4.x: archetype fix MP security (#7947)

Signed-off-by: tvallin <[email protected]>

archetypes/helidon/src/main/archetype/mp/custom/custom-mp.xml

@@ -33,6 +33,7 @@
     <exec src="/common/packaging.xml"/>
     <source src="observability.xml"/>
     <exec src="database-outputs.xml" if="${db}"/>
+    <source src="security-outputs.xml" if="${security}"/>
     <output>
         <templates engine="mustache" transformations="mustache" if="${application-yaml}">
             <directory>files</directory>

archetypes/helidon/src/main/archetype/mp/custom/files/application.abac.yaml

@@ -0,0 +1,3 @@
+  - abac:
+      fail-on-unvalidated: true
+      fail-if-none-validated: true

archetypes/helidon/src/main/archetype/mp/custom/files/application.oidc.yaml

@@ -0,0 +1,16 @@
+  - oidc:
+      # use a custom name, so it does not clash with other examples
+      cookie-name: "OIDC_EXAMPLE_COOKIE"
+      # support for "Authorization" header with bearer token
+      header-use: true
+      # the default redirect-uri, where the webserver listens on redirects from identity server
+      redirect-uri: "/oidc/redirect"
+      issuer: "https://tenant.some-server.com/oauth2/default"
+      audience: "configured audience"
+      client-id: "some client id"
+      client-secret: "some client secret"
+      identity-uri: "https://tenant.some-server.com/oauth2/default"
+      frontend-uri: "http://localhost:7987"
+      server-type: "@default"
+      # We want to redirect to login page (and token can be received either through cookie or header)
+      redirect: true

archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtApplication.java.mustache

@@ -0,0 +1,17 @@
+package {{package}};
+
+import java.util.Set;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.core.Application;
+import org.eclipse.microprofile.auth.LoginConfig;
+
+@LoginConfig(authMethod = "MP-JWT")
+@ApplicationScoped
+public class JwtApplication extends Application {
+
+    @Override
+    public Set<Class<?>> getClasses() {
+        return Set.of(JwtResource.class);
+    }
+}

archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/JwtResource.java.mustache

@@ -0,0 +1,24 @@
+package {{package}};
+
+import java.util.Optional;
+
+import io.helidon.security.Principal;
+import io.helidon.security.SecurityContext;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Context;
+
+import static jakarta.ws.rs.core.MediaType.TEXT_PLAIN;
+
+@Path("/hello")
+public class JwtResource {
+
+    @GET
+    @Produces(TEXT_PLAIN)
+    public String hello(@Context SecurityContext context) {
+        Optional<Principal> userPrincipal = context.userPrincipal();
+        return "Hello, " + userPrincipal.get().getName() + "!";
+    }
+}

archetypes/helidon/src/main/archetype/mp/custom/files/src/main/java/__pkg__/OidcResource.java.mustache

@@ -0,0 +1,27 @@
+package {{package}};
+
+import io.helidon.security.SecurityContext;
+import io.helidon.security.annotations.Authenticated;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.core.Context;
+
+/**
+ * A simple JAX-RS resource with a single GET method.
+ */
+@Path("/test")
+public class OidcResource {
+
+    /**
+     * Hello world using security context.
+     * @param securityContext context as established during login
+     * @return a string with current username
+     */
+    @Authenticated
+    @GET
+    public String getIt(@Context SecurityContext securityContext) {
+        return "Hello " + securityContext.userName();
+    }
+
+}

