• Home
• io.helidon
• helidon-docs
• 4.0.11
• source code
• io_helidon_security_providers_httpsign_HttpSignProvider.adoc

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

config.io_helidon_security_providers_httpsign_HttpSignProvider.adoc Maven / Gradle / Ivy

///////////////////////////////////////////////////////////////////////////////

    Copyright (c) 2023, 2024 Oracle and/or its affiliates.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

///////////////////////////////////////////////////////////////////////////////

ifndef::rootdir[:rootdir: {docdir}/..]
:description: Configuration of io.helidon.security.providers.httpsign.HttpSignProvider
:keywords: helidon, config, io.helidon.security.providers.httpsign.HttpSignProvider
:basic-table-intro: The table below lists the configuration keys that configure io.helidon.security.providers.httpsign.HttpSignProvider
include::{rootdir}/includes/attributes.adoc[]

= HttpSignProvider (security.providers.httpsign) Configuration

// tag::config[]

HTTP header signature provider.


Type: link:{javadoc-base-url}/io.helidon.security.providers.httpsign/io/helidon/security/providers/httpsign/HttpSignProvider.html[io.helidon.security.providers.httpsign.HttpSignProvider]


[source,text]
.Config key
----
http-signatures
----


This type provides the following service implementations:

- `io.helidon.security.spi.AuthenticationProvider`


== Configuration options



.Optional configuration options
[cols="3,3a,2,5a"]

|===
|key |type |default value |description

|`backward-compatible-eol` |boolean |`false` |Enable support for Helidon versions before 3.0.0 (exclusive).

 Until version 3.0.0 (exclusive) there was a trailing end of line added to the signed
 data.
 To be able to communicate cross versions, we must configure this when talking to older versions of Helidon.
 Default value is `false`. In Helidon 2.x, this switch exists as well and the default is `true`, to
 allow communication between versions as needed.
|`headers` |HttpSignHeader[] (SIGNATURE, AUTHORIZATION, CUSTOM) |{nbsp} |Add a header that is validated on inbound requests. Provider may support more than
 one header to validate.
|`inbound.keys` |xref:{rootdir}/config/io_helidon_security_providers_httpsign_InboundClientDefinition.adoc[InboundClientDefinition[]] |{nbsp} |Add inbound configuration. This is used to validate signature and authenticate the
 party.

 The same can be done through configuration:
 
 {
  name = "http-signatures"
  class = "HttpSignProvider"
  http-signatures {
      inbound {
          # This configures the InboundClientDefinition
          keys: [
          {
              key-id = "service1"
              hmac.secret = "${CLEAR=changeit}"
          }]
      }
  }
 }
 
|`optional` |boolean |`true` |Set whether the signature is optional. If set to true (default), this provider will
 SecurityResponse.SecurityStatus#ABSTAIN from this request if signature is not
 present. If set to false, this provider will SecurityResponse.SecurityStatus#FAILURE fail
 if signature is not present.
|`outbound` |xref:{rootdir}/config/io_helidon_security_providers_common_OutboundConfig.adoc[OutboundConfig] |{nbsp} |Add outbound targets to this builder.
 The targets are used to chose what to do for outbound communication.
 The targets should have OutboundTargetDefinition attached through
 OutboundTarget.Builder#customObject(Class, Object) to tell us how to sign
 the request.

 The same can be done through configuration:
 
 {
  name = "http-signatures"
  class = "HttpSignProvider"
  http-signatures {
      targets: [
      {
          name = "service2"
          hosts = ["localhost"]
          paths = ["/service2/.*"]

          # This configures the OutboundTargetDefinition
          signature {
              key-id = "service1"
              hmac.secret = "${CLEAR=changeit}"
          }
      }]
  }
 }
 
|`realm` |string |`helidon` |Realm to use for challenging inbound requests that do not have "Authorization" header
 in case header is HttpSignHeader#AUTHORIZATION and singatures are not optional.
|`sign-headers` |xref:{rootdir}/config/io_helidon_security_providers_httpsign_SignedHeadersConfig_HeadersConfig.adoc[HeadersConfig[]] |{nbsp} |Override the default inbound required headers (e.g. headers that MUST be signed and
 headers that MUST be signed IF present).

 Defaults:

- get, head, delete methods: date, (request-target), host are mandatory; authorization if present (unless we are
 creating/validating the HttpSignHeader#AUTHORIZATION ourselves
- put, post: same as above, with addition of: content-length, content-type and digest if present
 
- for other methods: date, (request-target)

Note that this provider DOES NOT validate the "Digest" HTTP header, only the signature.

|===

// end::config[]