If you are using an Initializr-based project, Broadleaf generates an initial starting point with sensible, secure, and cryptographically unique defaults. This lets you, the implementor, dial up security where needed, or make a conscious choice to dial down certain measures when that is appropriate for your needs. Some of the generated defaults include:
Credentials Environment Report and generated default credentials
Inter-service SSL configuration
Supporting Service Secure Connectivity (Kafka, Solr, Zookeeper, etc…)
Details around each of these configurations can be found on the Initializr Security page.
Prior to the introduction of the Initializr security module, implementations would follow documentation that described the different security keys and credentials that needed to be updated and changed manually prior to production (see the section below). Implementations would also sometimes leverage a CredentialsGeneratorTool to help generate new credentials for an environment.
As part of an Initializr-based project, all of this has now been automated. All of the secure, sensitive, and important configurations that need to be changed are generated as part of the
The following guides are applicable to
Broadleaf uses private and public keys in its services to sign and verify the JWT tokens it issues. Because only our services hold the private key, a token whose signature verifies under the public key is known to have been issued by one of our services and not to have been altered by a third party. The Generating Private and Public Keys for JWTs article describes a simple way to generate keys that are compatible with our services.
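To make the sign-with-private-key, verify-with-public-key relationship concrete, here is an added example (not Broadleaf's own code) that issues an RS256 JWT, verifies it, and then shows that a token whose claims were altered after signing is rejected. It assumes RS256 (RSA with SHA-256) and uses constructed sample claims; the key format Broadleaf's services actually consume is described in the linked article.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class JwtRs256Demo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Issuing side: only a service holding the private key can produce a valid signature.
    static String sign(String claimsJson, PrivateKey privateKey) throws GeneralSecurityException {
        String header = ENC.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = ENC.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(privateKey);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(rs256.sign());
    }

    // Verifying side: any service with the public key can check a token but cannot forge one.
    static boolean verify(String token, PublicKey publicKey) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        try {
            Signature rs256 = Signature.getInstance("SHA256withRSA");
            rs256.initVerify(publicKey);
            rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            return rs256.verify(DEC.decode(parts[2]));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or invalid signature: reject the token
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample claims, not real Broadleaf scopes.
        String token = sign("{\"sub\":\"order-service\",\"scope\":\"READ\"}", pair.getPrivate());
        System.out.println("original token verifies: " + verify(token, pair.getPublic()));

        // Replace the claims but keep the original signature: verification must fail.
        String[] parts = token.split("\\.");
        String altered = ENC.encodeToString("{\"sub\":\"order-service\",\"scope\":\"ALL\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("altered token verifies:  " + verify(parts[0] + "." + altered + "." + parts[2], pair.getPublic()));
    }
}
```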
Broadleaf allows configuration properties for third-party Identity Providers (IDPs) to be defined in the admin and persisted in a database. One of the properties that must be stored is the client secret used to call the third party's APIs. This secret should be encrypted when it is persisted and decrypted when it is retrieved. Generating Database Column Encryption Keys covers a simple way to generate the key used for this.
The Updating Client Credentials guide shows how to override the default credentials.