Security Customize
Security Considerations
Security - Authentication & Authorization
Security authentication verifies a user's identity, while authorization determines what that verified user is allowed to do or access.
Security - RBAC (Role-Based Access Control)
Role-based access control (RBAC) is a model for authorizing end-user access to resources, operations and data based on roles.
Security RBAC for CRUD (Role-Based Access Control for Create, Read, Update, Delete) is a security model that assigns permissions for data operations (Create, Read, Update, Delete) to specific user roles.
RBAC, Roles, Permissions, Users
- Default Roles & Users:
| Role | Description |
|---|---|
| USER | User Role |
| ADMIN | Admin Role |
| SUADMIN | Super Admin Role |
- The SUADMIN role is used for adding users and roles and for setting permissions.
- Default Users & Roles Assigned:
| User | Roles Assigned |
|---|---|
| emUser | USER |
| emAdmin | USER, ADMIN |
| emSuAdmin | SUADMIN |
For Roles, EasyManage sets generic permissions for CRUD operations on all tables (objects), as per below:
Roles Vs CRUD Ops Permissions
| Role | Read | Create | Update | Delete |
|---|---|---|---|---|
| USER | ✅ | ✅ | ✅ | - |
| ADMIN | ✅ | ✅ | ✅ | |
Security Scope For Spring Java Stack
Security Configuration Applicability
AI Agents Products Available Methods
| Security Method | Agents & Dashboard | Agent Server + MCP Server REST | Backend APIs |
|---|---|---|---|
| Basic Auth [InMemoryUserDetails] | Sends Basic Auth (Fixed User) | Authenticate | Authenticate & Authorize as per Role |
| OAuth2 [Authorization Server] | Sends Bearer Token (Fixed User) | Authenticate | Authenticate & Authorize as per Role |
Note:
- The current implementation is for a fixed user, which is roughly equivalent to API key authentication.
- For the Security Configuration, Agent Server + MCP Server REST is used. You can low-code customize it to use MCP Server GraphQL instead.
AI Agents Products Security Implementing
| Security Method | Agents & Dashboard | Agent Server + MCP Server | Backend APIs |
|---|---|---|---|
| Basic Auth [InMemoryUserDetails] | No-Code | Low-Code Customize Combine projects | No-Code |
| OAuth2 [Authorization Server] | No-Code | Low-Code Customize Combine projects | No-Code |
- Follow tutorial section Combine MCP Server with AI Agents
- OAuth2 Resource Server JWT (JSON Web Token) Issuer: Keycloak : Setup Using Template project provided. See Templates Screens: Backend Templates
Backend Products Available Methods
Security Configuration applicability for Spring Java Stack.
| Security Method | Backend |
|---|---|
| Basic Auth [InMemoryUserDetails] | Spring Security |
| Basic Auth [DatabaseBackedUserDetails] | Spring Security |
| OAuth2 [Authorization Server] | OAuth2 Resource Server |
| OAuth2 [Authorization Server + OAuth2 Client For Web Apps] | OAuth2 Resource Server + OAuth2 Client |
| OAuth2 [Authorization Server + OAuth2 Client For BFF Auth APIs] | OAuth2 Resource Server + OAuth2 Client |
For OAuth2 Resource Server JWT (JSON Web Token) Issuer: Keycloak
- Can edit in application.properties
- Can edit in
Please also see: App Security Configuration: Secure With OAuth2
Security - AI Agents Products
Set/Enable In-built Authentication & Authorization via one of the methods below:
Out-Of-Box Available Methods
Basic Auth [InMemoryUserDetails] Secure with Basic Auth Fixed User:
- Agents Dashboard → Agent Server + MCP Server → Backend APIs
- Configure Agents Dashboard settings: Auth Type "BA", your Basic Auth username and password.
- Basic Auth is sent in header when calling Agent Server.
"Authorization": "Basic token"
OAuth2 [Authorization Server] Secure with Bearer Token For Fixed User:
- Agents Dashboard → Agent Server + MCP Server → Backend APIs
- Configure Agents Dashboard settings: Auth Type "OAuth2", your Bearer token. Make sure the token has a long enough validity period.
- Bearer Token is sent in header when calling Agent Server.
"Authorization": "Bearer token"
Note: For these methods, Auth User Role is taken as per:
- emUser - Role: USER
- emAdmin - Role: ADMIN
Security - Backend Spring Java
Authentication & Authorization is provisioned in-built, or can be obtained from third-party authentication services.
Set/Enable In-built Authentication & Authorization via one of the methods below:
Out-Of-Box Available Methods
- Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.
- Enable Security in Backend APIs. Set frontend to backend secure calling. No User Level Sign-In.
- Method B : Backend API Secure with Basic Auth [DatabaseBackedUserDetails], Frontend Secure
- Enable Security in Backend APIs and Frontend. Get screens Splash, Sign-Up, Sign-In.
- Backend: Authentication with a Database-backed UserDetailsService
- OAuth2 Keycloak Backend API Secure with OAuth2 and Keycloak Server
- Backend API Secure with OAuth2 JWT (JSON Web Token)
Methods With Help of Templates
Methods Available with EasyManage Templates : Backend Templates
Backend Spring Java Security With
- Social (Google, Github, ...)
Please refer to the Security section of Backend Templates.
DIY Methods
- Method : (DIY) Secure with Firebase Auth, Backend API Secure, Frontend Secure
- Enable Security in Backend APIs and Frontend via provider Firebase Auth.
Out-Of-Box Available Low-Code Methods: How To Use ?
Details are provided below for Methods A, B. Other methods are DIY (Do-It-Yourself).
Security - Backend Spring Java and Frontend Flutter
Method A : Backend and Frontend (Now No-Code)
(Note: Previously was Low-Code, Now it's Available as No-Code via Builder Studio Configuration)
Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.
- Enable Security in Backend APIs. Set frontend to backend secure calling. Get screens Splash, Sign-In.
- Handling of authorizations as per roles ROLE_USER, ROLE_ADMIN is done by the backend APIs. The frontend will perform the action and show an access error if one is received from the APIs.
Method B : Backend and Frontend Changes
Method B : Backend API Secure with Basic Auth [DatabaseBackedUserDetails], Frontend Secure
- Enable Security in Backend APIs and Frontend. Get screens Splash, Sign-In, Sign-Up.
- Backend: Authentication with a Database-backed UserDetailsService
- Handling of authorizations as per roles ROLE_USER, ROLE_ADMIN is done by the backend APIs. The frontend will perform the action and show an access error if one is received from the APIs.
- The frontend displays the security-related screens, e.g. the Sign-In screen, which validates the login with username/password. The Sign-Up screen creates a new user in the database table and also saves the credentials in local device storage on the frontend; for API calls it sets apiUsername and apiPassword from the locally stored username/password.
Low-Code - Changes
Pre-requisite: Generate code via Builder Studio Configuration "Basic Auth [InMemoryUserDetails]", which corresponds to Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], then follow the steps below.
Backend - Changes
Please use the Method B variation mentioned in backend changes.
Backend GraphQL APIs
To enable API security, Follow instructions in file EmDbGraphQLApp*\springGql\security\Readme_Security_Gql.txt
---------------------------------------------
To enable Spring Security For GraphQL - Http Basic Auth
Steps -
1] pom.xml : Uncomment dependency spring-boot-starter-security
2] Follow one of below Methods -
Method A - Backend API Secure with *Basic Auth* [InMemoryUserDetails]
COPY <this_dir>/basicAuthInMemoryUserDetailsGql To ../src/security/basicAuthInMemoryUserDetailsGql
Method B - Backend API Secure with *Basic Auth* [DatabaseBackedUserDetails]
COPY <this_dir>/basicAuthDbUserDetailsGql To ../src/security/basicAuthDbUserDetailsGql
COPY <this_dir>../../EmDbRestApp*/spring/security/DbUserDetails To ../src/security/DbUserDetails
Implement <this_dir>../../EmDbRestApp*/spring/security/sql/app_users.sql in your database.
3] Uncomment Security Auth Annotations in *GraphqlController.java, against required Mutations
e.g. @PreAuthorize("hasRole('USER') or hasRole('ADMIN')")
Also Uncomment imports required e.g.
//import org.springframework.security.access.annotation.Secured;
//import org.springframework.security.access.prepost.PreAuthorize;
4] Clean and Re-build project
---------------------------------------------
Note: The annotations below may have issues when used in Spring GraphQL
//@Secured({ "ADMIN" })
//@RolesAllowed({ "USER","ADMIN" })
---------------------------------------------
Backend REST APIs
To enable API security, Follow instructions in file EmDbRestApp*\spring\security\Readme_Security.txt
---------------------------------------------
To enable Spring Rest Security - Http Basic Auth
Steps -
1] pom.xml : Uncomment dependency spring-boot-starter-security
2] Follow one of below Methods -
Method A - Backend API Secure with *Basic Auth* [InMemoryUserDetails]
COPY <this_dir>/basicAuthInMemoryUserDetails To ../src/security/basicAuthInMemoryUserDetails
Method B - Backend API Secure with *Basic Auth* [DatabaseBackedUserDetails]
COPY <this_dir>/basicAuthDbUserDetails To ../src/security/basicAuthDbUserDetails
COPY <this_dir>/DbUserDetails To ../src/security/DbUserDetails
Implement <this_dir>/sql/app_users.sql in your database.
3] Security Authorization for api calls as per ROLE_USER, ROLE_ADMIN is implemented via antMatchers (in this file only).
4] Clean and Re-build project
---------------------------------------------
Note: The annotations below can also be used on Spring controller methods; import them as well
//@Secured({ "ADMIN" })
//@RolesAllowed({ "USER","ADMIN" })
---------------------------------------------
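As an added example (not EasyManage's generated code), the following Spring Security 6 configuration maps the Roles Vs CRUD Ops Permissions table above onto HTTP methods for Method A (Basic Auth [InMemoryUserDetails]) on the REST APIs; it uses `requestMatchers`, the Spring Security 6 equivalent of the `antMatchers` the readme refers to. The `/api/**` path, the package name, and granting Delete to ADMIN (the table leaves that cell empty) are assumptions.

```java
// Added example: Basic Auth with in-memory users and role-based CRUD authorization.
package com.example.security; // hypothetical package, adjust to your project

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity // also enables @PreAuthorize("hasRole('USER') or hasRole('ADMIN')") on controller methods
public class BasicAuthInMemoryConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Stores {bcrypt}-prefixed hashes; plain-text passwords are never kept in memory as-is.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Default users and role assignments from the tables above. The passwords are the
        // development defaults from em_param.dart; for production inject them from the environment.
        return new InMemoryUserDetailsManager(
            User.withUsername("emUser").password(encoder.encode("emUser123")).roles("USER").build(),
            User.withUsername("emAdmin").password(encoder.encode("emAdmin123")).roles("USER", "ADMIN").build());
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // stateless API clients (Flutter app, Agents) send no CSRF token
            .authorizeHttpRequests(auth -> auth
                // Read / Create / Update: USER (emAdmin also holds USER, so this covers ADMIN too)
                .requestMatchers(HttpMethod.GET, "/api/**").hasRole("USER")
                .requestMatchers(HttpMethod.POST, "/api/**").hasRole("USER")
                .requestMatchers(HttpMethod.PUT, "/api/**").hasRole("USER")
                // Delete: denied to USER per the table; ADMIN is assumed here
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()); // "Authorization: Basic <base64(user:password)>"
        return http.build();
    }
}
```

A request by emUser with `DELETE /api/...` is rejected with 403 by the filter chain before any controller code runs, while the same request by emAdmin reaches the controller.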
Frontend Flutter App Changes
Minor low-code customization is required to enable the Sign-Up screen; everything else is handled by the generated code.
Open file em_app\lib\em_param.dart and make the change below:
From String emAppSecureType = 'BA'; //[BA|BASU|OA]
To: String emAppSecureType = 'BASU'; //[BA|BASU|OA]
Frontend Flutter Production Deployment: Password Caution
We keep a low-code option for frontend-to-backend secure calling without a frontend Sign-In screen (set emApiCallSecure = true) if you need such a use case.
In that case the password is hardcoded in em_param.dart:
String emUsername = 'emAdmin'; //'emUser';
String emPassword = 'emAdmin123'; //'emUser123';
For Production Deployment of such use case:
Including sensitive secrets in source code is meant for the development stage only. For production, use a better approach: i) set the emUsername and emPassword values via command-line parameters, and ii) use obfuscation:
flutter build appbundle --dart-define="emPassword=emAdmin123" --obfuscate --split-debug-info=< dir >
Then read the values from the environment in source:
const emPassword = String.fromEnvironment("emPassword");
Security - Backend Express Node.js and Frontend Next.js React
Method A : Backend and Frontend Changes
Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.
- Enable Security in Backend APIs. Set frontend to backend secure calling.
- Handling of Authorizations as per Roles is not supported yet.
- Frontend will perform the action and show access error, if received from APIs.
Backend Express Node.js Changes
Implement via minor low-code customization.
Open file backend\express\emapi\.env and set isApiSecureBasicAuth=Yes; verify/edit the apiUserName and apiPassword values as well.
Re-build project and run.
Frontend Next.js React Changes
Implement via minor low-code customization to 2 files:
- .env is used for Client Components
- .env.local is used for Server Components
Open file frontend\nextjs\em_app\.env and set NEXT_PUBLIC_isApiCallSecure=Yes; verify/edit the NEXT_PUBLIC_apiUsername and NEXT_PUBLIC_apiPassword values as well.
Open file frontend\nextjs\em_app\.env.local and set isApiCallSecure=Yes; verify/edit the apiUsername and apiPassword values as well.
Re-build project and run.