Broadleaf Microservices
  • v1.0.0-latest-prod

Security Configuration and Customization

This applies to AuthenticationServices version 2.0

SecurityAutoConfiguration Overview

AuthenticationServices depends on and configures Spring Security for securing web requests. The SecurityAutoConfiguration (com.broadleafcommerce.auth.user.autoconfigure.SecurityAutoConfiguration) is the main entry point for web security. The SecurityAutoConfiguration is a large @AutoConfiguration class that contains multiple inner configuration classes. These inner classes configure a variety of things:

  • Authentication (AuthenticationSecurityConfiguration)

  • Authorization (SpringAuthorizationServerComponentsConfiguration)

  • Stateless Sessions (SessionConfiguration)

  • Authentication Filters (FilterBeans)

  • Cryptographic keys (JWTBeans)

  • and more!

Bean Overrides

In general, everything in the SecurityAutoConfiguration and its inner classes is a bean, and therefore, bean overrides can be used to substitute customized objects as needed. Simply declare a new @Bean method in your project configuration with the same name and type as the framework bean you would like to override. See Extensibility Documentation for more info.

Authentication Security Chain Customizers

The AuthenticationSecurityConfiguration within SecurityAutoConfiguration configures a SecurityFilterChain to handle user login. This chain also handles requests not handled by any other chain. In addition to bean overrides, the AuthenticationSecurityConfiguration uses "Authentication Security Chain Customizers" to allow client projects to customize the authentication security chain without having to override the entire authenticationSecurityFilterChain bean. These customizers accept the HttpSecurity object being configured. There are two types available:

  • EarlyAuthenticationSecurityChainCustomizer

  • LateAuthenticationSecurityChainCustomizer

As the names suggest, the early customizers run before the framework configures the HttpSecurity, and the late customizers run after the framework has applied all of its configurations. All beans of these types will be executed.

Add A New Filter Example

The customizers can be used to add new filters to the filter chain. For example, most projects need a ForwardedHeaderFilter when the services are behind a gateway. Broadleaf’s starter projects include this configuration, and in earlier versions of Broadleaf, this required extending a configuration class and overriding a method in order to register the filter on the HttpSecurity object.

As of AuthenticationServices 2.0, a LateAuthenticationSecurityChainCustomizer bean can be used instead, greatly simplifying the customization process:

// Declared in a @Configuration class; the customizer must be a bean to be picked up.
@Bean
public LateAuthenticationSecurityChainCustomizer forwardHeaderFilterContributorAuthentication() {
    // Register Spring's ForwardedHeaderFilter right after the HeaderWriterFilter.
    return http -> http.addFilterAfter(new ForwardedHeaderFilter(), HeaderWriterFilter.class);
}

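A fuller added example, not taken from the Broadleaf documentation or code base, of the same LateAuthenticationSecurityChainCustomizer approach: it contributes a filter that assigns a request correlation ID so that authentication events can be tied together in logs, and it rejects caller-supplied IDs that are not safe to write into a log line. The package name, the class and filter names, the X-Request-Id header and the regular expression are all assumptions; the import for LateAuthenticationSecurityChainCustomizer is omitted because its package is not shown on this page.

```java
package com.example.auth.config; // hypothetical package, not part of Broadleaf

import java.io.IOException;
import java.util.UUID;
import java.util.regex.Pattern;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.MDC;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Import LateAuthenticationSecurityChainCustomizer from your AuthenticationServices
// dependency; its package is not shown on this page, so it is not written here.

@Configuration
public class AuthChainAuditCustomization {

    /** Correlation header name; a hypothetical choice for this example. */
    static final String REQUEST_ID_HEADER = "X-Request-Id";

    /** Only accept caller-supplied IDs that cannot carry log-injection payloads. */
    static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9._-]{8,64}$");

    @Bean
    public LateAuthenticationSecurityChainCustomizer requestIdAuditCustomizer() {
        // Runs after the framework has configured HttpSecurity. It only adds a
        // filter, so nothing the framework configured is replaced.
        return http -> http.addFilterAfter(new RequestIdFilter(), HeaderWriterFilter.class);
    }

    /** Ensures every request carries a well-formed correlation ID and exposes it to logging. */
    static class RequestIdFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain)
                throws ServletException, IOException {
            String requestId = resolveRequestId(request.getHeader(REQUEST_ID_HEADER));
            // Echo the ID so the gateway or client can correlate its own logs.
            response.setHeader(REQUEST_ID_HEADER, requestId);
            MDC.put("requestId", requestId);
            try {
                chain.doFilter(request, response);
            } finally {
                // Never leak the ID into the next request handled by this thread.
                MDC.remove("requestId");
            }
        }
    }

    /** Returns the supplied ID when it is well-formed, otherwise a fresh UUID. */
    static String resolveRequestId(String supplied) {
        if (supplied != null && SAFE_ID.matcher(supplied).matches()) {
            return supplied;
        }
        return UUID.randomUUID().toString();
    }
}
```

The filter is added after HeaderWriterFilter, the same anchor the page's ForwardedHeaderFilter example uses, so it runs before the framework's authentication filters and the ID is already in the MDC when a login succeeds or fails. Only HttpSecurity methods that do not declare checked exceptions are used inside the lambda, because the customizer interface's exact signature is not shown on this page.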

The authenticationSecurityFilterChain bean method uses a few configurers so that individual pieces of configuration logic can be overridden more easily:

  • ContentSecurityPolicyConfigurer

  • DispatcherTypeAuthorizationConfigurer

  • EmbeddedLoginAuthenticationConfigurer

These configurers can be extended and overridden like any other bean (see Bean Overrides above).