archetypes/helidon/src/main/archetype/mp/custom/security-outputs.xml

@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<archetype-script xmlns="https://helidon.io/archetype/2.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  xsi:schemaLocation="https://helidon.io/archetype/2.0 https://helidon.io/xsd/archetype-2.0.xsd">
+    <methods>
+        <method name="security-oidc">
+            <output if="${security.atn} contains ['oidc']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>**/OidcResource.java.mustache</include>
+                    </includes>
+                </templates>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.microprofile</value>
+                            <value key="artifactId">helidon-microprofile-oidc</value>
+                        </map>
+                    </list>
+                    <list key="providers-config-entries">
+                        <value file="files/application.oidc.yaml"/>
+                    </list>
+                    <list key="module-requires">
+                        <value>io.helidon.security</value>
+                        <value>io.helidon.security.annotations</value>
+                    </list>
+                    <list key="readme-sections">
+                        <value><![CDATA[
+## Security integration with OIDC
+
+This example demonstrates integration with OIDC (Open ID Connect) providers.
+
+To configure it, you need to replace the default values from configuration
+to your tenant and application configuration.
+]]></value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-jwt">
+            <output if="${security.atn} contains ['jwt']">
+                <templates engine="mustache" transformations="mustache,packaged">
+                    <directory>files</directory>
+                    <includes>
+                        <include>**/JwtApplication.java.mustache</include>
+                        <include>**/JwtResource.java.mustache</include>
+                    </includes>
+                </templates>
+                <model>
+                    <list key="dependencies">
+                        <map>
+                            <value key="groupId">io.helidon.microprofile.jwt</value>
+                            <value key="artifactId">helidon-microprofile-jwt-auth</value>
+                        </map>
+                    </list>
+                    <list key="microprofile-config-entries">
+                        <value>mp.jwt.verify.issuer=https://{IssuerPublicDomain}/oauth2/default</value>
+                        <value template="mustache">mp.jwt.verify.publickey.location=${mp.jwt.verify.issuer}/v1/keys</value>
+                    </list>
+                    <list key="module-requires">
+                        <value >io.helidon.microprofile.jwt.auth</value>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-google">
+            <output if="${security.atn} contains ['google']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.google.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-signature">
+            <output if="${security.atn} contains ['http-signature']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.http-signature.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+        <method name="security-abac">
+            <output if="${security.atz} contains ['abac']">
+                <model>
+                    <list key="providers-config-entries">
+                        <value file="files/application.abac.yaml"/>
+                    </list>
+                </model>
+            </output>
+        </method>
+    </methods>
+    <call method="security-abac"/>
+    <call method="security-oidc"/>
+    <call method="security-jwt"/>
+    <call method="security-google"/>
+    <call method="security-signature"/>
+    <output>
+        <model>
+            <list key="dependencies">
+                <map>
+                    <value key="groupId">io.helidon.microprofile</value>
+                    <value key="artifactId">helidon-microprofile-security</value>
+                </map>
+            </list>
+            <list key="paths-config-entries">
+                <value><![CDATA[    - path: "/simple-greet"
+      methods: ["get"]
+      authenticate: true]]></value>
+            </list>
+        </model>
+    </output>
+</archetype-script>

archetypes/helidon/src/main/archetype/se/common/common-se.xml

@@ -125,7 +125,14 @@
                 .build()
                 .start();
 
+        {{#Main-after-server}}
+        {{.}}
+        {{/Main-after-server}}
+
         System.out.println("WEB server is up! http://localhost:" + server.port() + "/simple-greet");
+        {{#Main-logging}}
+        {{.}}
+        {{/Main-logging}}
 ]]></value>
             </list>
             <list key="main-class-content">

archetypes/helidon/src/main/archetype/se/common/files/src/main/resources/application.yaml.mustache

@@ -11,16 +11,4 @@ server:
 
 {{.}}
 {{/application-yaml-entries}}
-{{#security}}
 
-security:
-  config.require-encryption: false
-  properties:
-{{#security-properties}}
-{{.}}
-{{/security-properties}}
-  providers:
-{{#providers-config-entries}}
-{{.}}
-{{/providers-config-entries}}
-{{/security}}

archetypes/helidon/src/main/archetype/se/custom/custom-se.xml

@@ -25,11 +25,12 @@
     <exec src="/common/security.xml"/>
     <source src="database-inputs.xml"/>
     <source src="/common/extra.xml"/>
-    <source src="/se/custom/extra.xml"/>
+    <source src="extra.xml"/>
     <source src="/common/observability.xml"/>
     <source src="observability.xml"/>
     <exec src="/common/packaging.xml"/>
     <exec src="database-output.xml" if="${db}"/>
+    <source src="security-outputs.xml" if="${security}"/>
 
     <output>
         <file source="files/src/main/resources/WEB/index.html" target="src/main/resources/WEB/index.html" if="${media} contains 'multipart'"/>