-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathapplication.yml
More file actions
196 lines (185 loc) · 10.1 KB
/
application.yml
File metadata and controls
196 lines (185 loc) · 10.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
spring:
mail:
username: # Mail server username
password: # Mail server password
host: email-smtp.us-west-2.amazonaws.com # Mail server host
port: 587 # Mail server port
properties: # Mail server properties
mail:
smtp:
starttls:
enable: true # Enable or disable STARTTLS
required: true # Require STARTTLS
auth: true # Enable or disable authentication
transport:
protocol: smtp # Mail server protocol
# security:
# oauth2:
# enabled: true
# client:
# registration:
# google:
# client-id:
# client-secret:
# scope:
# - email
# - profile
# client-name: Google
# authorization-grant-type: authorization_code
# client-authentication-method: post
# provider: google
# facebook:
# client-id:
# client-secret:
# scope:
# - email
# - public_profile
# client-name: Facebook
# authorization-grant-type: authorization_code
# client-authentication-method: post
# provider: facebook
# apple:
# client-id:
# client-secret:
# scope:
# - email
# - name
# client-name: Apple
# authorization-grant-type: authorization_code
# client-authentication-method: post
# provider: apple
thymeleaf: # Thymeleaf configuration
cache: false # Enable or disable Thymeleaf cache
template-loader-path: classpath:/templates # Template loader path for Thymeleaf
suffix: .html # Suffix for Thymeleaf templates
jpa: # JPA configuration
hibernate: # Hibernate configuration
ddl-auto: update # Hibernate DDL auto
properties: # Hibernate properties
hibernate:
dialect: org.hibernate.dialect.MariaDBDialect # Hibernate dialect
# "[globally_quoted_identifiers]": false # Globally quoted identifiers
show-sql: "false" # Enable or disable SQL logging
application: # Application configuration
name: User Framework Demo # Application name
datasource: # Datasource configuration
password: springuser # Database password
url: jdbc:mariadb://localhost:3306/springuser?createDatabaseIfNotExist=true # Database URL
driverClassName: org.mariadb.jdbc.Driver # Database driver
username: springuser # Database username
messages:
basename: messages/messages # Message basename
management:
newrelic:
metrics:
export:
api-key: # New Relic API key
account-id: # New Relic account ID
hibernate:
globally_quoted_identifiers: "false" # Hibernate Globally quoted identifiers
server:
servlet:
session:
cookie:
secure: true # Whether the cookie should be flagged as secure or not. If true, the cookie will only be sent over HTTPS.
http-only: true # Whether the cookie should be flagged as HTTP only or not. If true, the cookie will not be accessible to client side scripts.
timeout: 30m # Session timeout in minutes
logging:
file:
name: /opt/app/logs/user-app.log # The path to the application log file.
springdoc:
swagger-ui:
path: /swagger-ui.html
api-docs:
path: /v3/api-docs
packages-to-scan: com.digitalsanctuary.spring.demo,com.digitalsanctuary.spring.user
show-actuator: false
# User Framework configuration
user:
actuallyDeleteAccount: false # If true, users can delete their own accounts. If false, accounts are disabled instead of deleted.
registration:
sendVerificationEmail: true # If true, a verification email will be sent to the user after registration. If false, the user will be automatically verified.
googleEnabled: false # If true, Google OAuth2 will be enabled for registration.
facebookEnabled: false # If true, Facebook OAuth2 will be enabled for registration.
webauthn:
enabled: true
rpId: localhost
rpName: Spring User Framework Demo
allowedOrigins: http://localhost:8080
mfa:
enabled: true
factors:
- PASSWORD
- WEBAUTHN
passwordEntryPointUri: /user/login.html
webauthnEntryPointUri: /user/mfa/webauthn-challenge.html
audit:
logFilePath: /opt/app/logs/user-audit.log # The path to the audit log file.
flushOnWrite: false # If true, the audit log will be flushed to disk after every write (less performant). If false, the audit log will be flushed to disk every 10 seconds (more performant).
logEvents: true # If true, all events will be logged.
