Broadleaf Microservices
  • v1.0.0-latest-prod

Security Configuration

Initializr Security Module (since 1.8.3)

If you are using an Initializr-based project, Broadleaf generates an initial starting point with sensible, secure, and cryptographically unique defaults. This lets you, the implementor, easily dial up the security settings when needed, or make a conscious choice to dial down certain security measures where that is appropriate for your needs. Some of the generated defaults include:

  • Credentials Environment Report and generated default credentials

  • Inter-service SSL configuration

  • Supporting Service Secure Connectivity (Kafka, Solr, Zookeeper, etc.)

Details around each of these configurations can be found on the Initializr Security page.

Note About Prior Operational Processes

Prior to the introduction of the Initializr security module, implementations followed documentation describing the security keys and credentials that had to be updated and changed manually before going to production (see the section below). Implementations would also sometimes use a CredentialsGeneratorTool to help generate new credentials for an environment.

As part of an Initializr-based project, all of this has now been automated. All the secure, sensitive, and important configurations needing to be changed are generated as part of the flex:generate process.

Manual Security Configuration

The following guides are applicable to MicroservicesDemo-based projects:

JWT Public & Private Keys

Broadleaf uses private and public keys in its services to sign and verify the JWT tokens it issues. A token that verifies against a service's public key is known to have been issued by one of our services and not manipulated by a third party. The Generating Private and Public Keys for JWTs article describes a simple way to generate keys that are compatible with our services.

Data Encryption Keys for 3rd Party IDPs

Broadleaf allows configuration properties for 3rd Party Identity Providers (IDPs) to be defined in the admin and persisted in a database. One of the properties that must be stored is the client secret used to interact with the 3rd party's APIs. This secret should be encrypted when persisted and decrypted when retrieved. Generating Database Column Encryption Keys covers a simple way to generate the key used for this.

Configuring Server to Server Client Credentials

The Updating Client Credentials guide shows how to override the default credentials.