7. Service Broker Security
Authentication and authorization of service broker endpoints is not specified in the Open Service Broker API specification, but some platforms require or let basic authentication or OAuth2 credentials be provided when a service broker is registered to the platform.
The Spring Cloud Open Service Broker project does not implement any security configuration.
Service broker application endpoints can be secured with Spring Security
and Spring Boot security configuration
by applying security to application endpoints with the path-matching pattern: /v2/**.
7.1. Example Configuration
The following example implements a security configuration in a Spring MVC i.e blocking webstack. Similar config for a Spring WebFlux reactive stack is necessary, see Spring security webflux support
package com.example.servicebroker;
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(httpRequests -> httpRequests.requestMatchers("/v2/**").hasRole("ADMIN"))
.httpBasic(Customizer.withDefaults())
.build();
}
@Bean
public InMemoryUserDetailsManager userDetailsService() {
return new InMemoryUserDetailsManager(adminUser());
}
private UserDetails adminUser() {
return User
.withUsername("admin")
.password("{noop}supersecret")
.roles("ADMIN")
.build();
}
}