Skip to content

fix: harden security, complete plugin system, fix packages#8

Merged
casc84ab merged 2 commits intodevelopfrom
fix/framework-hardening
Feb 13, 2026
Merged

fix: harden security, complete plugin system, fix packages#8
casc84ab merged 2 commits intodevelopfrom
fix/framework-hardening

Conversation

@ancongui
Copy link
Contributor

@ancongui ancongui commented Feb 13, 2026

Summary

  • Implement real security authorization (roles/permissions enforcement)
  • SecurityAspect respects both global and annotation-level config source
  • Complete plugin system with JarPluginLoader and registry
  • Fix all package references from org.fireflyframework.application to org.fireflyframework.common.application
  • Add SecurityAutoConfiguration and ApplicationLayerProperties
  • Add JwtClaimsRoleExtractor for configurable JWT claim paths
  • Fix logback and application.yml logger names
  • Fix test constructor calls and assertion updates

Test plan

  • All existing tests pass
  • New tests added for new functionality
  • Manual verification of key flows

@ancongui
refactor: hexagonal architecture remediation — application @component…
46d3efa 
…scan removal

Part of the Firefly Framework hexagonal architecture remediation.

- Remove @componentscan from ApplicationLayerAutoConfiguration
- Add 8 explicit @bean @ConditionalOnMissingBean methods
- Remove @Component/@service from 8 component classes
- Use ObjectProvider for optional SessionManager dependency
- Use interface-level @ConditionalOnMissingBean for Default* implementations
@ancongui
fix: harden security authorization, complete plugin system, fix packa…
231b7a4 
…ge structure

- Implement real security authorization (roles/permissions enforcement)
- SecurityAspect respects both global and annotation-level config source
- Complete plugin system with JarPluginLoader and registry
- Fix all package references from org.fireflyframework.application to org.fireflyframework.common.application
- Add SecurityAutoConfiguration and ApplicationLayerProperties
- Add JwtClaimsRoleExtractor for configurable JWT claim paths
- Fix logback and application.yml logger names
- Fix test constructor calls and assertion updates
@ancongui ancongui requested a review from casc84ab February 13, 2026 00:34
casc84ab
casc84ab approved these changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@casc84ab casc84ab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Real security authorization (roles/permissions), SecurityAspect now reads Spring MVC annotations for endpoint/method extraction. Plugin system with JarPluginLoader. Package references fixed. JwtClaimsRoleExtractor for configurable JWT paths.

@casc84ab casc84ab merged commit e63393a into develop Feb 13, 2026
4 checks passed
@casc84ab casc84ab deleted the fix/framework-hardening branch February 13, 2026 09:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@casc84ab casc84ab casc84ab approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ancongui @casc84ab