Broadleaf Microservices
  • v1.0.0-latest-prod

Customer Authority Filter

since 2.3.0

Overview

Introduces the ability to prevent accidentally assigning elevated permissions to customer users. It ensures that misconfigured permissions are automatically removed from the authorities claim of a customer user's Authentication token, even if the user was granted those permissions.

If any authority is removed, the log will contain a message like: There are authorities assigned to a Customer user that should not be assigned. Authorities are automatically filtered out (userId: {} | authoritiesRemoved: {}).

For example, customer users shouldn’t have the authorities to modify or delete a product, but they may read it. To exclude write permissions for the PRODUCT scope while keeping read access, the following configuration can be used:

This is an example configuration. The default excluded authorities and exclusion exceptions can be found in com.broadleafcommerce.auth.security.environment.UserPrivilegeProperties.CustomerAuthorityFilter
broadleaf.auth.user-privilege.customer-authority-filter.excluded-authorities=ALL_PRODUCT
broadleaf.auth.user-privilege.customer-authority-filter.exclusion-exceptions=READ_PRODUCT

The excluded-authorities property specifies which authorities are excluded from customer users. Authorities starting with ALL_* are automatically expanded into their corresponding READ_*, CREATE_*, UPDATE_*, and DELETE_* permissions, including the original ALL_* permission.

To allow specific permissions that would otherwise be excluded, add them to the exclusion-exceptions property (e.g., READ_PRODUCT).

Configuration

broadleaf:
  auth:
    user-privilege:
      customer-authority-filter:
        enabled: true (1)
        log-throttle-time: 3600000 (2) # 1 hour; a plain number, a Java-style L suffix would not bind to a long
        excluded-authorities: (3)
          - ALL_PRODUCT
          - ALL_CUSTOMER
          ...
        exclusion-exceptions: (4)
          - READ_PRODUCT
          ...
  1. If set to true, the authorities listed in excluded-authorities will be removed from customer users

  2. The interval in milliseconds between warnings logged for a customer user who has been assigned excluded authorities

  3. Authorities that must be excluded from customer users

  4. Authorities that should be kept even if they match an exclusion. Acts as an override for excluded-authorities
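The following is an added, illustrative re-implementation of the rules described in the Overview (ALL_* expansion, exclusion minus exceptions, throttled warning) and of the four configuration properties above. It is not Broadleaf's code and does not use Broadleaf's classes; the class name, the userId value and the granted authority set are constructed for the example. It assumes ALL_* expansion applies to excluded-authorities only (exclusion-exceptions are matched literally), and it models the token-claim filtering as a pure function over a set of authority strings.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical stand-in for the customer authority filter described on this page.
 * Not com.broadleafcommerce.auth.security.environment.UserPrivilegeProperties.CustomerAuthorityFilter.
 */
public class CustomerAuthorityFilterExample {

    private static final List<String> CRUD_PREFIXES = List.of("READ_", "CREATE_", "UPDATE_", "DELETE_");

    private final boolean enabled;                 // customer-authority-filter.enabled
    private final long logThrottleTimeMillis;      // customer-authority-filter.log-throttle-time
    private final Set<String> excluded;            // excluded-authorities, after ALL_* expansion
    private final Set<String> exceptions;          // exclusion-exceptions, matched literally (assumption)
    // userId -> timestamp of the last warning logged for that user
    private final Map<String, Long> lastLogged = new ConcurrentHashMap<>();

    public CustomerAuthorityFilterExample(boolean enabled, long logThrottleTimeMillis,
                                          Set<String> excludedAuthorities, Set<String> exclusionExceptions) {
        this.enabled = enabled;
        this.logThrottleTimeMillis = logThrottleTimeMillis;
        this.excluded = expand(excludedAuthorities);
        this.exceptions = new LinkedHashSet<>(exclusionExceptions);
    }

    /** ALL_X expands to ALL_X itself plus READ_X, CREATE_X, UPDATE_X and DELETE_X. */
    static Set<String> expand(Set<String> authorities) {
        Set<String> out = new LinkedHashSet<>();
        for (String authority : authorities) {
            out.add(authority);
            if (authority.startsWith("ALL_")) {
                String scope = authority.substring("ALL_".length());
                for (String prefix : CRUD_PREFIXES) {
                    out.add(prefix + scope);
                }
            }
        }
        return out;
    }

    /** Returns the authorities a customer user may keep; excluded ones are dropped and logged (throttled). */
    public Set<String> filter(String userId, Set<String> granted, long nowMillis) {
        if (!enabled) {
            return granted;
        }
        Set<String> kept = new LinkedHashSet<>();
        Set<String> removed = new LinkedHashSet<>();
        for (String authority : granted) {
            if (excluded.contains(authority) && !exceptions.contains(authority)) {
                removed.add(authority);
            } else {
                kept.add(authority);
            }
        }
        if (!removed.isEmpty()) {
            warnThrottled(userId, removed, nowMillis);
        }
        return kept;
    }

    /** Logs at most once per log-throttle-time window per user, so a noisy misconfiguration does not flood the log. */
    private void warnThrottled(String userId, Set<String> removed, long nowMillis) {
        Long last = lastLogged.get(userId);
        if (last != null && nowMillis - last < logThrottleTimeMillis) {
            return;
        }
        lastLogged.put(userId, nowMillis);
        System.out.printf("WARN There are authorities assigned to a Customer user that should not be assigned. "
                + "Authorities are automatically filtered out (userId: %s | authoritiesRemoved: %s)%n",
                userId, removed);
    }

    public static void main(String[] args) {
        // Mirrors the page's example: exclude ALL_PRODUCT, keep READ_PRODUCT; 1 hour throttle
        CustomerAuthorityFilterExample filter = new CustomerAuthorityFilterExample(
                true, 3_600_000L, Set.of("ALL_PRODUCT"), Set.of("READ_PRODUCT"));

        // Constructed sample: a customer user mistakenly granted product write access
        Set<String> granted = new LinkedHashSet<>(
                List.of("CUSTOMER", "READ_PRODUCT", "UPDATE_PRODUCT", "DELETE_PRODUCT"));

        long now = System.currentTimeMillis();
        System.out.println(filter.filter("customer-123", granted, now));
        // Second call within the throttle window: same result, but no second warning is printed
        System.out.println(filter.filter("customer-123", granted, now + 1_000));
    }
}
```

Running the class prints one warning naming UPDATE_PRODUCT and DELETE_PRODUCT as removed, followed by the kept set twice; the second call is silent because it falls inside the throttle window for the same userId. Setting enabled to false returns the granted set untouched, which is the behaviour to check when validating that the filter is actually active in an environment.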

The default set doesn’t contain every permission that should not be assigned to a customer user. Rather, it’s the set of permissions that we think are more easily and mistakenly assigned to customer users. Please review and modify as needed.