Broadleaf provides several mechanisms to support a variety of security concerns. One of the backbone services that drives many of the security aspects across the suite of Broadleaf microservices is the Auth Service. Broadleaf's Auth Service serves as both an extensible Authentication Provider and an Authorization Server. The Auth Service can be used by customers and admins to obtain OAuth2 access tokens (JWTs) for calling resource endpoints across the various services. These Broadleaf JWTs work in conjunction with Broadleaf's security model, which uses a custom framework @Policy annotation that allows for both role-based and ownership validation.
The Auth Service serves as both an authentication and an authorization server. The mechanisms in this service are structured on top of core Spring Security OAuth2 configurations and are built for extension. Ultimately, the Auth Service issues several JWTs, including an access token whose claims are used to call the various Broadleaf microservices. More details can be found within the Auth Service documentation.
The OAuth2 spec defines a scope as a mechanism to limit an application's access to a user's account. A scope may be a set of permissions an application might want authorization for. In Broadleaf, a scope might be "PRODUCT" and contain the "READ_PRODUCT", "CREATE_PRODUCT", "UPDATE_PRODUCT", and "DELETE_PRODUCT" permissions.
Broadleaf provides a companion library (broadleaf-oauth2-resource-security) which is included as a dependency in all Broadleaf microservices. This library provides common security model functionality and works in conjunction with the JWTs produced by the Auth Service to:
decode, extract, and validate compliant access tokens
verify token claims, and perform any additional system validation and filtering concerns
provide an easy-to-use @Policy annotation that can be placed on applicable methods to facilitate security gating
A policy was introduced as a first-class component of the Broadleaf framework in order to support additional security dimensions that are specific to Broadleaf and would not otherwise be supported by out-of-the-box Spring Security concepts like @PreAuthorize. Specifically, policies in Broadleaf:
Allow access to resources or functions only to users with the correct:
    Access to the requested context (ContextInfo)
    Permissions for the requested resource (e.g. Product)
    Permissions for the requested operation (e.g. Read vs. Update)
    Ownership of the requested resource (e.g. a Customer's own profile)
Prevent access to trackable resources from the wrong context
Prevent mutation of trackable resources from the wrong context
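The following example, added here and not part of Broadleaf's code or the broadleaf-oauth2-resource-security library, models the checks described in the scope paragraph above (an operation such as READ combined with a permission root such as PRODUCT yields a permission name like READ_PRODUCT) and the policy dimensions listed above (context, resource/operation permission, ownership). The record types, the claim names (subject, permissions, tenantId, applicationId), the ContextInfo shape and the way the dimensions are combined (context must match, then either the permission or ownership suffices) are all assumptions of this illustration, not a description of how @Policy evaluates a request. It assumes the token has already been signature-checked and its claims extracted, as the companion library does before any gating decision.

```java
import java.util.Objects;
import java.util.Set;

/**
 * Illustrative policy gate (not Broadleaf's own implementation).
 * Shows how a role/permission check, a context check and an ownership
 * check can be combined into a single authorization decision.
 */
public class PolicyGateExample {

    /** Operation types in the page's READ/CREATE/UPDATE/DELETE vocabulary. */
    enum OperationType { READ, CREATE, UPDATE, DELETE }

    /** Claims a resource service reads from an already validated access token (assumed shape). */
    record TokenClaims(String subject,
                       Set<String> permissions,
                       String tenantId,
                       String applicationId) {}

    /** The context (tenant / application) the request claims to operate on (assumed shape). */
    record ContextInfo(String tenantId, String applicationId) {}

    /** Operation + permission root -> permission name, e.g. READ + PRODUCT -> READ_PRODUCT. */
    static String requiredPermission(OperationType op, String permissionRoot) {
        return op.name() + "_" + permissionRoot;
    }

    /** Permission dimension: does the token carry the permission for this resource and operation? */
    static boolean hasPermission(TokenClaims claims, OperationType op, String permissionRoot) {
        return claims.permissions().contains(requiredPermission(op, permissionRoot));
    }

    /** Context dimension: the token must have been issued for the context the request targets. */
    static boolean contextMatches(TokenClaims claims, ContextInfo ctx) {
        return Objects.equals(claims.tenantId(), ctx.tenantId())
            && Objects.equals(claims.applicationId(), ctx.applicationId());
    }

    /** Ownership dimension: the token subject owns the resource (e.g. a customer's own profile). */
    static boolean isOwner(TokenClaims claims, String resourceOwnerId) {
        return resourceOwnerId != null && resourceOwnerId.equals(claims.subject());
    }

    /**
     * Combined decision (assumed combination rule): a mismatched context is denied outright,
     * so a token for one tenant can never read or mutate another tenant's trackable data;
     * otherwise the caller needs either the operation permission or ownership of the resource.
     */
    static boolean authorize(TokenClaims claims, ContextInfo ctx, OperationType op,
                             String permissionRoot, String resourceOwnerId) {
        if (!contextMatches(claims, ctx)) {
            return false;
        }
        return hasPermission(claims, op, permissionRoot) || isOwner(claims, resourceOwnerId);
    }

    public static void main(String[] args) {
        // Constructed sample claims: a catalog admin for tenant "t1" / application "app1"
        // holding only the READ and UPDATE permissions of the PRODUCT scope.
        TokenClaims admin = new TokenClaims("admin-1",
            Set.of("READ_PRODUCT", "UPDATE_PRODUCT"), "t1", "app1");
        // Constructed sample claims: a customer with no admin permissions at all.
        TokenClaims customer = new TokenClaims("cust-42", Set.of(), "t1", "app1");

        ContextInfo ctx = new ContextInfo("t1", "app1");
        ContextInfo otherTenant = new ContextInfo("t2", "app1");

        // Permission present for the requested operation on the requested resource.
        System.out.println("admin UPDATE PRODUCT in own context: "
            + authorize(admin, ctx, OperationType.UPDATE, "PRODUCT", null));
        // Same resource, but the token lacks DELETE_PRODUCT.
        System.out.println("admin DELETE PRODUCT in own context: "
            + authorize(admin, ctx, OperationType.DELETE, "PRODUCT", null));
        // Valid permissions, wrong tenant: denied by the context check.
        System.out.println("admin READ PRODUCT in other tenant:  "
            + authorize(admin, otherTenant, OperationType.READ, "PRODUCT", null));
        // No permissions, but the customer owns the profile being updated.
        System.out.println("customer UPDATE own profile:         "
            + authorize(customer, ctx, OperationType.UPDATE, "CUSTOMER", "cust-42"));
        // No permissions and not the owner.
        System.out.println("customer UPDATE another profile:     "
            + authorize(customer, ctx, OperationType.UPDATE, "CUSTOMER", "cust-7"));
    }
}
```

The ordering in authorize is deliberate: the context check runs first and short-circuits, so permissions and ownership are never consulted for a request aimed at a tenant or application the token was not issued for. That is what keeps a legitimately privileged token from reading or mutating trackable resources in the wrong context, the last two policy goals listed above.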
The following sections describe the various configuration options and extension points regarding security for the framework.