All Classes and Interfaces
Class
Description
AbstractAuthenticationStrategyDelegate<T extends org.springframework.security.core.Authentication>
Abstract AuthenticationStrategyDelegate for converting OAuth2AuthenticationToken to OAuth2UserDetails.
Implementation of TokenEnhancer that has a request scoped UserContext that contains the current user to avoid repeated database reads.
Contains constants that are used as keys for token claims for access tokens in TokenEnhancers.
Common functionality for evaluating account access
Responsible for validating and adding the "acct_id" claim to the token.
Exception thrown when an attempt to reset a password is blocked due to a user account being locked.
Spring cloud data channel description for messaging input.
Listens to AccountMemberRoleChangeRequest messages and delegates them to the AccountMemberRoleChangeRequestHandler.
Data about AccountMember role updates.
Handles AccountMemberRoleChangeRequest.
Methods to read and update AccountRoles.
Spring cloud data channel description for messaging input.
Listens to CustomerAccountUpdateRequest messages and delegates them to the AccountUpdateRequestHandler.
Handle CustomerAccountUpdateRequest messages.
Specific messaging contract for sending in admin permission updates.
Spring cloud data channel description for messaging input.
Handles messages from the Persistence channel for AdminPermission data to update UserPermission.
Specific messaging contract for permission references by entities.
Specific messaging contract for restricted permission references by entities.
Specific messaging contract for restricted role references by entities.
Specific messaging contract for restriction references by entities.
Specific messaging contract for sending in admin role updates.
Spring cloud data channel description for messaging input.
Specific messaging contract for role references by entities.
Specific messaging contract for sending in user updates.
Spring cloud data channel description for messaging input.
Projection domain representing a subset of information provided by Application.
A DTO intended to hold just the applicationId of a user-application relationship.
Handle persistence operations related to Applications
Perform CRUD operations using the Application projection domain.
Supply the anonymization related endpoint to the service.
Controls anonymization behavior for the auth service
Properties that influence cache settings for the auth service
Properties used for encrypted columns.
Template entity for storing auth codes.
Spring cloud data channel description for messaging input.
Handles messages from the Persistence channel for other services that can impact the data in the authentication service, such as roles, permissions, and users.
Spring Boot default property overrides for this service
A message event dispatched after authentication events occur.
Class used for mapping an exception to a redirect URI.
Default AuthenticationEvent message types
Used by the DefaultSessionAuthenticationStrategy to convert Authentication from various sources into OAuth2UserDetails.
General exception handler registry for handlers not exclusive to a single controller.
Responsible for configuring the setup for internationalization support.
This is a customized version of AuthorizationCodeTokenGranter that helps support the Proof-Key-for-Code-Exchange enhancement to the Authorization Code Grant flow.
Configuration properties for AuthorizationRequestRepository/BroadleafAuthorizationRequestRepository.
A holder for OAuth2AuthorizationRequest data, with a field for the Broadleaf Client Id
An authorization server responsible for authenticating users.
Set up OAuth specific items.
Properties configuring the behavior of ContentSecurityPolicyConfigurer.
Represents the configuration for a particular 'directive' (ex: should 'default-src' be provided, and what should its value be?).
If enabled, this should be the value to use for the directive.
Service interface for managing authorization servers.
Set up the spring security configuration for our OAuth server
Represents the authorization service concept of an authorized client.
Validator targeting AuthorizationServer
Service interface for managing AuthorizedClient.
Spring cloud data channel description for messaging input.
Configuration properties for special behavior on user registration.
Web configuration for the resource side of the auth server
Service responsible for creating authorization servers and clients when a new application is created.
Validator targeting AuthorizationServer
Configuration for engaging default Broadleaf support for Apache Ignite cache
Auth-specific configuration for entity validations.
Common configuration used to set up the token services and converters for the authorization server.
Configures the common service layer that applies to both the resource and authorization server concerns
Autoconfiguration for the username/password login functionality
Handler for the AuthPersistenceConsumer channel that specializes in replicating persisted Application domain information into a subset of that information embodied in the Application domain.
Customization of default translation post mapper member to support translations in auth.
Simple implementation of a SavedRequest.
