includes.security.providers.http-basic-auth.adoc Maven / Gradle / Ivy
The newest version!
///////////////////////////////////////////////////////////////////////////////
Copyright (c) 2018, 2024 Oracle and/or its affiliates.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
///////////////////////////////////////////////////////////////////////////////
ifndef::rootdir[:rootdir: {docdir}/../../..]
=== HTTP Basic Authentication Provider
:description: Helidon Security HTTP Basic Provider
:keywords: helidon, security, basic
:feature-name: HTTP Basic Authentication Security Provider
HTTP Basic authentication support
==== Setup
[source,xml]
.Maven dependency
----
io.helidon.security.providers
helidon-security-providers-http-auth
----
==== Overview
include::{rootdir}/config/io_helidon_security_providers_httpauth_HttpBasicAuthProvider.adoc[leveloffset=+2,tag=config]
==== Example code
See the link:{helidon-github-examples-url}/security/outbound-override[example] on GitHub.
[source,yaml]
.Configuration example
----
security:
providers:
- http-basic-auth:
realm: "helidon"
users:
- login: "john"
password: "${CLEAR=changeit}"
roles: ["admin"]
- login: "jack"
password: "changeit"
roles: ["user", "admin"]
outbound:
- name: "internal-services"
hosts: ["*.example.org"]
# Propagates current user's identity or identity from request property
outbound-token:
header: "X-Internal-Auth"
- name: "partner-service"
hosts: ["*.partner.org"]
# Uses this username and password
username: "partner-user-1"
password: "${CLEAR=changeit}"
----
==== How does it work?
See https://tools.ietf.org/html/rfc7617[].
*Authentication of request*
When a request is received without the `Authorization: basic ....` header, a challenge is returned to provide such
authentication.
When a request is received with the `Authorization: basic ....` header, the username and password is validated
against configured users (and users obtained from custom service if any provided).
Subject is created based on the username and roles provided by the user store.
*Identity propagation*
When identity propagation is configured, there are several options for identifying username and password to propagate:
1. We propagate the current username and password (inbound request must be authenticated using basic authentication).
2. We use username and password from an explicitly configured property (See `EndpointConfig.PROPERTY_OUTBOUND_ID`
and `EndpointConfig.PROPERTY_OUTBOUND_SECRET`)
3. We use username and password associated with an outbound target (see example configuration above)
Identity is propagated only if:
1. There is an outbound target configured for the endpoint
2. Or there is an explicitly configured username/password for the current request (through request property)
*Custom user store*
Java service loader service `io.helidon.security.providers.httpauth.spi.UserStoreService` can be implemented to provide
users to the provider, such as when validated against an internal database or LDAP server.
The user store is defined so you never need the clear text password of the user.
_Warning on security of HTTP Basic Authentication (or lack thereof)_
Basic authentication uses base64 encoded username and password and passes it over the network. Base64 is only encoding,
not encryption - so anybody that gets hold of the header value can learn the actual username and password of the user.
This is a security risk and an attack vector that everybody should be aware of before using HTTP Basic Authentication.
We recommend using this approach only for testing and demo purposes.