Broadleaf Microservices

Key Components

Vendor Security and Narrowing

These are the key components relevant for vendor security and narrowing.


This is the central component responsible for performing security policy validation. It extends DefaultTrackablePolicyUtils to add vendor considerations on top of the base validation. Additionally, it exposes utility methods that other components can use to leverage vendor-specific behavior.


This is a utility internally used by VendorAwareTrackablePolicyUtils to extract vendor privilege information from an authentication’s claims. It ultimately converts these details into an easier-to-understand AuthenticationVendorPrivilegesSummary object.

Implementations should not need to change the behavior in this component unless there is a change in the structure/content of the relevant token claims produced by the authentication service.


This is the top-level component that consumers should typically rely on when they need to perform entity-specific vendor-related operations. It injects all VendorVisibilityHandler components and is responsible for delegating to the appropriate handler for a particular entity type.


This is the main component that should be implemented in order to make an entity vendor-discriminated.

Each entity may have different requirements about how it associates to vendors or what its security/narrowing behavior should be. This VendorVisibilityHandler abstraction encapsulates all entity-specific behavior, which simultaneously maximizes implementation flexibility and minimizes the code needed to get things working.


Responsible for registering a vendor-narrowing QueryInfluencer on each API request’s ContextInfo. The TrackableRepository implementation will then apply the QueryInfluencer to build vendor-narrowing filters for the queries that are run.


If a vendor-discriminated entity needs to be cacheable, then cache key generation needs to account for the differences in API callers' vendor restrictions. This component provides a mechanism by which a key generator can include these details in the cache key. See DefaultVendorAwareCacheKeyEnhancer/CatalogVendorAwareCacheKeyEnhancer for default implementations, and see DataTrackingKeyGen for how to use them.
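The following added example is not Broadleaf code: every class and method name in it is hypothetical and the product data is constructed. It shows why the cache key must carry the caller's vendor restrictions: with a key that ignores them, a second caller is served the first caller's vendor-narrowed result.

```java
import java.util.*;
import java.util.function.Function;
import java.util.stream.Collectors;

// Added illustration; every name here is hypothetical, not a Broadleaf API.
public class VendorAwareCacheKeyExample {

    // Constructed sample data: product name -> owning vendor ref.
    static final Map<String, String> PRODUCTS = Map.of(
            "hot-sauce", "vendor-a", "green-tea", "vendor-b", "mug", "vendor-a");

    // A caller is either unrestricted (empty Optional) or limited to a set of vendor refs.
    record Caller(Optional<Set<String>> restrictedVendors) {}

    // Stand-in for a repository query with vendor narrowing applied.
    static List<String> queryProducts(Caller caller) {
        return PRODUCTS.entrySet().stream()
                .filter(e -> caller.restrictedVendors().map(v -> v.contains(e.getValue())).orElse(true))
                .map(Map.Entry::getKey).sorted().collect(Collectors.toList());
    }

    // Weak: the key ignores who is asking, so all callers share one cache entry.
    static String naiveKey(Caller caller) { return "products:all"; }

    // Corrected: the key carries the caller's vendor restrictions in canonical (sorted) form.
    static String vendorAwareKey(Caller caller) {
        String vendorPart = caller.restrictedVendors()
                .map(v -> "vendors=" + new TreeSet<>(v))
                .orElse("unrestricted");
        return "products:all|" + vendorPart;
    }

    static List<String> cachedQuery(Map<String, List<String>> cache,
                                    Function<Caller, String> keyGen, Caller c) {
        return cache.computeIfAbsent(keyGen.apply(c), k -> queryProducts(c));
    }

    public static void main(String[] args) {
        Caller vendorA = new Caller(Optional.of(Set.of("vendor-a")));
        Caller vendorB = new Caller(Optional.of(Set.of("vendor-b")));

        Map<String, List<String>> weak = new HashMap<>();
        cachedQuery(weak, VendorAwareCacheKeyExample::naiveKey, vendorA); // warms the shared entry
        System.out.println("naive key, vendor-b sees: "
                + cachedQuery(weak, VendorAwareCacheKeyExample::naiveKey, vendorB));

        Map<String, List<String>> fixed = new HashMap<>();
        cachedQuery(fixed, VendorAwareCacheKeyExample::vendorAwareKey, vendorA);
        System.out.println("vendor-aware key, vendor-b sees: "
                + cachedQuery(fixed, VendorAwareCacheKeyExample::vendorAwareKey, vendorB));
    }
}
```

Sorting the vendor refs before they go into the key keeps two callers with the same restrictions on the same cache entry regardless of claim ordering, while an unrestricted caller gets a distinct entry of its own.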