Save and load OAuth2AuthorizationRequest from a cookie.
This enhances the ClientRegistrationRepository interface to enable users to get all ClientRegistrations at once.
This is added to the OAuth2LoginAuthenticationToken and used by the DefaultSessionAuthenticationStrategy to create cookies after authentication.
Classes that implement this interface will be exposed to the Thymeleaf expression evaluation context.
Represents the data needed to send a notification after an account user submits a cart requiring approval.
Represents a summary of an Approver User.
Spring cloud data channel description for messaging input.
Component responsible for handling CartApprovalRequestEvents.
Spring cloud data channel description for messaging output.
This form backs the change password HTML form as a DTO.
Validator that runs through the fields in the ChangePasswordForm and ensures correctness.
Represents a request to remove a customer segment from multiple users.
Endpoint used for the discovery of authorized client details.
Properties for configuring identity providers for different clients, i.e., admin or commerce client, during a user authorization flow.
This filter helps with the 3rd Party OAuth Server functionality, where this app is acting as an OAuth2 Client to a 3rd party OAuth service.
Service used for returning redirects for a client and/or server
This service is intended to provide OAuthClientRegistrationWrapper objects built from OAuth2ClientProperties defined through application properties.
Indicates that a request was missing a client ID, the client could not be found, or the client does not allow the type of request received.
Responsible for configuring Content Security Policy (CSP) for AuthorizationServerWebSecurityConfiguration.
This interface is intended to encapsulate functionality for accessing client id and tenant id from the request context.
Utility class to assist with storing and retrieving request parameters from request attributes.
Alternative storage mechanism for an original destination before being redirected for login.
Basic cookie functionality shared by DefaultOAuth2AuthorizedClientRepository and BroadleafAuthorizationRequestRepository
A subset of customer information that we're concerned with from Customer Service.
Links an account id to its parent account id.
Endpoint for reading account roles from a customer facing perspective.
Service for managing CustomerAccounts.
Data about the account status change
Enhances tokens with the "customer_context_ids" claim.
Enhances a token with the IDs of CustomerSegments that the User is a member of if they are present in the User attributes map.
Additional functionality necessary for RoleRepository.
Additional functionality necessary for UserPermissionRepository.
Additional functionality necessary for UserRepository.
Respond to AccountMemberRoleChangeRequest to update User roles when an Account Member's roles are updated.
DefaultAccountRoleService<P extends AccountRole,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
Process a CustomerAccountUpdateRequest to respond to updates of an account's status or parent.
DefaultApplicationService<P extends Application,D extends com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable & com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware>
Implementation of AuthorizationCodeServices that better handles our AuthCode domain compared to the Spring provided JdbcAuthorizationCodeServices.
DefaultAuthorizationServerService<P extends AuthorizationServer,D extends com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable & com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware>
DefaultAuthorizedClientService<P extends AuthorizedClient,D extends com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable & com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware>
Default authorization server properties to use when creating an authorization server and authorized clients.
Provides ClientRegistration objects to the OAuth2 Client beans.
Verifies the JWT token being utilized at the resource tier (during the JWT decode) contains the claims issued from the authorization service.
This service provides OAuthClientRegistrationWrapper objects built from OAuth2ClientProperties defined through application properties.
DefaultCustomerAccountService<P extends CustomerAccount,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
Default implementation of ImpersonationRequestValidator that validates that the CSR has authority to impersonate, the impersonated target exists, and that the impersonated target has chosen to allow impersonation.
The seed-data for the default master global admin user.
This service stores an OAuth2AuthorizedClient as a Base64 encoded value in a cookie.
This class holds the necessary fields for saving and loading OAuth2AuthorizedClient.
An OAuth2SessionToken that holds the claims within a HashMap.
An OAuth2UserDetailsService implementation that uses the UserService for loading users by clientId and username.
Provides a BroadleafOAuthClientAuthenticationDetails to the OAuth2LoginAuthenticationFilter during authentication.
DefaultOAuthClientRegistrationPersistenceService<P extends OAuthClientRegistrationWrapper,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
Interacts with the OAuthClientRegistrationRepository to read domain objects and map them to the projection OAuthClientRegistrationWrapper
Basic implementation that will try to handle any OAuth2AuthenticationToken.
