Class AuthorizationServerProperties
Author: Phillip Verheyden (phillipuniverse), Jeff Fischer, Nick Crum (ncrum)
Nested Class Summary
Modifier and Type / Class / Description
- static class AuthorizationServerProperties.ContentSecurityPolicyProperties: Properties configuring the behavior of ContentSecurityPolicyConfigurer.
- static class AuthorizationServerProperties.DispatcherTypeAuthorizationProperties
- static class
- static enum: If enabled, this should be the value to use for the directive.
Constructor Summary
- AuthorizationServerProperties()
Method Summary
Modifier and Type / Method / Description
- protected boolean canEqual(Object other)
- boolean equals(Object o)
- AuthorizationServerProperties.ContentSecurityPolicyProperties getContentSecurityPolicy(): Properties pertaining to Content Security Policy (CSP) configuration.
- AuthorizationServerProperties.DispatcherTypeAuthorizationProperties getDispatcherTypeAuthorization(): Properties pertaining to dispatcher type authorization configuration.
- getFrameOptions(): Determines the value and presence of the X-Frame-Options header.
- Set<String> getGlobalDomainWhitelist(): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used to validate a requested redirect URI that represents a global admin login.
- Set<String> getGlobalPrefixWhitelist(): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain name prefixes that can be used to validate a requested redirect URI that represents a global admin login.
- String getLoginPathOrUrl(): Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page.
- String getLogoutRedirectParameter(): The name of the parameter that indicates the URI to where the user should be forwarded after successful logout.
- getOauth2()
- String[] getPrefixedDomainWhitelist(): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used in conjunction with subdomains registered for applications.
- int hashCode()
- boolean isPkceEnabled(): Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled.
- boolean isUseRedirectUriHost(): Deprecated.
- void setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy): Properties pertaining to Content Security Policy (CSP) configuration.
- void setDispatcherTypeAuthorization(AuthorizationServerProperties.DispatcherTypeAuthorizationProperties dispatcherTypeAuthorization): Properties pertaining to dispatcher type authorization configuration.
- void setFrameOptions(...): Determines the value and presence of the X-Frame-Options header.
- void setGlobalDomainWhitelist(Set<String> globalDomainWhitelist): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used to validate a requested redirect URI that represents a global admin login.
- void setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain name prefixes that can be used to validate a requested redirect URI that represents a global admin login.
- void setLoginPathOrUrl(String loginPathOrUrl): Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page.
- void setLogoutRedirectParameter(String logoutRedirectParameter): The name of the parameter that indicates the URI to where the user should be forwarded after successful logout.
- void setOauth2(...)
- void setPkceEnabled(boolean pkceEnabled): Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled.
- void setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist): If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used in conjunction with subdomains registered for applications.
- void setUseRedirectUriHost(boolean useRedirectUriHost): Deprecated.
- String toString()

Constructor Details

AuthorizationServerProperties
public AuthorizationServerProperties()

Method Details

getOauth2

isUseRedirectUriHost
Deprecated. This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path.
Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist. Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

getPrefixedDomainWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.

getLoginPathOrUrl
Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or relative path as needed.

getGlobalDomainWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.

getGlobalPrefixWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.

getContentSecurityPolicy
Properties pertaining to Content Security Policy (CSP) configuration.

getDispatcherTypeAuthorization
public AuthorizationServerProperties.DispatcherTypeAuthorizationProperties getDispatcherTypeAuthorization()
Properties pertaining to dispatcher type authorization configuration.

getFrameOptions
Determines the value and presence of the X-Frame-Options header.

isPkceEnabled
public boolean isPkceEnabled()
Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled. Read more here.

getLogoutRedirectParameter
The name of the parameter that indicates the URI to where the user should be forwarded after successful logout. The parameter should be included in logout requests from clients utilizing refresh tokens, e.g. cross-site websites or embedded apps.

setOauth2

setUseRedirectUriHost
Deprecated. This property has been deprecated as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, the requests will automatically be redirected to the forwarded host/path.
Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist. Note, when false, it may be necessary to configure a ForwardedHeaderFilter in Spring Security configuration to accommodate any gateway or docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server does set X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly so that saved requests end up routing to the appropriate location when needed. In the same vein, if you have this auth server situated behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it's receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

setPrefixedDomainWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.

setLoginPathOrUrl
Either the path portion only to the login page (e.g. /login), or the absolute URL to the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or relative path as needed.

setGlobalDomainWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.

setGlobalPrefixWhitelist
If a tenant enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list serves to declare the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
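As an added illustration of how the three whitelists above constrain a requested redirect URI (this is hypothetical code written for this page, not Broadleaf's implementation): the validator assumes whitelist entries are lowercase hostnames and, for the global prefix list, that a whitelisted prefix is accepted in front of a whitelisted prefixed domain; the sample hosts are constructed.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Hypothetical validator (not Broadleaf code). Hosts are parsed from the URI and
// compared exactly against the lists, never by substring or startsWith on the raw string.
public final class RedirectHostValidator {
    private final Set<String> globalDomainWhitelist;   // e.g. "global.mycompany.com"
    private final Set<String> globalPrefixWhitelist;   // e.g. "global"
    private final Set<String> prefixedDomainWhitelist; // e.g. "mycompany.com"

    public RedirectHostValidator(Set<String> globalDomains, Set<String> globalPrefixes,
                                 Set<String> prefixedDomains) {
        this.globalDomainWhitelist = globalDomains;
        this.globalPrefixWhitelist = globalPrefixes;
        this.prefixedDomainWhitelist = prefixedDomains;
    }

    /** Global admin login: exact whitelisted global domain, or (assumed pairing)
     *  a whitelisted global prefix followed by a whitelisted prefixed domain. */
    public boolean isGlobalAdminRedirectAllowed(String redirectUri) {
        String host = hostOf(redirectUri);
        if (host == null) return false;
        if (globalDomainWhitelist.contains(host)) return true;
        int dot = host.indexOf('.');
        if (dot <= 0) return false;
        return globalPrefixWhitelist.contains(host.substring(0, dot))
                && prefixedDomainWhitelist.contains(host.substring(dot + 1));
    }

    /** Application login with a DOMAIN_PREFIX identifier: the host must be exactly
     *  <application identifier>.<whitelisted prefixed domain>. */
    public boolean isApplicationRedirectAllowed(String redirectUri, String applicationIdentifier) {
        String host = hostOf(redirectUri);
        if (host == null) return false;
        String id = applicationIdentifier.toLowerCase(Locale.ROOT);
        return prefixedDomainWhitelist.stream().anyMatch(d -> host.equals(id + "." + d));
    }

    // Unparseable or host-less URIs are rejected rather than guessed at.
    private static String hostOf(String uri) {
        try {
            String host = URI.create(uri).getHost();
            return host == null ? null : host.toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        RedirectHostValidator v = new RedirectHostValidator(
                Set.of("global.mycompany.com"), Set.of("global"), Set.of("mycompany.com"));
        System.out.println(v.isGlobalAdminRedirectAllowed("https://global.mycompany.com/admin"));
        System.out.println(v.isGlobalAdminRedirectAllowed("https://global.mycompany.com.other.example/"));
        System.out.println(v.isApplicationRedirectAllowed("https://shop1.mycompany.com/cb", "shop1"));
        System.out.println(v.isApplicationRedirectAllowed("https://shop1.mycompany.com/cb", "shop2"));
    }
}
```

The second and fourth calls in main are rejected: a host with extra labels appended does not equal any whitelisted host, and an application may only redirect to its own registered subdomain.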

setContentSecurityPolicy
public void setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy)
Properties pertaining to Content Security Policy (CSP) configuration.

setDispatcherTypeAuthorization
public void setDispatcherTypeAuthorization(AuthorizationServerProperties.DispatcherTypeAuthorizationProperties dispatcherTypeAuthorization)
Properties pertaining to dispatcher type authorization configuration.

setFrameOptions
Determines the value and presence of the X-Frame-Options header.

setPkceEnabled
public void setPkceEnabled(boolean pkceEnabled)
Whether the Proof-Key-for-Code-Exchange enhancement for the Authorization Code Flow should be enabled. Read more here.

setLogoutRedirectParameter
The name of the parameter that indicates the URI to where the user should be forwarded after successful logout. The parameter should be included in logout requests from clients utilizing refresh tokens, e.g. cross-site websites or embedded apps.

equals

canEqual

hashCode
public int hashCode()

toString