# Centralizing the URIs of common pages to make changing paths easier. You can leave this section alone if you use the default page locations from this project. These URLs do NOT have to be included in the unprotectedURIs list above as they will automatically be handled.
security:
failedLoginAttempts: 10 # The number of failed login attempts before the user account is locked out. Set this to 0 to disable account lockout.
accountLockoutDuration: 30 # The number of minutes to lock the user account after the maximum number of failed login attempts is reached. Set this to 0 to disable account lockout. Set this to -1 to lock the account until an administrator unlocks it.
bcryptStrength: 12 # The bcrypt strength to use for password hashing. The higher the number, the longer it takes to hash the password. The default is 12. The minimum is 4. The maximum is 31.
testHashTime: true # If true, the test hash time will be logged to the console on startup. This is useful for determining the optimal bcryptStrength value.
defaultAction: deny # The default action for all requests. This can be either deny or allow.
unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/js/utils/*,/img/**,/user/registration,/user/registration/passwordless,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,/error,/error.html,/webauthn/authenticate/**,/login/webauthn # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
protectedURIs: /protected.html # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
disableCSRFdURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
# URIs for known user related pages. You can change these paths to your own pages if you want.
loginPageURI: /user/login.html # The URI for the login page.
loginActionURI: /user/login # The URI for the login action.
loginSuccessURI: /index.html?messageKey=message.login.success # The URI for the login success page.
logoutSuccessURI: /index.html?messageKey=message.logout.success # The URI for the logout success page.
logoutActionURI: /user/logout # The URI for the logout action.
forgotPasswordChangeURI: /user/forgot-password-change.html # The URI for the forgot password change page.
forgotPasswordURI: /user/forgot-password.html # The URI for the forgot password page.
forgotPasswordPendingURI: /user/forgot-password-pending-verification.html # The URI for the forgot password pending verification page.
registrationPendingURI: /user/registration-pending-verification.html # The URI for the registration pending verification page.
registrationURI: /user/register.html # The URI for the registration page.
registrationSuccessURI: /user/registration-complete.html # The URI for the registration success page.
registrationNewVerificationURI: /user/request-new-verification-email.html # The URI for the request new verification email page.
updateUserURI: /user/update-user.html # The URI for the update user page.
# Password policy enforcement/rules
password:
enabled: true # Enable/disable password policy enforcement
min-length: 8 # Minimum password length
max-length: 128 # Maximum password length
require-uppercase: true # Require at least one uppercase character
require-lowercase: true # Require at least one lowercase character
require-digit: true # Require at least one digit
require-special: true # Require at least one special character
special-chars: "~`!@#$%^&*()_-+={}[]|\\:;\"'<>,.?/" # Allowed special characters
prevent-common-passwords: true # Prevent use of common passwords (dictionary check)
history-count: 3 # Number of previous passwords to prevent reuse
similarity-threshold: 70 # Percentage of similarity allowed with username/email
mail:
fromAddress: test@test.com # The from address for all emails sent by the application.
purgetokens:
cron:
expression: 0 0 3 * * ? # The cron expression for the token purge job. This defaults to 3 am every day.
copyrightFirstYear: 2020 # The first year of the copyright. This is used for dispaly of the page footer.
roles:
roles-and-privileges: # Roles and privileges configuration section. This is a YAML map of roles to privileges. Each role can have one or more privileges. The privileges are defined in the privileges section below.
"[ROLE_ADMIN]":
- ADMIN_PRIVILEGE
- INVITE_USER_PRIVILEGE
- READ_USER_PRIVILEGE
- ASSIGN_MANAGER_PRIVILEGE
- RESET_ANY_USER_PASSWORD_PRIVILEGE
- CREATE_EVENT_PRIVILEGE
- DELETE_EVENT_PRIVILEGE
- UPDATE_EVENT_PRIVILEGE
"[ROLE_MANAGER]":
- ADD_USER_TO_TEAM_PRIVILEGE
- REMOVE_USER_FROM_TEAM_PRIVILEGE
- RESET_TEAM_PASSWORD_PRIVILEGE
"[ROLE_USER]":
- LOGIN_PRIVILEGE
- UPDATE_OWN_USER_PRIVILEGE
- RESET_OWN_PASSWORD_PRIVILEGE
- REGISTER_FOR_EVENT_PRIVILEGE
role-hierarchy: # Role hierarchy configuration section. This defines a hierarchy of roles, where a higher level role inherits all roles from a lower level role. The roles are defined in the roles-and-privileges section above.
- ROLE_ADMIN > ROLE_MANAGER
- ROLE_MANAGER > ROLE_USER