Add a new token wrapper type that allows keeping track of the id for the original ancestor refresh token.
DefaultPasscodeService<P extends PasswordToken,U extends User,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
An intermediary data structure used internally by PrivilegeService to hold all the restrictions, flat permissions, restricted roles, and restricted permissions of a user entity and permissions from a server entity to prevent querying the data multiple times.
Based on DefaultTokenServices.
A specialized TokenStore concept used to support the refresh token rotation concept in Broadleaf.
Default implementation of the security service that utilizes the security context and various repositories in order to assess the user's privileges.
This is used to set the session cookie after successful authentication.
A camel cluster service instance that will periodically execute RotatableTokenStore.cleanupBatch(String, int) calls against the datastore.
DefaultUserLoginAttemptService<P extends UserLoginAttempt,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
DefaultUserPasswordService<P extends PasswordToken,U extends User,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
DefaultUserPermissionService<P extends UserPermission,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
DefaultUserRoleService<P extends UserRole,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
DefaultUserService<P extends User,D extends com.broadleafcommerce.data.tracking.core.mapping.BusinessTypeAware & com.broadleafcommerce.data.tracking.core.mapping.ModelMapperMappable>
Default user types managed within this service
Represents a request to get an email with a link to reset a user's password.
Processes an authentication form submission from an embedded login form.
An AuthenticationProvider that retrieves OAuth2UserDetails from an OAuth2UserDetailsService for use with embedded login.
Writes a One-Time Passcode to the response on Embedded Login success.
An Authentication implementation that is designed for simple presentation of an OAuth2 clientId, username, and password.
Indicates that there was an attempt to login a user using embedded login when the AuthorizationServer receiving the request did not allow embedded login.
Thrown if there is a problem writing the One-Time Passcode to the embedded login response.
Authenticates the user for the TokenEndpoint based on a one-time passcode parameter.
Authentication Filter for the TokenEndpoint when using Embedded Login.
Matches requests based on destination and parameters.
Authentication Token for the TokenEndpoint when using Embedded Login.
Used for token requests where there is an EmbeddedLoginTokenEndpointAuthenticationToken in the security context.
Indicates that there was an attempt to register a user using embedded registration when the AuthorizationServer receiving the request did not allow embedded registration.
Converter used to encrypt a string when persisted and decrypt it when read.
Runs as a Liquibase change set.
The default implementation of TenantUrlResolver, which makes external calls to the tenant service for URL resolution of applications and tenant admins.
Properties used by ExternalTenantUrlResolver to determine the paths at which to make requests for admin and application URL resolution.
Processes an authentication form submission for an OAuth2 Authorization Server for Universal Login.
An AuthenticationProvider that retrieves OAuth2UserDetails from an OAuth2UserDetailsService for use with Universal Login.
An Authentication implementation that is designed for simple presentation of an OAuth2 clientId, username, and password.
Maps OAuth2AuthenticationToken from Github to OAuth2UserDetails.
Maps OAuth2AuthenticationToken from Google to OAuth2UserDetails.
Strategy for enhancing an OAuth2SessionToken's claims before it is stored as an HTTP-only cookie.
The initial impersonation request.
The values resolved from an ImpersonationRequest after redirect and token validation.
Validation interface for validating the impersonation of a user in the ImpersonationEndpoint.
Service providing various methods related to the impersonation flow.
An implementation of TokenEnhancer that copies claims from the current CSR's Authentication.getDetails() to the access token claims.
Exception that is thrown in the event that some operation is being performed with a user, but the application context is incompatible.
Exception that is thrown when an invalid application ID is supplied in an operation involving the user-application relationship.
Exception thrown when attempting to archive or delete a UserRole which has descendants still pointing to it as a parent.
An entity holding information about an application registered via the tenant service
Handle persistence operations related to JpaApplication
Additional functionality necessary for JpaRoleRepository.
Additional functionality necessary for JpaUserPermissionRepository.
JPA Representation of a ClientRegistration.ProviderDetails
JPA representation of a ClientRegistration with a tenant id.
