com.broadleafcommerce.auth.user.autoconfigure

Class AuthorizationServerProperties

java.lang.Object

com.broadleafcommerce.auth.user.autoconfigure.AuthorizationServerProperties

@Validated
 @ConfigurationProperties(value="broadleaf.auth.security")
public class AuthorizationServerProperties
extends Object

Author:

Phillip Verheyden (phillipuniverse), Jeff Fischer, Nick Crum (ncrum)

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	AuthorizationServerProperties.ContentSecurityPolicyProperties Properties configuring the behavior of ContentSecurityPolicyConfigurer.
static class	AuthorizationServerProperties.OAuth2

Constructor Summary

Constructors

Constructor and Description
AuthorizationServerProperties()

Method Summary

Modifier and Type	Method and Description
protected boolean	canEqual(Object other)
boolean	equals(Object o)
AuthorizationServerProperties.ContentSecurityPolicyProperties	getContentSecurityPolicy() Properties pertaining to Content Security Policy (CSP) configuration.
Set<String>	getGlobalDomainWhitelist() If a tenant enabled installation is in place (i.e.
Set<String>	getGlobalPrefixWhitelist() If a tenant enabled installation is in place (i.e.
String	getLoginPathOrUrl() Either the path portion only to the login page (e.g.
AuthorizationServerProperties.OAuth2	getOauth2()
String[]	getPrefixedDomainWhitelist() If a tenant enabled installation is in place (i.e.
int	hashCode()
boolean	isUseRedirectUriHost() Deprecated.
void	setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy) Properties pertaining to Content Security Policy (CSP) configuration.
void	setGlobalDomainWhitelist(Set<String> globalDomainWhitelist) If a tenant enabled installation is in place (i.e.
void	setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist) If a tenant enabled installation is in place (i.e.
void	setLoginPathOrUrl(String loginPathOrUrl) Either the path portion only to the login page (e.g.
void	setOauth2(AuthorizationServerProperties.OAuth2 oauth2)
void	setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist) If a tenant enabled installation is in place (i.e.
void	setUseRedirectUriHost(boolean useRedirectUriHost) Deprecated.
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

AuthorizationServerProperties

public AuthorizationServerProperties()

Method Detail

getOauth2

public AuthorizationServerProperties.OAuth2 getOauth2()

isUseRedirectUriHost

@Deprecated
public boolean isUseRedirectUriHost()

Deprecated.

This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path. Use the same host from the provided successful login redirect uri. This facilitates a common domain for authorize, login, and application, if desired. Redirect Uris are always validated against a white list.

Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to setup the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

getPrefixedDomainWhitelist

public String[] getPrefixedDomainWhitelist()

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.

getLoginPathOrUrl

public String getLoginPathOrUrl()

Either the path portion only to the login page (e.g. /login), or the absolute url to the login page (e.g. https://security.server.com/login. If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form url. Otherwise, this value can be a full URL or relative path as needed.

getGlobalDomainWhitelist

public Set<String> getGlobalDomainWhitelist()

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect uri that represents a global admin login.

getGlobalPrefixWhitelist

public Set<String> getGlobalPrefixWhitelist()

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect uri that represents a global admin login.

getContentSecurityPolicy

public AuthorizationServerProperties.ContentSecurityPolicyProperties getContentSecurityPolicy()

Properties pertaining to Content Security Policy (CSP) configuration.

setOauth2

public void setOauth2(AuthorizationServerProperties.OAuth2 oauth2)

setUseRedirectUriHost

@Deprecated
public void setUseRedirectUriHost(boolean useRedirectUriHost)

Deprecated.

This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path. Use the same host from the provided successful login redirect uri. This facilitates a common domain for authorize, login, and application, if desired. Redirect Uris are always validated against a white list.

Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to setup the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

setPrefixedDomainWhitelist

public void setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist)

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.

setLoginPathOrUrl

public void setLoginPathOrUrl(String loginPathOrUrl)

Either the path portion only to the login page (e.g. /login), or the absolute url to the login page (e.g. https://security.server.com/login. If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form url. Otherwise, this value can be a full URL or relative path as needed.

setGlobalDomainWhitelist

public void setGlobalDomainWhitelist(Set<String> globalDomainWhitelist)

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect uri that represents a global admin login.

setGlobalPrefixWhitelist

public void setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist)

If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect uri that represents a global admin login.

setContentSecurityPolicy

public void setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy)

Properties pertaining to Content Security Policy (CSP) configuration.

equals

public boolean equals(Object o)

Overrides:

equals in class Object

canEqual

protected boolean canEqual(Object other)

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

Overrides:

toString in class Object