Welcome to the User Framework SpringBoot Configuration Guide! This document outlines the key configuration values you'll need to set up and customize the framework for your specific needs. Configuration values which can generally be left as defaults are not included in this document. Please review the applicaiton.yml file for more information on all the available configuration values.
- Username (
spring.mail.username): Set this to your mail server's username. - Password (
spring.mail.password): Your mail server's password goes here. - Host (
spring.mail.host): Set this to your mail server's hostname - Port (
spring.mail.port): Set to587by default. Modify if your mail server uses a different port.
- URL (
spring.datasource.url): The JDBC URL for your database. - Username (
spring.datasource.username): Database username. - Password (
spring.datasource.password): Database password. - Driver Class Name (
spring.datasource.driverClassName): The JDBC driver, defaults toorg.mariadb.jdbc.Driver.
- DDL Auto (
spring.jpa.hibernate.ddl-auto): Hibernate schema generation strategy, defaults toupdate. - Dialect (
spring.jpa.properties.hibernate.dialect): Set this to the appropriate dialect for your database, defaults toorg.hibernate.dialect.MariaDBDialect.
- Account Deletion (
user.actuallyDeleteAccount): Set totrueto enable account deletion. Defaults tofalsewhere accounts are disabled instead of deleted. - Registration Email Verification (
user.registration.sendVerificationEmail): Enable (true) or disable (false) sending verification emails post-registration.
- Admin App URL (
user.admin.appUrl): Base URL for admin-initiated password reset emails. Required when usinginitiateAdminPasswordReset(user)without explicit URL. Example:https://myapp.com - Session Invalidation Warn Threshold (
user.session.invalidation.warn-threshold): Number of active sessions that triggers a performance warning during session invalidation. Defaults to1000.
- Log File Path (
user.audit.logFilePath): The path to the audit log file. - Flush on Write (
user.audit.flushOnWrite): Set totruefor immediate log flushing. Defaults tofalsefor performance. - Max Query Results (
user.audit.maxQueryResults): Maximum number of audit events returned from queries. Prevents memory issues with large logs. Defaults to10000.
GDPR features are disabled by default and must be explicitly enabled.
- Enable GDPR (
user.gdpr.enabled): Master toggle for all GDPR features. Whenfalse, all GDPR endpoints return 404. Defaults tofalse. - Export Before Deletion (
user.gdpr.exportBeforeDeletion): Whentrue, user data is automatically exported and included in the deletion response. Defaults totrue. - Consent Tracking (
user.gdpr.consentTracking): Enable consent grant/withdrawal tracking via the audit system. Defaults totrue.
Example configuration:
user:
gdpr:
enabled: true
exportBeforeDeletion: true
consentTracking: trueNote: When GDPR is enabled, ensure you have a UserPreDeleteEvent listener configured to clean up application-specific user data before deletion. See the README for details.
- Failed Login Attempts (
spring.security.failedLoginAttempts): Number of failed login attempts before account lockout. Set to0to disable lockout. - Account Lockout Duration (
spring.security.accountLockoutDuration): Duration (in minutes) for account lockout. - BCrypt Strength (
spring.security.bcryptStrength): Adjust the bcrypt strength for password hashing. Default is12.
Provides passwordless login using biometrics, security keys, or device authentication. HTTPS is required for WebAuthn to function.
- Enabled (
user.webauthn.enabled): Enable or disable WebAuthn/Passkey support. Defaults tofalse. Must be explicitly enabled along with the required database schema. - Relying Party ID (
user.webauthn.rpId): For development, uselocalhost. For production, use your domain (e.g.,example.com). Defaults tolocalhost. - Relying Party Name (
user.webauthn.rpName): The display name. - Allowed Origins (
user.webauthn.allowedOrigins): Comma-separated list of allowed origins. Defaults tohttps://localhost:8443.
Development Example:
user.webauthn.enabled=true
user.webauthn.rpId=localhost
user.webauthn.rpName=My Application
user.webauthn.allowedOrigins=https://localhost:8443Production Example:
user.webauthn.enabled=true
user.webauthn.rpId=example.com
user.webauthn.rpName=My Application
user.webauthn.allowedOrigins=https://example.comDatabase Schema:
WebAuthn requires two additional tables: user_entities and user_credentials. If using ddl-auto: update, Hibernate will create them automatically. For manual schema management, see db-scripts/mariadb-schema.sql.
Important Notes:
- WebAuthn is disabled by default and must be explicitly enabled along with the required database tables.
- WebAuthn requires HTTPS in production. HTTP is allowed on
localhostfor development. - For local HTTPS development, generate a self-signed certificate:
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650 - Configure SSL in
application.properties:server.ssl.enabled=true,server.ssl.key-store=classpath:keystore.p12 - Alternatively, use ngrok (
ngrok http 8080) for HTTPS without certificates. Note: HTTP also works on localhost with most browsers. - Users must be authenticated before they can register a passkey. Passkeys enhance existing authentication, not replace initial registration.
- You must add
/webauthn/authenticate/**and/login/webauthnto yourunprotectedURIsfor passkey login to work. - Passkey labels are limited to 64 characters.
- When a user account is deleted, all associated WebAuthn credentials and user entities are automatically cleaned up via the
UserPreDeleteEventlistener. The database schema also usesON DELETE CASCADEas a safety net.
Provides a reusable "login as" controller for local development, so consuming applications don't need to write boilerplate dev-login controllers. This feature is disabled by default and requires both a property flag and the local Spring profile to activate.
- Auto-Login Enabled (
user.dev.auto-login-enabled): Master toggle for the dev login feature. Defaults tofalse. Must be set totrueand thelocalSpring profile must be active for the endpoints to be registered. - Login Redirect URL (
user.dev.login-redirect-url): The URL to redirect to after a successful dev login. Defaults to/.
Example configuration:
# application-local.yml (only active with spring.profiles.active=local)
user:
dev:
auto-login-enabled: true
login-redirect-url: /dashboardEndpoints (only available when enabled with the local profile):
| Endpoint | Method | Description |
|---|---|---|
/dev/login-as/{email} |
GET | Authenticate as the specified user and redirect |
/dev/users |
GET | List all enabled user emails |
Important Notes:
- The
localSpring profile must be active. Without it, the controller and warning beans are never registered regardless of the property value. - When enabled,
/dev/**is automatically added to the unprotected URI list and CSRF-ignored URIs inWebSecurityConfig. - A prominent WARN-level banner is logged on startup when dev login is active.
- NEVER enable this in production. It bypasses all password authentication.
- From Address (
spring.mail.fromAddress): The email address used as the sender in outgoing emails.
- Roles and Privileges (
spring.roles-and-privileges): Map out roles to their respective privileges. - Role Hierarchy (
spring.role-hierarchy): Define the hierarchy and inheritance of roles.
- Session Timeout (
server.servlet.session.timeout): The session timeout period, defaults to30m(30 minutes).
- Log File Path (
logging.file.name): Set the path to the application log file.
Remember, this guide covers the most critical settings to get you started. Depending on your specific use case, you may need to explore and adjust additional configurations. Always refer to the official SpringBoot and related libraries' documentation for more detailed information.