JPA Shard partition for recording a refresh token assignment
JPA Shard partition for recording a refresh token assignment
JPA Shard partition for recording a refresh token assignment
JPA Shard partition for recording a refresh token assignment
JPA Shard partition for recording a refresh token assignment
JPA Shard partition for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA Shard partition repository for recording a refresh token assignment
JPA-specific repository for persisted counterparts of UserRole.
Persisted counterpart for a User.
Persistent version of UserHistoricalPassword.
JPA-specific repository for persisted counterparts of UserPermission.
Provides a behavior consistent with http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest.
Configuration properties for OAuth2AuthorizedClientRepository/DefaultOAuth2AuthorizedClientRepository.
The sole purpose of this Template Engine is to add the current request's `client_id` param to the `resolutionAttributes` of the TemplateSpec.
Represents a configured identity provider to be shown as a model attribute in a Thymeleaf template.
Processes an OAuth2 client session Cookie to establish an authentication user.
An AuthenticationProvider that authenticates a user using an OAuth2SessionAuthenticationToken.
An Authentication implementation that is designed for simple presentation of an OAuth2 clientId and JWT session token.
The holder of the claims associated with a user's session.
Filter intended to run after the OAuth2SessionAuthenticationFilter or BasicAuthenticationFilter for requests against the TokenEndpoint.
Configures the DefaultOAuth2UserDetailsService which is used for loading OAuth2UserDetails by clientId and username.
Core interface which loads user-specific data for a certain OAuth2 client.
Beans to support acting as an OAuth Client for 3rd party authentication
Beans to support our custom ClientRegistrationRepository backed by DefaultOAuthClientRegistrationPersistenceService
Configuration to support encrypting entity fields via EncryptedFieldConverter.
Override of the default LiquibaseAutoConfiguration.LiquibaseConfiguration to autowire the authClientPersistenceKey bean and set it to EncryptionMigrationTask.setSecretKey(javax.crypto.SecretKey).
Service responsible for CRUD operations related to OAuthClientRegistrationWrapper.
A wrapper for ClientRegistration.ProviderDetails to allow correspondence with a persistent version of the same.
A non-static wrapper around ClientRegistrations used to make testing easier.
Wrapper for ClientRegistration.
Validate that an OAuthClientRegistrationWrapper has a registration id, client id, and client secret
Handles messages from the Persistence channel, asserting that they contain operation type, id, and timestamp information.
Token enhancer to add the value oid to the token, if it exists.
Thrown when there is an exception during Passcode consumption
This service provides methods for creating and consuming random passcodes.
This validator uses regex to validate new passwords for registration and password resets.
This validator performs various checks on the validity of a password token compared to that of a set of password tokens that belong to a user.
The result of validating a password against rules defined within PasswordRequestValidator
Any of the validations that use regex may be "disabled" by changing the regex to match anything: ^.*$ or nothing: ^$ (e.g., for whitespace or repeated characters)
The seed data permissions will be defined here.
Convenience methods used for processing permissions and authorities
A service that contains various utility functions related to Restriction, RestrictedRole, and RestrictedPermission.
A data structure used by DefaultOAuth2UserDetailsService and PrivilegeService to hold all the authorities, restrictions, and restricted authorities of a User.
Represents a rotatable refresh token assignment.
General interface for all repositories supporting shard partitioned refresh token assignment
Token enhancer that adds several registered JWT claims, such as issuer and audience, as well as a non-standard "max" claim that determines the maximum lifetime of a token.
REST controller for supporting embedded registration.
Controller for supporting form-based registration for Universal Login.
Intended to be used within a JsonView to demarcate which properties are accepted in a request from external (e.g.
Exception to be used when a failure occurs somewhere in the reset password flow for a user.
This form backs the password reset HTML form as a DTO.
Interface for validation of a ResetPasswordForm.
Intended to be used within a JsonView to demarcate which properties are serialized in the response from an endpoint
Represent a permission a user has access to only within specific segment(s) of data.
Represent a role a user has access to only within specific segment(s) of data.
A DTO used to represent a restriction on the data in which a user has access.
Revoke refresh token on logout if provided.
