Interface SecurityEnhancer


  • @Order(0)
    public interface SecurityEnhancer
    Adjusts the HttpSecurity setup before a ResourceServerConfigurerAdapter is invoked for final endpoint security configuration. This is especially useful with request matchers for authentication requirements. For example, the configuration extending from an adapter implementation like ResourceServerConfigurerAdapter (e.g. Broadleaf's OAuth2SecurityConfig) often includes a blanket request security requirement like:

         http.authorizeRequests().antMatchers("/**").authenticated();
     

    However, an individual resource tier service may want to allow a certain endpoint call to utilize anonymous authentication. A bean class implementing SecurityEnhancer could achieve this goal by providing configuration like so:

         http.authorizeRequests().antMatchers("/content/**").permitAll();
     

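    The SecurityEnhancer's configuration will be put into place before the adapter's configuration, and will therefore take precedence: Spring Security evaluates request matchers in the order they are declared and applies the first one that matches.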

    Note, SecurityEnhancer is useful when you want to contribute tweaks to an otherwise configured security system. If you prefer to configure security from scratch, you can omit the out-of-the-box Broadleaf security library dependency, or configure the Broadleaf security autoconfiguration to be ignored. Moreover, if Broadleaf has included a SecurityEnhancer component that you wish to override, you may simply introduce a new SecurityEnhancer bean with the different, desired configuration and give it an Order annotation of higher precedence.

    Finally, note that Spring Security itself is unaware of SecurityEnhancer. To take advantage of SecurityEnhancer, a ResourceServerConfigurerAdapter style component must be present that utilizes any SecurityEnhancer beans currently available. Broadleaf's OAuth2SecurityConfig is an example of this for the out-of-the-box OAuth2 security configuration.

    Author:
    Jeff Fischer
    • Method Detail

      • configure

        void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                throws Exception
        Throws:
        Exception
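
An added example, not taken from Broadleaf's code base: a SecurityEnhancer bean next to a minimal ResourceServerConfigurerAdapter that applies the available enhancers before its blanket rule, as the description above requires. The class names, the -10 order value and the GET-only restriction are assumptions, and the SecurityEnhancer import is left out because its package is not shown on this page.

```java
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.stereotype.Component;
// Also import SecurityEnhancer from the Broadleaf security library
// (its package is not shown on this page).

/** Hypothetical enhancer: opens read-only content endpoints to anonymous callers. */
@Component
@Order(-10) // lower value = higher precedence than the interface's @Order(0)
public class PublicContentSecurityEnhancer implements SecurityEnhancer {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Assumption: only GET has to be public. This is narrower than
        // antMatchers("/content/**").permitAll(), which opens every HTTP method.
        http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/content/**").permitAll();
    }
}

/** Hypothetical stand-in for an adapter such as Broadleaf's OAuth2SecurityConfig. */
@Configuration
@EnableResourceServer
class ExampleResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Spring injects the list sorted by @Order; at least one enhancer bean must exist.
    private final List<SecurityEnhancer> enhancers;

    ExampleResourceServerConfig(List<SecurityEnhancer> enhancers) {
        this.enhancers = enhancers;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Enhancer rules are registered first, so they are matched first.
        for (SecurityEnhancer enhancer : enhancers) {
            enhancer.configure(http);
        }
        // Blanket rule last: anything no enhancer matched still requires authentication.
        http.authorizeRequests().antMatchers("/**").authenticated();
    }
}
```

With this ordering, an anonymous GET to /content/** is permitted, while every other request, including a POST to /content/**, falls through to the authenticated() rule.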