Broadleaf Microservices
  • v1.0.0-latest-prod

Common Security Release Notes


  • Updated AccessTokenClaims and DefaultAuthenticationUtils to preferentially support the access token claim names used by AuthenticationServices 2.X+, and fall back to AuthenticationServices 1.X claim names for backwards compatibility

  • Added method to determine if the current user authentication is within an admin context.

    • AuthenticationUtils#userIsInAdminContext.

    • The method is new but the claims it checks are preexisting from other releases.

  • Includes bugfixes from 1.4.7-GA


Spring Boot Upgrade

  • As of Broadleaf Release Train 2.0.0-GA, all common libraries have been upgraded to Spring Boot 3.

  • This version includes all changes up to 1.4.6-GA


  • Fixed a bug where blank and empty public key property values (in or*) were processed by KeyUtil instead of being ignored completely

  • Fixed a bug where the JwtDecoder bean in OAuth2ResourceSecurityConfiguration did not honor the property. Now, if no explicit public key property values are provided and the JWK Set URI property value is provided, the JwtDecoder will be configured to verify tokens via the JWK Set URI.


  • Updated Auth utils to account for CSR acting on their own behalf rather than a customer’s: #userIsCSRActingAsSelf.

    • This checks the new claim impersonating_self.


  • Support multiple public keys for signature validation
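The decoder-selection behaviour described in the bullets above (blank key values ignored, JWK Set URI used when no explicit keys are configured, and several public keys accepted), as an added illustration that is not Broadleaf's own OAuth2ResourceSecurityConfiguration; because the page does not name the properties, the key and JWK Set URI values are assumed to be passed in by the caller:

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Illustrative decoder selection; not Broadleaf's OAuth2ResourceSecurityConfiguration.
public class JwtDecoderSelection {
    // publicKeyPems and jwkSetUri stand in for the (unnamed) property values on the page.
    static JwtDecoder buildDecoder(List<String> publicKeyPems, String jwkSetUri) {
        List<String> pems = publicKeyPems == null ? List.of() : publicKeyPems;
        // Blank and empty key values are ignored rather than handed to the key parser.
        List<RSAPublicKey> keys = pems.stream()
                .filter(k -> k != null && !k.isBlank())
                .map(JwtDecoderSelection::parseRsaPublicKey)
                .toList();
        if (keys.isEmpty()) {
            // No explicit keys: fall back to the JWK Set URI if one is configured.
            if (jwkSetUri == null || jwkSetUri.isBlank()) {
                throw new IllegalStateException("No public key or JWK Set URI configured");
            }
            return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        }
        // Several keys: a token is accepted if any configured key verifies its signature.
        List<JwtDecoder> decoders = keys.stream()
                .map(k -> (JwtDecoder) NimbusJwtDecoder.withPublicKey(k).build())
                .toList();
        return token -> {
            JwtException last = null;
            for (JwtDecoder d : decoders) {
                try { return d.decode(token); } catch (JwtException e) { last = e; }
            }
            throw last;
        };
    }

    // Parses a PEM-encoded (X.509 SubjectPublicKeyInfo) RSA public key.
    static RSAPublicKey parseRsaPublicKey(String pem) {
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        try {
            byte[] der = Base64.getDecoder().decode(b64);
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Invalid RSA public key", e);
        }
    }
}
```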


  • Removed unnecessary warning related to customer segment ids


  • Updated library to be compatible with Spring 2.3

Release Train Compatibility

Compatible with all Release Trains after 1.7 unless otherwise noted.