Class AuthorizationServerProperties

java.lang.Object
com.broadleafcommerce.auth.user.autoconfigure.AuthorizationServerProperties

@Validated @ConfigurationProperties("broadleaf.auth.security") public class AuthorizationServerProperties extends Object
Author:
Phillip Verheyden (phillipuniverse), Jeff Fischer, Nick Crum (ncrum)
  • Constructor Details

    • AuthorizationServerProperties

      public AuthorizationServerProperties()
  • Method Details

    • getOauth2

    • isUseRedirectUriHost

      @Deprecated public boolean isUseRedirectUriHost()
      Deprecated.
      This property has been deprecated because a ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When that filter is in place, requests are automatically redirected to the forwarded host/path. Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist.

      Note: when false, it may be necessary to configure a ForwardedHeaderFilter in the Spring Security configuration to accommodate any gateway or Docker request manipulation that occurs before the request reaches this authentication provider. For example, in the reference implementation the auth server is routed through the gateway server. The gateway server sets X-FORWARDED-* headers that the ForwardedHeaderFilter catches and uses to set up the incoming request correctly, so that saved requests end up routing to the appropriate location when needed. In the same vein, if this auth server sits behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it receives requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

    • getPrefixedDomainWhitelist

      public String[] getPrefixedDomainWhitelist()
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain names that can be used in conjunction with subdomains registered for applications via Application.getIdentifierType() with ResolutionIdentifierType.DOMAIN_PREFIX.
    • getLoginPathOrUrl

      public String getLoginPathOrUrl()
      Either the path portion only of the login page (e.g. /login), or the absolute URL of the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, this should be the login path only, since the system will dynamically build the login form URL. Otherwise, this value can be a full URL or a relative path as needed.
    • getGlobalDomainWhitelist

      public Set<String> getGlobalDomainWhitelist()
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
    • getGlobalPrefixWhitelist

      public Set<String> getGlobalPrefixWhitelist()
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
    • getContentSecurityPolicy

      Properties pertaining to Content Security Policy (CSP) configuration.
    • getDispatcherTypeAuthorization

      Properties pertaining to dispatcher type authorization configuration.
    • getFrameOptions

      Determines the value and presence of the X-Frame-Options header.
    • isPkceEnabled

      public boolean isPkceEnabled()
      Whether the Proof Key for Code Exchange (PKCE) enhancement of the Authorization Code flow should be enabled.
    • getLogoutRedirectParameter

      @Nullable public String getLogoutRedirectParameter()
      The name of the parameter that carries the URI to which the user should be forwarded after a successful logout. The parameter should be included in logout requests from clients that use refresh tokens, e.g. cross-site websites or embedded apps.
    • setOauth2

      public void setOauth2(AuthorizationServerProperties.OAuth2 oauth2)
    • setUseRedirectUriHost

      @Deprecated public void setUseRedirectUriHost(boolean useRedirectUriHost)
      Deprecated.
      This property has been deprecated because a ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When that filter is in place, requests are automatically redirected to the forwarded host/path. Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist.

      Note: when false, it may be necessary to configure a ForwardedHeaderFilter in the Spring Security configuration to accommodate any gateway or Docker request manipulation that occurs before the request reaches this authentication provider. For example, in the reference implementation the auth server is routed through the gateway server. The gateway server sets X-FORWARDED-* headers that the ForwardedHeaderFilter catches and uses to set up the incoming request correctly, so that saved requests end up routing to the appropriate location when needed. In the same vein, if this auth server sits behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter, since the assumption is that it receives requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

    • setPrefixedDomainWhitelist

      public void setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist)
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain names that can be used in conjunction with subdomains registered for applications via Application.getIdentifierType() with ResolutionIdentifierType.DOMAIN_PREFIX.
    • setLoginPathOrUrl

      public void setLoginPathOrUrl(String loginPathOrUrl)
      Either the path portion only of the login page (e.g. /login), or the absolute URL of the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, this should be the login path only, since the system will dynamically build the login form URL. Otherwise, this value can be a full URL or a relative path as needed.
    • setGlobalDomainWhitelist

      public void setGlobalDomainWhitelist(Set<String> globalDomainWhitelist)
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
    • setGlobalPrefixWhitelist

      public void setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist)
      If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
    • setContentSecurityPolicy

      public void setContentSecurityPolicy(AuthorizationServerProperties.ContentSecurityPolicyProperties contentSecurityPolicy)
      Properties pertaining to Content Security Policy (CSP) configuration.
    • setDispatcherTypeAuthorization

      public void setDispatcherTypeAuthorization(AuthorizationServerProperties.DispatcherTypeAuthorizationProperties dispatcherTypeAuthorization)
      Properties pertaining to dispatcher type authorization configuration.
    • setFrameOptions

      public void setFrameOptions(AuthorizationServerProperties.XFrameOptionsMode frameOptions)
      Determines the value and presence of the X-Frame-Options header.
    • setPkceEnabled

      public void setPkceEnabled(boolean pkceEnabled)
      Whether the Proof Key for Code Exchange (PKCE) enhancement of the Authorization Code flow should be enabled.
    • setLogoutRedirectParameter

      public void setLogoutRedirectParameter(@Nullable String logoutRedirectParameter)
      The name of the parameter that carries the URI to which the user should be forwarded after a successful logout. The parameter should be included in logout requests from clients that use refresh tokens, e.g. cross-site websites or embedded apps.
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • canEqual

      protected boolean canEqual(Object other)
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
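The deprecation notes on isUseRedirectUriHost and setUseRedirectUriHost say to rely on Spring's ForwardedHeaderFilter instead of the flag. The following is an added example, not Broadleaf code, of registering that filter ahead of the Spring Security chain in a servlet-based auth server; the configuration class name is hypothetical, and it assumes the server is only reachable through the gateway or load balancer that sets the forwarded headers.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Registers Spring's ForwardedHeaderFilter so that the X-Forwarded-Host,
 * X-Forwarded-Proto and X-Forwarded-Port headers (or an RFC 7239 Forwarded
 * header) set by the gateway are applied to the request before Spring
 * Security sees it. Saved requests and the login redirect then resolve to
 * the externally visible host, which is what the deprecated
 * use-redirect-uri-host flag used to approximate.
 */
@Configuration
public class ForwardedHeaderConfig { // hypothetical class name

    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        // removeOnly=false is the default: honour the headers rather than only
        // stripping them. The filter trusts whatever forwarded values arrive,
        // so this is only safe when the auth server is not directly reachable
        // and the gateway overwrites any client-supplied forwarded headers.
        filter.setRemoveOnly(false);

        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(filter);
        // Run before the Spring Security filter chain so the rewritten
        // scheme/host/port is what the redirect-URI whitelist check and the
        // saved-request cache observe.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```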