Class AuthorizationServerProperties
Author:
Phillip Verheyden (phillipuniverse), Jeff Fischer, Nick Crum (ncrum)
Nested Class Summary
Modifier and Type    Class    Description
static class    AuthorizationServerProperties.ContentSecurityPolicyProperties    Properties configuring the behavior of ContentSecurityPolicyConfigurer.
static class
static enum    If enabled, this should be the value to use for the directive.
Constructor Summary
AuthorizationServerProperties()
Method Summary
Modifier and Type    Method    Description
protected boolean    canEqual(Object other)
boolean    equals(Object o)
AuthorizationServerProperties.ContentSecurityPolicyProperties    getContentSecurityPolicy()    Properties pertaining to Content Security Policy (CSP) configuration.
    getFrameOptions()    Determines the value and presence of the X-Frame-Options header.
Set<String>    getGlobalDomainWhitelist()    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used to validate a requested redirect URI that represents a global admin login.
Set<String>    getGlobalPrefixWhitelist()    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes that can be used to validate a requested redirect URI that represents a global admin login.
String    getLoginPathOrUrl()    Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page.
    getOauth2()
String[]    getPrefixedDomainWhitelist()    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications.
int    hashCode()
boolean    isPkceEnabled()    Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled.
boolean    isUseRedirectUriHost()    Deprecated.
void    setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy)    Properties pertaining to Content Security Policy (CSP) configuration.
void    setFrameOptions(...)    Determines the value and presence of the X-Frame-Options header.
void    setGlobalDomainWhitelist(Set<String> globalDomainWhitelist)    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used to validate a requested redirect URI that represents a global admin login.
void    setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist)    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes that can be used to validate a requested redirect URI that represents a global admin login.
void    setLoginPathOrUrl(String loginPathOrUrl)    Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page.
void    setOauth2(...)
void    setPkceEnabled(boolean pkceEnabled)    Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled.
void    setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist)    If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications.
void    setUseRedirectUriHost(boolean useRedirectUriHost)    Deprecated.
String    toString()
Constructor Details
AuthorizationServerProperties
public AuthorizationServerProperties()
Method Details
getOauth2
isUseRedirectUriHost
public boolean isUseRedirectUriHost()
Deprecated. This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path.
Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist. Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.
getPrefixedDomainWhitelist
public String[] getPrefixedDomainWhitelist()
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.
getLoginPathOrUrl
public String getLoginPathOrUrl()
Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or relative path as needed.
getGlobalDomainWhitelist
public Set<String> getGlobalDomainWhitelist()
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
getGlobalPrefixWhitelist
public Set<String> getGlobalPrefixWhitelist()
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
getContentSecurityPolicy
public AuthorizationServerProperties.ContentSecurityPolicyProperties getContentSecurityPolicy()
Properties pertaining to Content Security Policy (CSP) configuration.
getFrameOptions
Determines the value and presence of the X-Frame-Options header.
isPkceEnabled
public boolean isPkceEnabled()
Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled. Read more here.
setOauth2
setUseRedirectUriHost
public void setUseRedirectUriHost(boolean useRedirectUriHost)
Deprecated. This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path.
Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist. Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.
setPrefixedDomainWhitelist
public void setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist)
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.
setLoginPathOrUrl
public void setLoginPathOrUrl(String loginPathOrUrl)
Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or relative path as needed.
setGlobalDomainWhitelist
public void setGlobalDomainWhitelist(Set<String> globalDomainWhitelist)
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
setGlobalPrefixWhitelist
public void setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist)
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
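The three whitelists described under getGlobalDomainWhitelist, getGlobalPrefixWhitelist and getPrefixedDomainWhitelist (and their setters) are only as safe as the host comparison that consumes them. The following class is an added example, not Broadleaf's own code; the way it combines the three lists with a DOMAIN_PREFIX application identifier, and the class and method names, are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Set;

// Illustrative validator, not Broadleaf's own code. It assumes the whitelists combine
// as the property descriptions suggest: a global admin redirect host must equal an
// entry of globalDomainWhitelist, or be <prefix>.<domain> for a prefix in
// globalPrefixWhitelist and a domain in prefixedDomainWhitelist; an application with a
// DOMAIN_PREFIX identifier lives at <identifier>.<domain>. Hosts are compared whole
// (case-insensitively), never by substring or suffix, so "evil-global.myCompany.com"
// and "global.myCompany.com.evil.net" are both rejected.
public final class RedirectUriHostValidator {
    private final Set<String> globalDomains;  // e.g. global.myCompany.com
    private final Set<String> globalPrefixes; // e.g. global
    private final String[] prefixedDomains;   // e.g. myCompany.com

    public RedirectUriHostValidator(Set<String> globalDomainWhitelist,
                                    Set<String> globalPrefixWhitelist,
                                    String[] prefixedDomainWhitelist) {
        this.globalDomains = globalDomainWhitelist;
        this.globalPrefixes = globalPrefixWhitelist;
        this.prefixedDomains = prefixedDomainWhitelist.clone();
    }

    /** Is the requested redirect URI an acceptable global admin login target? */
    public boolean isAllowedGlobalRedirect(String redirectUri) {
        String host = hostOf(redirectUri);
        if (host == null) return false;
        if (globalDomains.stream().anyMatch(host::equalsIgnoreCase)) return true;
        return globalPrefixes.stream().anyMatch(p -> matchesPrefixedDomain(host, p));
    }

    /** Is the requested redirect URI an acceptable target for the given application? */
    public boolean isAllowedApplicationRedirect(String redirectUri, String appIdentifier) {
        String host = hostOf(redirectUri);
        return host != null && matchesPrefixedDomain(host, appIdentifier);
    }

    private boolean matchesPrefixedDomain(String host, String label) {
        return Arrays.stream(prefixedDomains).anyMatch(d -> host.equalsIgnoreCase(label + "." + d));
    }

    // java.net.URI parses the authority, so "https://global.myCompany.com@evil.net/"
    // yields host evil.net rather than the whitelisted name hidden in the userinfo part.
    private static String hostOf(String redirectUri) {
        try {
            return new URI(redirectUri).getHost(); // null for relative or host-less URIs
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

With globalDomains = {global.myCompany.com}, globalPrefixes = {global} and prefixedDomains = {myCompany.com}, isAllowedGlobalRedirect accepts https://global.myCompany.com/admin and rejects https://evil-global.myCompany.com/admin, while isAllowedApplicationRedirect(".../", "store1") accepts only hosts equal to store1.myCompany.com.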
setContentSecurityPolicy
public void setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy)
Properties pertaining to Content Security Policy (CSP) configuration.
setFrameOptions
Determines the value and presence of the X-Frame-Options header.
setPkceEnabled
public void setPkceEnabled(boolean pkceEnabled)
Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled. Read more here.
equals
public boolean equals(Object o)
canEqual
protected boolean canEqual(Object other)
hashCode
public int hashCode()
toString
public String toString()