Broadleaf Microservices



Broadleaf provides several mechanisms to support a variety of security concerns. One of the backbone services that drives many of the security aspects across the suite of Broadleaf microservices originates from the Auth Service. Broadleaf’s Auth Service serves as both an extensible Authentication Provider and an Authorization Server. The Auth Service can be used by customers and admins to generate secure OAuth2 tokens (JWT) to access resource endpoints across various services. These Broadleaf JWT tokens work in conjunction with Broadleaf’s security model which uses a custom framework @Policy annotation that allows for both role-based and ownership validation.

Authentication & Authorization

The Auth Service serves as both an authentication and authorization server. The mechanisms in this service are structured on top of core Spring Security OAuth2 configurations and is built for extension. At the end of the day, the Auth Service produces several JWT Tokens, including an Access Token with claims that can be used to call various Broadleaf microservices. More details can be found within the Auth Services documentation.

Scopes & Permissions

The OAuth2 spec defines a Scope as a mechanism to limit an application’s access to a user’s account. A scope may be a set of permissions an application might want authorization for.

In Broadleaf, a scope might be a "PRODUCT", and contain the "READ_PRODUCT", "CREATE_PRODUCT", "UPDATE_PRODUCT", "DELETE_PRODUCT" permissions

OAuth and Policy

Broadleaf provides a companion library ( broadleaf-oauth2-resource-security) which is included as a dependency on all of Broadleaf microservices.

This library provides common security model functionality and works in conjunction with the JWT tokens produced by the Auth service to:

  • decode, extract, and validate compliant access tokens

  • verify token claims, and perform any additional system validation and filtration concerns

  • provide an easy to use @Policy annotation that can be placed on applicable methods to facilitate security gating

Refer to Security for in-depth information on this topic.

Typical Configuration and Extensions

The following section describes various configuration and extensions regarding security for the framework.