In this section you will learn about the security aspects implemented by bootsaas.
There are currently two ways provided for authenticating users:
- with the login form, i.e. email and password
- with one of the following OAuth2 providers: Google, Facebook, GitHub, Okta
There are pages already implemented for handling user login, with two buttons added for Google and GitHub. You can easily customize the page and add or remove providers.
To make email and password authentication work, you don't have to do anything. The only requirement is that your database is up and your schema is correct, which should be done automatically. (You should turn off the ddl-auto property once you go to prod, and manage your schema some other way, like Flyway or Liquibase.)
For OAuth2 logins to work, you need to provide the key and secret of each provider you intend to use.
If you want to use Google, you should populate these properties in application.properties:
spring.security.oauth2.client.registration.google.client-id
spring.security.oauth2.client.registration.google.client-secret
And that's it; you only need to add the buttons to the login page. But make sure the buttons use the correct path. There is a function I created for that: getProviderLoginUrl(providerName)
Authentication is managed via the session (stateful); you don't need to worry about passing a JWT token to the backend, as the cookies will be sent automatically by the browser.
CSRF protection is implemented, and the httpClient (axios) will automatically include the X-XSRF token header in each request, so you don't need to worry about that either. In the root layout there is a call to fetch a CSRF token, to make sure we have the token as soon as the app loads.
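To make clear why the cookie-plus-header pattern above protects the stateful session, here is an added, self-contained illustration of the server-side check (it is not the starter's code, and Spring Security's CsrfFilter performs this for you; the class and method names are hypothetical). A cross-site page can make the browser attach the XSRF-TOKEN cookie, but it cannot read that cookie to copy it into the X-XSRF-TOKEN header, so a request carrying only the cookie is rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Conceptual illustration of the cookie-to-header CSRF check (added example,
// not the starter's code; Spring Security's CsrfFilter does this for you).
public class CsrfDoubleSubmitDemo {

    static final String COOKIE_NAME = "XSRF-TOKEN";   // cookie the backend issues
    static final String HEADER_NAME = "X-XSRF-TOKEN"; // header the client copies it into

    private static final SecureRandom RANDOM = new SecureRandom();

    // What the "fetch a CSRF token" call at app start does: issue a fresh random
    // token in a cookie readable by JavaScript (HttpOnly=false), so the client
    // can echo it back in a request header.
    static String issueToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Parse a raw Cookie header ("a=1; XSRF-TOKEN=abc") into a map.
    static Map<String, String> parseCookies(String cookieHeader) {
        Map<String, String> cookies = new HashMap<>();
        if (cookieHeader == null) return cookies;
        for (String part : cookieHeader.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) {
                cookies.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
            }
        }
        return cookies;
    }

    // Server-side check for a state-changing request: the header value must be
    // present and equal to the cookie value.
    static boolean isValidRequest(String method, Map<String, String> headers) {
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) {
            return true; // safe methods are not protected, as in Spring Security
        }
        String cookieToken = parseCookies(headers.get("Cookie")).get(COOKIE_NAME);
        String headerToken = headers.get(HEADER_NAME);
        if (cookieToken == null || headerToken == null) return false;
        // constant-time comparison, so the check leaks nothing about the token
        return MessageDigest.isEqual(
                cookieToken.getBytes(StandardCharsets.UTF_8),
                headerToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = issueToken();

        // Constructed request as the app's axios client would send it
        Map<String, String> sameOrigin = new HashMap<>();
        sameOrigin.put("Cookie", "JSESSIONID=sess123; " + COOKIE_NAME + "=" + token);
        sameOrigin.put(HEADER_NAME, token);
        System.out.println("same-origin POST accepted: " + isValidRequest("POST", sameOrigin));

        // Constructed cross-site request: the browser attaches the cookies, but
        // the other site could not read the cookie to fill in the header
        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("Cookie", "JSESSIONID=sess123; " + COOKIE_NAME + "=" + token);
        System.out.println("cross-site POST accepted: " + isValidRequest("POST", crossSite));
    }
}
```

Running main prints true for the same-origin request and false for the cross-site one. The constant-time comparison is the one detail worth keeping if you ever write such a check yourself.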
Authorization is managed via roles, and there are 4 roles implemented:
USER
ADMIN
ORG_ADMIN
DEVELOPER
USER is a role assigned to every user; as such it doesn't grant any special permissions. Any user that is authenticated will have this role.
ADMIN is a role that should only be assigned to a global admin, such as yourself. In the starter, users with the ADMIN role have access to things like orders and products that are not accessible to other roles.
ORG_ADMIN is a role that should be assigned to an admin of an organization. Organization admins can invite other users to an organization and make changes to an organization, which are not accessible to the normal USER role.
DEVELOPER is a role that should be assigned to a developer. There is nothing specific implemented for this role.
These are all very customizable: you can decide how to use the roles yourself, add more of them, or disregard them completely.
I've implemented the permission checks in the service layer, separately for each action, because that is the way I prefer it, but you can use the AOP method-level annotations or whatever other strategy from Spring Security you prefer.
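As an added example of what a per-action check in the service layer looks like (not the starter's own code; AppUser, Organization, OrganizationService and ForbiddenException are hypothetical names), the block below applies the role model described above. The point it shows beyond the text: for ORG_ADMIN the role alone is not enough, the caller must also administer the specific organization being changed, or any org admin could act on every organization; the global ADMIN role bypasses that membership check.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example of service-layer permission checks; class names are hypothetical.
public class ServiceLayerAuthzDemo {

    record AppUser(long id, Set<String> roles) {
        boolean has(String role) { return roles.contains(role); }
    }

    // adminUserIds: ids of the users who are ORG_ADMIN for this organization
    record Organization(long id, String name, Set<Long> adminUserIds) {}

    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    static class OrganizationService {
        private final Map<Long, Organization> orgs;
        OrganizationService(Map<Long, Organization> orgs) { this.orgs = orgs; }

        // Each action checks permissions itself, before touching any data.
        void inviteUser(AppUser caller, long orgId, String inviteeEmail) {
            Organization org = requireOrg(orgId);
            requireOrgAdmin(caller, org);
            // persisting the invitation and sending mail are omitted
            System.out.printf("user %d invited %s to %s%n", caller.id(), inviteeEmail, org.name());
        }

        void rename(AppUser caller, long orgId, String newName) {
            Organization org = requireOrg(orgId);
            requireOrgAdmin(caller, org);
            orgs.put(orgId, new Organization(org.id(), newName, org.adminUserIds()));
        }

        private Organization requireOrg(long orgId) {
            Organization org = orgs.get(orgId);
            if (org == null) throw new IllegalArgumentException("no such organization");
            return org;
        }

        // Global ADMIN may manage any organization; ORG_ADMIN only their own.
        private static void requireOrgAdmin(AppUser caller, Organization org) {
            if (caller.has("ADMIN")) return;
            if (caller.has("ORG_ADMIN") && org.adminUserIds().contains(caller.id())) return;
            throw new ForbiddenException("user " + caller.id()
                    + " may not administer organization " + org.id());
        }
    }

    public static void main(String[] args) {
        // constructed sample data
        Map<Long, Organization> orgs = new HashMap<>();
        orgs.put(1L, new Organization(1L, "Acme", Set.of(10L)));
        orgs.put(2L, new Organization(2L, "Globex", Set.of(20L)));
        OrganizationService service = new OrganizationService(orgs);

        AppUser acmeAdmin = new AppUser(10L, Set.of("USER", "ORG_ADMIN"));
        AppUser plainUser = new AppUser(30L, Set.of("USER"));
        AppUser globalAdmin = new AppUser(1L, Set.of("USER", "ADMIN"));

        service.inviteUser(acmeAdmin, 1L, "bob@example.com");   // allowed: admin of Acme
        service.inviteUser(globalAdmin, 2L, "eve@example.com"); // allowed: global ADMIN
        try {
            service.inviteUser(acmeAdmin, 2L, "mallory@example.com"); // denied: not Globex admin
        } catch (ForbiddenException e) { System.out.println("denied: " + e.getMessage()); }
        try {
            service.rename(plainUser, 1L, "Renamed"); // denied: plain USER
        } catch (ForbiddenException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

If you move to Spring Security's method-level annotations instead, the membership part of this check (caller administers this organization, not just any) is the piece that still needs an expression or a custom check; a plain hasRole('ORG_ADMIN') does not cover it.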