App Security Configuration
The following sections help you understand and configure security for generated apps.
Security Configuration
Project Security Configuration
EasyManage provisions security via the method selected at code generation time. Some methods additionally need to be extended and customized with the help of templates.
Security Design
Authentication & Authorization
The security design used is Authentication & Authorization with RBAC.
- RBAC (Role Based Access Control): roles are mapped to permission rules for CRUD operations.
For details, please refer to Security Design Details.
Builder Studio - Security Configuration
Found under Project Settings - Security Configuration:
- Described in Using Builder Studio
Details for the same are presented below.
Security Configuration Applicability
The table below shows whether the selected security configurations are applied as no-code or low-code in the generated code. For other tech stacks please see the next section below: "How to Match Security Settings With Other Frontend, Backend".
| Security Type | BE Spring Java | BE Express Node.js | FE Flutter | FE Next.js React |
|---|---|---|---|---|
| Basic Auth [InMemoryUserDetails] | No-Code ✅ | Low-Code | No-Code ✅ | Low-Code |
| Basic Auth [DatabaseBackedUserDetails] | Low-Code | Low-Code | | |
| OAuth2 [Authorization Server] | No-Code ✅ | | | |
| OAuth2 [Authorization Server + OAuth2 Client For Web App] | No-Code ✅ | | | |
| OAuth2 [Authorization Server + OAuth2 Client For BFF Auth APIs] | No-Code ✅ | | | |
Security Methods
Secure With Basic Auth [InMemoryUserDetails]
Note: If selected, it has the following effect:
- Backend Spring Java: Authentication and Authorization RBAC (default)
  - Applies user passwords and Role vs CRUD Ops customizations
- Frontend Apps Flutter: Secure API calling
  - Enables secure API calling via Basic Auth (i.e. Frontend to Backend Spring Java REST APIs)
  - Sign In (Login Screen) captures user credentials and stores them locally
  - Sign-Out feature
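As an added example (not code from EasyManage's generator or templates), the following Spring Security 6 configuration shows what the Basic Auth [InMemoryUserDetails] design above amounts to: an in-memory user store with hashed passwords, and RBAC rules that map the roles to the CRUD operations of the REST API by HTTP method. The package name, the /api/** path, the role names USER and ADMIN, and the user credentials are assumptions of this example.

```java
// Added example (not EasyManage's generated code): Spring Security 6 configuration
// for "Basic Auth [InMemoryUserDetails]" with RBAC rules mapped to CRUD operations.
// Assumptions: generated REST APIs live under /api/**, roles are USER and ADMIN,
// and the user names/passwords below are constructed sample values.
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class BasicAuthRbacConfig {

    // Passwords are stored hashed even in the in-memory store; never use {noop}.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // InMemoryUserDetails: users and their roles are defined in code. In a real
    // deployment read the credentials from configuration, not from source.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails reader = User.withUsername("reader")             // constructed sample user
                .password(encoder.encode("reader-secret-change-me"))   // constructed sample password
                .roles("USER")
                .build();
        UserDetails admin = User.withUsername("admin")               // constructed sample user
                .password(encoder.encode("admin-secret-change-me"))    // constructed sample password
                .roles("USER", "ADMIN")
                .build();
        return new InMemoryUserDetailsManager(reader, admin);
    }

    // Role -> CRUD permission rules, keyed on the HTTP method of the REST call:
    //   Read   (GET)        -> USER or ADMIN
    //   Create (POST)       -> ADMIN
    //   Update (PUT/PATCH)  -> ADMIN
    //   Delete (DELETE)     -> ADMIN
    // Anything not matched is denied rather than permitted by default.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless REST API called by non-browser clients (e.g. the Flutter app):
            // no session is created and every request carries its own Basic Auth header.
            // Keep CSRF protection enabled if a cookie-based browser frontend is added.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").hasAnyRole("USER", "ADMIN")
                .requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.PATCH, "/api/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this configuration, a GET sent with the reader credentials (curl -u reader:reader-secret-change-me against an /api/ path) is served, while a POST with the same credentials is refused with 403 and a request without credentials with 401; the denyAll() fallback means a new controller outside /api/** is unreachable until a rule is written for it, which is the safer default for a generated code base.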
Secure With OAuth2
Note: If selected, it has the following effect:
- Backend Spring Java: Authentication and Authorization RBAC via OAuth2
OAuth2 Configuration Options
- "OAuth2 [Authorization Server]"
  - Authorization Server only
- "OAuth2 [Authorization Server + OAuth2 Client For Web App]"
  - Authorization Server and OAuth2 Client
  - With the OAuth2 flow's Auth Server login and logout
  - For web apps such as SPAs and Blazor apps
- "OAuth2 [Authorization Server + OAuth2 Client For BFF Auth APIs]"
  - Authorization Server and OAuth2 Client
  - For BFF (Backend-For-Frontend) auth APIs on the server side: to get a token and refresh a token, but without the OAuth2 flow's Auth Server login and logout
  - For mobile apps such as Flutter apps, or container-based microservice frontends using React, Angular, Flutter, or any other
  - Where the OAuth2 client credentials must not be exposed to the frontend side, or the frontend and backend run in separate containers
- "OAuth2 [Authorization Server]"
  - When using with versions "Spring Boot 3, Java 17"
  - Note: Known Issues
    - "OAuth2 [Authorization Server]" works fine: get a token with curl and test via Postman.
    - Known issues for "OAuth2 [Authorization Server + OAuth2 Client For Web App]":
      - Swagger Docs are not accessible.
      - OAuth2 Client For Web App: the Auth Flow is invoked, but roles cannot be obtained (the user gets OIDC_USER instead of ROLE_USER).
    - Known issues for "OAuth2 [Authorization Server + OAuth2 Client For BFF Auth APIs]":
      - API /emlogin/oauth2/getToken gives Error 401 Unauthorized.
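The Web App known issue above (OIDC_USER instead of ROLE_USER) is what Spring Security does by default for an OIDC login: the client side only receives the OIDC_USER authority, and application roles reach it only if the authorization server puts them into a token claim and the client maps that claim back to ROLE_* authorities. The following is an added example of that standard Spring mechanism, not EasyManage's generated code or template, and shows the mechanism rather than a fix verified against a generated project. It assumes Spring Security 6 with Spring Authorization Server 1.x, a claim named "roles" (an assumption of this example, not a standard OIDC claim), the path /admin/** and the package name; the authorization server's own filter chain and registered clients are unchanged and not shown.

```java
// Added example (not EasyManage's generated code). Two pieces that together let
// roles reach the OAuth2 client as ROLE_* authorities instead of only OIDC_USER:
//  1. Authorization Server: copy the user's ROLE_* authorities into a "roles"
//     claim of the ID token (the claim name is an assumption of this example);
//  2. OAuth2 Client (Web App): map that claim back to ROLE_* authorities.
package com.example.security; // hypothetical package name

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.web.SecurityFilterChain;

public class OidcRolesExample {

    static final String ROLES_CLAIM = "roles"; // assumed claim name, not a standard OIDC claim

    // --- 1. Authorization Server side ---------------------------------------
    @Configuration
    public static class AuthServerRolesConfig {
        // Picked up by the default token generator; adds the claim to ID tokens only,
        // access tokens are left unchanged.
        @Bean
        OAuth2TokenCustomizer<JwtEncodingContext> idTokenRolesCustomizer() {
            return context -> {
                if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
                    Set<String> roles = context.getPrincipal().getAuthorities().stream()
                            .map(GrantedAuthority::getAuthority)
                            .filter(a -> a.startsWith("ROLE_"))
                            .map(a -> a.substring("ROLE_".length()))
                            .collect(Collectors.toSet());
                    context.getClaims().claim(ROLES_CLAIM, roles);
                }
            };
        }
    }

    // --- 2. OAuth2 Client (Web App) side ------------------------------------
    @Configuration
    public static class ClientRolesConfig {
        // Spring Security gives an OIDC login only the OIDC_USER authority by default;
        // this mapper adds ROLE_<name> for every entry of the roles claim, so that
        // hasRole("USER") / hasRole("ADMIN") rules keep working behind OAuth2 login.
        static GrantedAuthoritiesMapper rolesClaimAuthoritiesMapper() {
            return authorities -> {
                Set<GrantedAuthority> mapped = new HashSet<>(authorities);
                for (GrantedAuthority authority : authorities) {
                    if (authority instanceof OidcUserAuthority oidc) {
                        Map<String, Object> claims = oidc.getIdToken().getClaims();
                        Object roles = claims.get(ROLES_CLAIM);
                        if (roles instanceof Collection<?> list) {
                            for (Object role : list) {
                                mapped.add(new SimpleGrantedAuthority("ROLE_" + role));
                            }
                        }
                    }
                }
                return mapped;
            };
        }

        @Bean
        SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/admin/**").hasRole("ADMIN")   // assumed path
                    .anyRequest().authenticated())
                .oauth2Login(login -> login
                    .userInfoEndpoint(userInfo -> userInfo
                        .userAuthoritiesMapper(rolesClaimAuthoritiesMapper())));
            return http.build();
        }
    }
}
```

The mapper keeps the original OIDC_USER authority and only adds to it, so nothing that already relied on OIDC_USER breaks; the claim is a plain list of role names without the ROLE_ prefix, and the prefix is re-added on the client side so the same hasRole rules apply whether a user arrived via Basic Auth or via OAuth2 login.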
Secure With Other Methods
Note: To implement other security methods (Basic Auth based on a DB table, ...), follow the respective Backend Template.
Security Methods Via Backend Template
The security methods below are available via template projects.
- Locate the following in the generated code folder as a starting point:
  resources\templates\backend\spring-java\security-auth\README-security-auth.md
- Find details for the following in these folders:
  - OAuth2: How-to: Authenticate using OAuth2
  - Keycloak: How-to: Provision Keycloak in a Docker sidecar container and authenticate using Keycloak
  - Social (Google, GitHub, etc.): How-to: Authenticate using Social Login
How to Match Security Settings With Other Frontend, Backend
- Implement for the following via minor customization:
  - Frontend Apps Flutter:
    - Implement a Sign Up Screen with low-code security customization; the backend needs "Method B" (Basic Auth [DatabaseBackedUserDetails])
  - Frontend Next.js React:
    - Implement secure API calling with low-code customization
  - Backend Express Node.js:
    - Implement Authentication Only (Basic Auth) with low-code customization by editing the .env file
    - Customize for Authentication and Authorization RBAC via OAuth2
Note: The security feature is not available for the React Native and Angular frontends.
Security Customize
- Please refer to Security Customize for:
  - Customizing security
  - Securing backends and frontends together, e.g.
    - Backend Spring Java and Frontend Flutter
    - Backend Express Node.js and Frontend Next.js React