Tip: The 2.x versions are Spring Boot 3 compatible.
Note: Includes changes in 2.0.4-GA.
As of Broadleaf Release Train 2.1.3-GA, all microservices have been upgraded to Spring Boot 3.3.
This version includes all changes up to the 2.0.4 Release Notes.
Added max-attempt limits and lockout configuration for change password and reset-password flows.
These settings can be configured on a per-Authentication Server basis.
Added support to identify and process PersistenceMessage payloads for extended entities from Customer, Admin and Tenant services.
This should eliminate the need to override the supportedSimpleTypeNames array or getSupportedSimpleTypeNames() method in PersistenceHandler implementations.
The PersistenceHandler now utilizes the _baseClass attribute of the PersistenceMessage to identify the underlying JPA class and thereby the extended entity.
This logic is congruent with the existing logic to identify the overrides/extensions of Indexable entities like Order and Product.
The protected method DefaultUserLockoutService#throwIfLocked had its signature updated to include int attemptsAllowed as a parameter.
This allows you to pass a different limit for each action being evaluated that may lock a user's account, such as login attempts or change/reset password attempts.
Fixed a long-standing issue where the maximum login attempt count could be exceeded by one.
For example, with a maximum attempt number of '2', a third request was allowed and, if successful, would change the password.
broadleaf.auth.user-lockout.failed-reset-password-attempts-allowed
Description: How many failed reset password attempts are allowed before a user is locked out.
Default value: null (designates unlimited attempts)
broadleaf.auth.user-lockout.failed-change-password-attempts-allowed
Description: How many failed change password attempts are allowed before a user is locked out.
Default value: null (designates unlimited attempts)
broadleaf.auth.user-lockout.reset-password-fail-decay-minutes
Description: How long, in minutes, it takes for failed reset password attempts to "decay". Failed reset password attempts that have decayed will not be taken into account when determining if a user should be locked out. Null indicates attempts never decay.
Default value: null (designates attempts never decaying)
broadleaf.auth.user-lockout.change-password-fail-decay-minutes
Description: How long, in minutes, it takes for failed change password attempts to "decay". Failed change password attempts that have decayed will not be taken into account when determining if a user should be locked out. Null indicates attempts never decay.
Default value: null (designates attempts never decaying)
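
The attempt limits, decay windows and boundary fix described above can be modelled as follows. This is an added illustration, not Broadleaf's code: the class and method names are hypothetical, and it assumes a failure counts as decayed once it is older than the configured number of minutes.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;

// Illustrative model only; names are hypothetical and are not Broadleaf APIs.
public class LockoutBoundaryExample {

    /** Counts failures that have not decayed. A null window means failures never decay. */
    static long activeFailures(List<Instant> failures, Integer decayMinutes, Instant now) {
        if (decayMinutes == null) {
            return failures.size();
        }
        Instant cutoff = now.minus(Duration.ofMinutes(decayMinutes));
        return failures.stream().filter(f -> f.isAfter(cutoff)).count();
    }

    /** Corrected boundary: refuse the request once active failures reach the limit. */
    static boolean isLocked(List<Instant> failures, Integer attemptsAllowed,
                            Integer decayMinutes, Instant now) {
        if (attemptsAllowed == null) {
            return false; // null designates unlimited attempts
        }
        return activeFailures(failures, decayMinutes, now) >= attemptsAllowed;
    }

    /** Off-by-one form: with a limit of 2, a third request is still evaluated. */
    static boolean isLockedOffByOne(List<Instant> failures, Integer attemptsAllowed,
                                    Integer decayMinutes, Instant now) {
        return attemptsAllowed != null
                && activeFailures(failures, decayMinutes, now) > attemptsAllowed;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed timestamps
        // Two failures inside a 15-minute window.
        List<Instant> twoRecent = List.of(now.minusSeconds(120), now.minusSeconds(60));
        // One failure an hour old, one a minute old.
        List<Instant> oneOld = List.of(now.minusSeconds(3600), now.minusSeconds(60));

        System.out.println("off-by-one, limit 2, two recent: " + isLockedOffByOne(twoRecent, 2, 15, now));
        System.out.println("corrected, limit 2, two recent: " + isLocked(twoRecent, 2, 15, now));
        System.out.println("corrected, limit 2, one decayed: " + isLocked(oneOld, 2, 15, now));
        System.out.println("corrected, limit 2, no decay: " + isLocked(oneOld, 2, null, now));
        System.out.println("corrected, no limit: " + isLocked(twoRecent, null, null, now));
    }
}
```

Because both the attempt limits and the decay windows default to null, change-password and reset-password attempts stay unlimited until the corresponding properties are set.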