Getting User Principal From Filter

[dansiviter]

The title says it all really. It seems although SecurityContext is registered authentication isn't performed before all filters are processed. Therefore, the 'Principal' is always anonymous. Is there any way of getting a processed Principal in a Filter. I want to filter requests based on a user (i.e. from a JWT).

[dansiviter]

It seems there is a SecurityContext#authenticate() method. Is that the correct way to force authentication for Filter?

[tvallin]

What version of Helidon are you using ? And what flavor, SE or MP ?

[dansiviter]

@tvallin SE v4.2.1.

[tvallin]

I just verified with our SE security example that it works.

private static class MyFilter implements Filter {
        @Override
        public void filter(FilterChain chain, RoutingRequest request, RoutingResponse response) {
                SecurityContext context = request.context().get(SecurityContext.class).orElse(null);
                context.authenticate();
                context.userPrincipal().orElse(null); // Contains User infos
                chain.proceed();
        }
}

Nevertheless, I need to double check with the team is this the correct approach.

[tomas-langer]

Security is handled in handlers - similar to your routing handlers. As security is bound by path, and we use path matching of the routing.

This means that filters cannot have security available, as they happen before routing.

If you would need security at this point, you would need to implement it yourself - i.e. create a filter that is (somehow) configured to know how to secure the application (which endpoints, whether to authenticate, authorize etc.), and then use the existing Helidon APIs to execute the authentication and authorization - i.e. replicate what is now written in io.helidon.webserver.security.SecurityHandler#handle - application of authentication and authorization is done in io.helidon.webserver.security.SecurityHandler#processSecurity