Class SecurityConfig

java.lang.Object
com.loomcache.springboot.config.SecurityConfig

@Configuration
@EnableMethodSecurity(jsr250Enabled=true)
@EnableConfigurationProperties({LoomProperties.class,JwtTokenIssuerProperties.class,RestUserLockoutProperties.class,RateLimitProperties.class,RestWriteSafetyProperties.class,PublicEndpointProperties.class})
public class SecurityConfig extends Object
Spring Security configuration that enforces @RolesAllowed annotations on controller endpoints via JSR-250 method security.

Authentication model:

  • mTLS (X.509 client certificates) — primary production auth; CN maps to roles via CertPermissionMapper (single source of truth shared with the binary protocol)
  • Health endpoint (/api/cluster/health) — always public
  • Actuator endpoints — health is always public; info is admin-only in production by default
  • All other endpoints — require authentication
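
The CN-to-role step from the mTLS bullet above, as an added JDK-only example (not LoomCache code; CertPermissionMapper's actual rules do not appear on this page). The class name, role names and mapping table are assumptions, as is the choice to reject a CN that has no mapping.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Added illustration of CN-to-role mapping; hypothetical names, not LoomCache code.
public class CnRoleMappingExample {

    // Hypothetical mapping table standing in for CertPermissionMapper's rules.
    static final Map<String, Set<String>> ROLES_BY_CN = Map.of(
            "loom-admin", Set.of("ROLE_ADMIN", "ROLE_USER"),
            "loom-client", Set.of("ROLE_USER"));

    // Returns the single CN of a subject DN; anything ambiguous is rejected.
    static String extractCn(String subjectDn) {
        final LdapName dn;
        try {
            dn = new LdapName(subjectDn); // RFC 2253 parsing, handles escaped commas
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("malformed subject DN", e);
        }
        if (dn.getRdns().stream().anyMatch(rdn -> rdn.size() > 1)) {
            throw new IllegalArgumentException("multi-valued RDN not accepted");
        }
        List<String> cns = dn.getRdns().stream()
                .filter(rdn -> "CN".equalsIgnoreCase(rdn.getType()))
                .map(rdn -> String.valueOf(rdn.getValue()))
                .toList();
        if (cns.size() != 1) {
            throw new IllegalArgumentException("expected exactly one CN, found " + cns.size());
        }
        return cns.get(0);
    }

    // An empty set means "no mapping": the caller must fail authentication.
    static Set<String> resolveRoles(String cn) {
        return ROLES_BY_CN.getOrDefault(cn, Set.of());
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from any real certificate.
        for (String dn : List.of("CN=loom-admin,OU=Ops,O=Example",
                "CN=unknown-node,O=Example", "CN=loom\\,admin,O=Example")) {
            Set<String> roles = resolveRoles(extractCn(dn));
            System.out.println(dn + " -> " + (roles.isEmpty() ? "REJECT" : roles));
        }
    }
}
```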

  • Constructor Details

    • SecurityConfig

      public SecurityConfig(org.springframework.beans.factory.ObjectProvider<CertPermissionMapper> certPermissionMapperProvider)
  • Method Details

    • defaultCertPermissionMapper

      @Bean @ConditionalOnMissingBean public CertPermissionMapper defaultCertPermissionMapper(LoomProperties properties)
    • securityFilterChain

      @Bean public org.springframework.security.web.SecurityFilterChain securityFilterChain(
          org.springframework.security.config.annotation.web.builders.HttpSecurity http,
          RestUserLockoutManager restUserLockoutManager,
          org.springframework.beans.factory.ObjectProvider<JwtTokenService> jwtTokenServiceProvider,
          org.springframework.beans.factory.ObjectProvider<org.springframework.boot.web.server.autoconfigure.ServerProperties> serverPropertiesProvider,
          org.springframework.beans.factory.ObjectProvider<org.springframework.boot.actuate.autoconfigure.web.server.ManagementServerProperties> managementServerPropertiesProvider,
          RateLimitFilter rateLimitFilter,
          RestWriteSafetyProperties restWriteSafetyProperties,
          PublicEndpointProperties publicEndpointProperties,
          LoomProperties loomProperties) throws Exception
      Configure the HTTP security filter chain.

      When mTLS is enabled, the X.509 certificate CN is extracted and mapped to a Spring Security principal with appropriate roles via CertPermissionMapper. JWT bearer tokens are accepted when a JwtTokenService bean is configured.

      Parameters:
      http - the HTTP security builder
      Returns:
      the configured security filter chain
      Throws:
      Exception - if configuration fails
    • x509UserDetailsService

      @Bean public org.springframework.security.core.userdetails.UserDetailsService x509UserDetailsService()
      Maps X.509 certificate CN values to Spring Security users with roles.

      Delegates to CertPermissionMapper.resolve(String) for consistent CN-to-permission mapping between the REST API and binary protocol.

      Returns:
      the user details service for X.509 authentication
    • certPermissionMapperPrincipalExtractor

      @Bean public org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor certPermissionMapperPrincipalExtractor()
    • restUserLockoutManager

      @Bean @ConditionalOnMissingBean public RestUserLockoutManager restUserLockoutManager(RestUserLockoutProperties properties)
    • browserIsolationHeadersFilterRegistration

      @Bean public org.springframework.boot.web.servlet.FilterRegistrationBean<BrowserIsolationHeadersFilter> browserIsolationHeadersFilterRegistration()
    • sensitiveResponseCacheControlFilterRegistration

      @Bean public org.springframework.boot.web.servlet.FilterRegistrationBean<SensitiveResponseCacheControlFilter> sensitiveResponseCacheControlFilterRegistration()
    • passiveClusterStateWriteGuardFilterRegistration

      @Bean public org.springframework.boot.web.servlet.FilterRegistrationBean<PassiveClusterStateWriteGuardFilter> passiveClusterStateWriteGuardFilterRegistration(org.springframework.beans.factory.ObjectProvider<CacheNode> cacheNodeProvider)
    • restWriteSafetyFilterRegistration

      @Bean public org.springframework.boot.web.servlet.FilterRegistrationBean<RestWriteSafetyFilter> restWriteSafetyFilterRegistration(RestWriteSafetyProperties properties)
    • rateLimitFilter

      @Bean public RateLimitFilter rateLimitFilter(RateLimitProperties properties)
      BLK-2026-04-22-008: build the REST rate-limit filter used inside Spring Security.

      P1 hardening: the filter is inserted into the Spring Security chain after mTLS/JWT authentication so established users are bucketed by principal rather than silently collapsing onto anonymous/source-IP buckets.

      BLK-PHASE4-003 fix: pass an EMPTY trusted-proxy set so X-Forwarded-For is not honored by default. Production deployments behind a reverse proxy must configure loomcache.security.rate-limit.trusted-proxies before XFF is trusted.

      Defaults are generous; operators may tune via loomcache.security.rate-limit.*.

      Returns:
      rate-limit filter for the Spring Security chain
    • rateLimitFilterRegistration

      @Bean public org.springframework.boot.web.servlet.FilterRegistrationBean<RateLimitFilter> rateLimitFilterRegistration(RateLimitFilter filter)
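
The bucket selection described under rateLimitFilter (principal first, X-Forwarded-For only from a configured proxy), as an added JDK-only example that is not the project's RateLimitFilter. The class name, method name and key prefixes are assumptions, and the right-to-left hop walk is one common policy rather than the page's stated one.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Added illustration of rate-limit bucket selection; hypothetical names, not LoomCache code.
public class RateLimitKeyExample {

    // principal:      authenticated name from mTLS/JWT, or null when anonymous
    // remoteAddr:     socket peer address of the connection (never null)
    // xForwardedFor:  raw X-Forwarded-For header value, or null
    // trustedProxies: peer addresses allowed to supply X-Forwarded-For
    static String bucketKey(String principal, String remoteAddr,
                            String xForwardedFor, Set<String> trustedProxies) {
        if (principal != null && !principal.isBlank()) {
            return "user:" + principal;      // authenticated callers get their own bucket
        }
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) {
            return "ip:" + remoteAddr;       // header ignored: peer is not a trusted proxy
        }
        // Walk right to left: the rightmost entries were appended by trusted proxies,
        // so the first non-proxy hop is the closest address that can be vouched for.
        List<String> hops = Arrays.stream(xForwardedFor.split(","))
                .map(String::trim).filter(h -> !h.isEmpty()).toList();
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(hops.get(i))) {
                return "ip:" + hops.get(i);
            }
        }
        return "ip:" + remoteAddr;           // every hop was a proxy: fall back to the peer
    }

    public static void main(String[] args) {
        // Constructed addresses from the RFC 5737 documentation ranges.
        String xff = "203.0.113.7, 198.51.100.9";
        Set<String> none = Set.of();               // default: empty trusted-proxy set
        Set<String> proxy = Set.of("192.0.2.10");  // operator-configured proxy address

        // Authenticated caller, default configuration.
        System.out.println(bucketKey("loom-client", "192.0.2.10", xff, none));
        // Anonymous caller, default configuration: the header is not honored.
        System.out.println(bucketKey(null, "192.0.2.10", xff, none));
        // Anonymous caller arriving through the configured proxy.
        System.out.println(bucketKey(null, "192.0.2.10", xff, proxy));
        // Anonymous caller sending the header directly, bypassing the proxy.
        System.out.println(bucketKey(null, "198.51.100.200", xff, proxy));
    }
}
```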