Broadleaf Microservices
  • v1.0.0-latest-prod

Upgrade to 1.6.0-GA

Upgrade Notes

  • Service

    • Auth: The saved request (BLSR), saved authorized client (BL-ACS-*), and saved authorization request (BLSAR) cookies now default to SameSite=Lax in their attributes. This change may affect behavior if BLC cookies are used as third-party cookies, or if there is no gateway in front of the auth service (not recommended).

    • Auth: By default, all responses will now include Content-Security-Policy (CSP) headers with directives default-src 'self'; base-uri 'self'. This change may affect behavior if any served webpages include inline resources (scripts, styles, etc) or resources loaded from origins different from the one loading the document.

    • Cart Operations: The deprecated Cart cookie (BLCART) now defaults to SameSite=Lax in its attributes. This change may affect behavior if this deprecated functionality is still in use, particularly if BLC cookies are used as third-party cookies, or if there is no gateway in front of the cart operations service (not recommended).
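An added post-upgrade check, not code from the Broadleaf project or this page, that reads captured response headers from the auth or cart operations service and reports any BLSR, BLSAR, BL-ACS-* or BLCART cookie that is not sent as SameSite=Lax (flagging SameSite=None without Secure separately, since modern browsers reject such cookies), together with any drift from the default CSP directives described above. The sample response, cookie names after the BL-ACS- prefix, and cookie values are constructed.

```python
import re
from http.cookies import SimpleCookie

# Cookie names the upgrade notes say now default to SameSite=Lax.
# BL-ACS-* is a prefix; the suffix varies per authorized client.
LAX_COOKIE_PATTERNS = [r"^BLSR$", r"^BLSAR$", r"^BL-ACS-", r"^BLCART$"]
# Directives the auth service now sends by default.
EXPECTED_CSP = {"default-src": "'self'", "base-uri": "'self'"}

def parse_csp(header_value):
    """Split a Content-Security-Policy header into {directive: value}."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition(" ")
        if name:
            directives[name.lower()] = value.strip()
    return directives

def csp_deviations(header_value):
    """Names of default directives that are missing or differ from 'self'."""
    found = parse_csp(header_value)
    return [d for d, v in EXPECTED_CSP.items() if found.get(d) != v]

def cookie_problems(set_cookie_headers):
    """{cookie: reason} for BLC cookies not sent as SameSite=Lax.
    SameSite=None is reported separately when Secure is missing,
    because modern browsers reject such cookies outright."""
    problems = {}
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not any(re.match(p, name) for p in LAX_COOKIE_PATTERNS):
                continue  # not a BLC cookie covered by the upgrade notes
            same_site = (morsel["samesite"] or "").lower()
            if same_site == "none" and not morsel["secure"]:
                problems[name] = "SameSite=None without Secure"
            elif same_site != "lax":
                problems[name] = f"SameSite is {same_site or 'unset'}, expected Lax"
    return problems

# Constructed sample of what a gateway log or browser capture might show.
SAMPLE_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; base-uri 'self'",
    "Set-Cookie": ["BLSR=abc; Path=/; HttpOnly; SameSite=Lax",
                   "BL-ACS-default=xyz; Path=/; HttpOnly; SameSite=None"],
}

def audit(response=SAMPLE_RESPONSE):
    return {"csp": csp_deviations(response["Content-Security-Policy"]),
            "cookies": cookie_problems(response["Set-Cookie"])}
```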

Configuration Properties

Admin User Service

Property Description

broadleaf.adminuser.data.load.default-master-global-admin-user

If true, the default global admin user will be created. Defaults to false. See com.broadleafcommerce.auth.data.DefaultMasterGlobalAdminUserDataInitializer.

Auth Service

Property Description

broadleaf.auth.login.embedded.enabled

Enables the Embedded login. This is false by default since it is less secure. To enable, set this property to true.

broadleaf.auth.password.token.chars

The character set to use when generating password tokens.

broadleaf.auth.password.token.length

The length of a generated password token. Defaults to 32.

broadleaf.auth.user-lockout.reset-password-unlocks-user

If true, a password reset action will unlock a user on a successful password reset action. Default value is false.

broadleaf.auth.user-lockout.locked-user-can-reset-password

If true, a locked user can trigger a password reset. Default value is false.

broadleaf.auth.registration.require-password-confirmation-field

Whether the registration form requires a password confirmation field in which the user re-enters their password; its value must match the password field. This decreases the chance that the user mistypes their password when registering.

broadleaf.auth.security.content-security-policy.*

Properties configuring Content Security Policy behavior. See com.broadleafcommerce.auth.user.autoconfigure.AuthorizationServerProperties.ContentSecurityPolicyProperties for the full list of options.

broadleaf.auth.security.content-security-policy.enabled

Whether or not to enable content security policy behavior. Defaults to true.

broadleaf.auth.security.content-security-policy.default-src.enabled

Configures whether to include the default-src content security policy directive. Defaults to true.

broadleaf.auth.security.content-security-policy.default-src.value

If enabled, this is the value to use for the default-src content security policy directive. Defaults to self.

broadleaf.auth.security.content-security-policy.base-uri.enabled

Configures whether to include the base-uri content security policy directive. Defaults to true.

broadleaf.auth.security.content-security-policy.base-uri.value

If enabled, this is the value to use for the base-uri content security policy directive. Defaults to self.

broadleaf.auth.security.content-security-policy.additional-directives

A list of additional directives that should be added to the content security policy header. Each must include both the directive name and the value. This will automatically be combined in the final result with a semicolon separator. Defaults to empty list.

broadleaf.auth.auth-request-repository.saved-auth-request-cookie-same-site-value

The value to use for the SameSite attribute on the cookies responsible for saving authorization requests. Can be None, Lax, or Strict. Defaults to Lax.

broadleaf.auth.auth-client-repository.authorized-client-cookie-same-site-value

The value to use for the SameSite attribute on the cookies responsible for storing authorized clients. Can be None, Lax, or Strict. Defaults to Lax.

broadleaf.auth.stateless.saved-request-cookie-same-site-value

The value to use for the SameSite attribute on the "saved request" cookie responsible for redirecting users following an authentication request. Can be None, Lax, or Strict. Defaults to Lax.

broadleaf.auth.data.load.default-master-global-admin-user

If true, the default global admin user will be created. Defaults to false. See com.broadleafcommerce.auth.data.DefaultMasterGlobalAdminUserDataInitializer.

broadleaf.auth.anonymization.enabled

Whether or not anonymization is enabled at all. Defaults to true.

broadleaf.auth.anonymization.user-enabled

Whether or not anonymization specific to the User domain is supported. Defaults to true.

Cart Operations Service

Property Description

broadleaf.cartoperation.cart-cookie.cookie-same-site-value

The value to use for the SameSite attribute on the cart cookie. Can be None, Lax, or Strict. Defaults to Lax.

Cart Service

Property Description

broadleaf.cart.anonymization.enabled

Whether or not anonymization is enabled at all. Defaults to true.

broadleaf.cart.anonymization.cart-enabled

Whether or not anonymization specific to the Cart domain is supported. Defaults to true.

broadleaf.cart.anonymization.payment-and-transaction-enabled

Whether or not anonymization specific to the Payment or PaymentTransaction domains is supported. Defaults to false.

Customer Service

Property Description

broadleaf.customer.anonymization.enabled

Whether or not anonymization is enabled at all. Defaults to true.

broadleaf.customer.anonymization.account-enabled

Whether or not anonymization specific to the Account domain is supported. Defaults to true.

broadleaf.customer.anonymization.account-member-enabled

Whether or not anonymization specific to the AccountMember domain is supported. Defaults to true.

broadleaf.customer.anonymization.customer-address-enabled

Whether or not anonymization specific to the CustomerAddress domain is supported. Defaults to true.

broadleaf.customer.anonymization.customer-enabled

Whether or not anonymization specific to the Customer domain is supported. Defaults to true.

broadleaf.customer.anonymization.customer-note-enabled

Whether or not anonymization specific to the CustomerNote domain is supported. Defaults to true.

broadleaf.customer.anonymization.payment-account-enabled

Whether or not anonymization specific to the PaymentAccount domain is supported. Defaults to true.

Offer Service

Property Description

broadleaf.offer.cache.offer-by-user-targets

Defaults to 5 minutes.

Campaign Service

Property Description

broadleaf.campaign.code-generation.batch-size

Batch size for non-voucher campaign code generation. Defaults to 1000.

broadleaf.campaign.code-generation.voucher.batch-size

Batch size for campaign code generation for vouchers. Defaults to 10.