keystore
passphrase: "password"
# alias of the certificate to get public key from
cert.alias: "service_cert"
# Security provider - basic authentication (supports roles)
- http-basic-auth:
realm: "helidon"
users:
- login: "jack"
password: "${CLEAR=password}"
roles: [ "user", "admin" ]
- login: "jill"
password: "${CLEAR=password}"
roles: [ "user" ]
- login: "john"
password: "${CLEAR=password}"
roles: []
web-server:
# Configuration of integration with web server
defaults:
authenticate: true
paths:
- path: "/service2"
roles-allowed: [ "user" ]
- path: "/service2-rsa"
roles-allowed: [ "user" ]
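Review bot: The commented-out key under `public-key.keystore` still uses the old name `# keystore-type: "PKCS12"`, while the new layout this commit introduces for service1's private key uses `type:` under `keystore:`; it should read `# type: "PKCS12"` so an uncommented line actually works. The basic-auth realm here is `helidon`, but the builder-based variant of the same example (`SignatureExampleBuilderMain`) uses `realm("mic")`, which the deleted `service2.conf` also used — the two variants of the example should agree. The keystore `passphrase: "password"` is a bare literal unlike the `${CLEAR=...}` user passwords above it; `passphrase: "${CLEAR=password}"` would let the require-encryption check catch it.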