The seed data roles will be defined here.
Repository for persisted counterparts of UserRole.
A specialized TokenStore concept used to support the refresh token rotation concept in Broadleaf.
Service used during the authorization flow to assess the privileges of the current user in order to filter the requested scopes or retrieve the permissions for an access token.
Converts the access token using the defaults within DefaultAccessTokenConverter and then extracts the narrowed set of permissions using SecurityService.extractPermissions(Set) in order to restrict the set of delegated authorities to the set of requested scopes.
Auto-configuration that registers the DefaultSecurityService bean.
A custom request factory implementation that utilizes SecurityService to check that the requested scopes are valid for the request and current user.
Spring cloud data channel description for messaging input.
Handles creation and deletes of customer segment/customer relationships.
Contains constants that are used as keys for token claims for session tokens in TokenEnhancers. Though these are used in OAuth2SessionToken, some of these claims are also used in access tokens.
Contains properties dictating SSL verification.
Utility for JWT-based cookies - specifically those intended to drive stateless behavior, such as stateless sessions.
Properties to configure behavior of StatelessUtil/StatelessUtilImpl.
Token enhancer to add the values "tenant_access", "application_access", "tenant_id" and "application_ids" to the token, if they exist.
Responsible for resolving the base URL at which an application or admin is served given the ID of an application or tenant.
Configuration for the TenantUrlResolver.
Configuration specific to the token handling in the auth service
Convenience methods for common operations when enhancing tokens.
Set up spring data repositories and entities for refresh token related domain
Configuration properties for refresh token rotation handling
A generation strategy that generates a ULID for a primary key.
A DTO matching the expected structure of a URL resolution response from the tenant service.
Represents a user which can authenticate with this service.
Endpoint for retrieving information about the currently authenticated user
Updates PII fields for the User domain.
Spring cloud data channel description for messaging input.
Listens to user claims request events and delegates them to the UserAttributesRequestHandler.
A request DTO to adjust the attributes on a particular User.
Add additional attributes to a User
Intended for use as a request scoped bean to be utilized by TokenEnhancers that need to read the currently authenticated user.
A message event dispatched when a user is registered within the system.
The seed data users will be defined here.
Endpoints for CRUD operations on User.
Represents a historical user password including useful metadata such as the date it was created to allow enforcing user password policies such as not allowing them to set a new password that is the same as one they used within the last three months.
Endpoint for retrieving information about the currently authenticated user
Optional properties when handling user lockout due to failed login attempts.
Service responsible for handling login attempts.
Represents a login attempt by a user
Service for managing user login attempts.
Properties for authentication controllers
Service for doing user authentication actions
This validator uses regex to validate usernames.
Thrown when login fails because the user is not marked as active.
The API domain that represents a scope and operation types a user has access to on that scope.
Payload describing the operations a user is allowed to perform.
Service API for UserOperation.
Used to convert a List of HistoricalPasswords to a serialized JSON object string representation for persistence and vice-versa.
Properties to configure certain password settings.
Endpoint for CRUD operations on UserPermissions
An alternative DTO object to use for the specific use case of being an element in collection fields of parent entities.
Repository for persisted counterparts of UserPermission.
Provides CRUD management operations on UserPermission.
Validations for UserPermission.
Representation of a registration from the frontend
Spring cloud data channel description for messaging output.
Registers new users into the user data store
Hook point for User.setType(String) when creating new users from the UserRegistrationService.
Token enhancer that includes user restrictions and restricted authorities within the token.
Returned by UserRoleAncestryHydrationService in response to hydration requests.
A UserRole can have ancestors, starting with its direct parent defined in UserRole.parentRoleId up to the top-level ancestor.
Endpoint for CRUD operations on UserRoles
An alternative DTO object to use for the specific use case of being an element in collection fields of parent entities.
Validations for UserRole.
Token enhancer that puts various relevant user data into the token's OAuth2AccessToken.getAdditionalInformation().
Default possible values for User.type.
Output channel used when a User update occurs.
Validations for User.
This filter is for verifying that there's a saved redirect cookie on the request for certain URIs.
Properties used for VerifyRedirectCookieFilter