Disable automatic propagation from security providers

CHANGELOG.md

@@ -7,6 +7,12 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 For Helidon 1.x releases please see [Helidon 1.x CHANGELOG.md](https://github.com/oracle/helidon/blob/helidon-1.x/CHANGELOG.md)
 
+## [2.1.0]
+- Security: To remove accidental propagation of identity, all security providers that support outbound
+    security were updated to only do outbound security when configured so. All of these providers
+    now have an `outbound` configuration section that can define outbound targets. Documentation of
+    providers was updated to match this new approach and is available in both MP and SE docs.
+
 ## [2.0.3-SNAPSHOT]
 
 ### Changes

docs/mp/security/02_providers.adoc

@@ -0,0 +1,79 @@
+///////////////////////////////////////////////////////////////////////////////
+
+    Copyright (c) 2018, 2020 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+///////////////////////////////////////////////////////////////////////////////
+
+= Security Providers
+:h1Prefix: MP
+:description: Helidon Security providers
+:keywords: helidon, security
+
+== Implemented Security Providers
+
+Helidon provides the following security providers for endpoint protection:
+
+[cols="3,2,^1,6"]
+|===
+^|Provider ^|Type ^|Outbound supported ^|Description
+
+|<<OIDC Provider,OIDC Provider>> |Authentication |✅ |Open ID Connect supporting JWT, Scopes, Groups and OIDC code flow
+|<<HTTP Basic Authentication Provider,HTTP Basic Authentication>> |Authentication |✅ |HTTP Basic Authentication support
+|<<HTTP Digest Authentication Provider,HTTP Digest Authentication>> |Authentication |🚫 |HTTP Digest Authentication support
+|<<Header Authentication Provider,Header Assertion>> |Authentication |✅ |Asserting a user based on a header value
+|<<HTTP Signatures Provider,HTTP Signatures>> |Authentication |✅ |Protecting service to service communication through signatures
+|<<IDCS Role Mapper,IDCS Roles>> |Role Mapping |🚫 |Retrieves roles from IDCS provider for authenticated user
+|<<ABAC Provider,ABAC Authorization>> |Authorization |🚫 |Attribute based access control authorization policies
+|===
+
+The following providers are no longer evolved:
+[cols="3,2,^1,6"]
+|===
+^|Provider ^|Type ^|Outbound supported ^|Description
+
+|<<Google Login Provider,Google Login>> |Authentication |✅ |Authenticates a token from request against Google servers
+|<<JWT Provider,JWT Provider>> |Authentication |✅ |JWT tokens passed from frontend
+|===
+
+=== OIDC Provider
+Open ID Connect security provider.
+
+==== Setup
+[source,xml]
+.Maven dependency
+----
+<dependency>
+    <groupId>io.helidon.microprofile</groupId>
+    <artifactId>helidon-microprofile-oidc</artifactId>
+</dependency>
+----
+include::../../shared/security/providers/oidc.adoc[]
+
+include::../../shared/security/providers/http-basic-auth.adoc[]
+
+include::../../shared/security/providers/http-digest-auth.adoc[]
+
+include::../../shared/security/providers/header-assertion.adoc[]
+
+include::../../shared/security/providers/http-signatures.adoc[]
+
+include::../../shared/security/providers/idcs-role-mapper.adoc[]
+
+include::../../shared/security/providers/abac.adoc[]
+
+include::../../shared/security/providers/google-login.adoc[]
+
+include::../../shared/security/providers/jwt.adoc[]
+

docs/se/security/01_introduction.adoc

@@ -120,33 +120,22 @@ See <<_tools,Secure config>> for details about encrypting passwords in
 Security security = Security.create(config);
 ----
 
-[source,conf]
-.Security from configuration - configuration
+[source,yaml]
+.Security from configuration - application.yaml
 ----
 # Uses config encryption filter to encrypt passwords
-security.providers: [
-    {
-        http-basic-auth {
-            realm = "helidon"
-
-            user-store {
-                users: [
-                    {
-                        login = "aUser"
-                        password = "${CLEAR=somePassword}"
-                        roles = ["theRole"]
-
-                    },
-                    {
-                        login = "noRoles"
-                        password = "${CLEAR=somePassword}"
-                        roles = []
-                    }
-                ]
-            }
-        }
-    }
-]
+security:
+  providers:
+  - abac:
+  - http-basic-auth:
+      realm: "helidon"
+      users:
+      - login: "jack"
+        password: "${CLEAR=password}"
+        roles: ["user", "admin"]
+      - login: "jill"
+        password: "${CLEAR=password}"
+        roles: ["user"]
 ----
 
 === Hybrid pattern (Builder & Configuration)