Skip to content

Module Dependency Graph

CoSec is organized as a multi-module Gradle Kotlin DSL project with a clear separation of concerns. Each module has a well-defined responsibility and dependency boundary, enabling flexible composition and minimal coupling.

High-Level Module Architecture

The project is declared in settings.gradle.kts, which lists all 15 included modules. The architecture follows a layered approach where the API module defines contracts, the core module provides implementations, and integration modules adapt to various runtime environments.

mermaid
graph TB
    subgraph "Integration Layer"
        WEBMVC["cosec-webmvc"]
        WEBFLUX["cosec-webflux"]
        GATEWAY["cosec-gateway"]
    end

    subgraph "Feature Modules"
        JWT["cosec-jwt"]
        COCACHE["cosec-cocache"]
        SOCIAL["cosec-social"]
        IP2REGION["cosec-ip2region"]
        OTEL["cosec-opentelemetry"]
        OPENAPI["cosec-openapi"]
    end

    subgraph "Core Layer"
        CORE["cosec-core"]
        API["cosec-api"]
    end

    subgraph "Auto-Configuration"
        STARTER["cosec-spring-boot-starter"]
        GWSERVER["cosec-gateway-server"]
    end

    WEBMVC --> CORE
    WEBFLUX --> CORE
    GATEWAY --> WEBFLUX
    JWT --> CORE
    COCACHE --> CORE
    SOCIAL --> CORE
    IP2REGION --> CORE
    OTEL --> CORE
    OPENAPI --> CORE
    CORE --> API
    STARTER --> CORE
    STARTER --> JWT
    STARTER -.-> WEBMVC
    STARTER -.-> WEBFLUX
    STARTER -.-> GATEWAY
    STARTER -.-> COCACHE
    STARTER -.-> SOCIAL
    STARTER -.-> IP2REGION
    STARTER -.-> OTEL
    STARTER -.-> OPENAPI
    GWSERVER --> STARTER

    style API fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CORE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style STARTER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GWSERVER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style JWT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style COCACHE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SOCIAL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style IP2REGION fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OTEL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OPENAPI fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WEBMVC fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WEBFLUX fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GATEWAY fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Module Reference Table

ModuleResponsibilityKey ClassesDependencies
cosec-apiCore interfaces, no framework depsCoSecPrincipal, Authorization, Policy, TenantNone (pure API)
cosec-corePolicy evaluation, authentication, authorizationSimpleAuthorization, PolicyRepository, BlacklistCheckercosec-api
cosec-jwtJWT token creation and verificationJwtTokenVerifier, TokenConvertercosec-core
cosec-cocacheRedis-backed distributed caching for policies/permissionsCachedPolicyRepository, CachedAppRolePermissionRepositorycosec-core
cosec-socialOAuth social authentication via JustAuthSocialAuthentication, OAuthServicecosec-core
cosec-ip2regionIP geolocation for condition matchingIp2RegionConditionMatchercosec-core
cosec-opentelemetryOpenTelemetry tracing for security operationsSecurityTracingFiltercosec-core
cosec-openapiSwagger/OpenAPI integration for security endpointsCoSecOpenApiCustomizercosec-core
cosec-webfluxReactive WebFilter for Spring WebFluxReactiveSecurityFilter, ReactiveAuthorizationFiltercosec-core
cosec-webmvcServlet filter for Spring WebMVCServletAuthorizationFilter, ServletSecurityFiltercosec-core
cosec-gatewaySpring Cloud Gateway GlobalFilterAuthorizationGatewayFiltercosec-webflux
cosec-spring-boot-starterAuto-configuration, aggregates all modulesCoSecAutoConfiguration, conditional featurescosec-core, cosec-jwt, optional modules
cosec-gateway-serverStandalone gateway application (not published)GatewayApplicationcosec-spring-boot-starter
cosec-dependenciesVersion catalog for dependency managementlibs.versions.tomlNone
cosec-bomBill of Materials for consistent versioningBOM definitioncosec-dependencies

Feature Capabilities in the Starter

The cosec-spring-boot-starter module uses Gradle feature variants to provide optional capabilities. As declared in cosec-spring-boot-starter/build.gradle.kts, each feature is registered as a separate capability:

mermaid
graph LR
    STARTER["cosec-spring-boot-starter"] --> |always| CORE["cosec-core"]
    STARTER --> |always| JWT["cosec-jwt"]

    STARTER --> |webmvcSupport| WEBMVC["cosec-webmvc"]
    STARTER --> |webfluxSupport| WEBFLUX["cosec-webflux"]
    STARTER --> |gatewaySupport| GW["cosec-gateway"]
    STARTER --> |oauthSupport| SOCIAL["cosec-social"]
    STARTER --> |cacheSupport| COCACHE["cosec-cocache"]
    STARTER --> |ip2regionSupport| IP2R["cosec-ip2region"]
    STARTER --> |opentelemetrySupport| OTEL["cosec-opentelemetry"]
    STARTER --> |openapiSupport| OPENAPI["cosec-openapi"]

    style STARTER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CORE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style JWT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WEBMVC fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WEBFLUX fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GW fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SOCIAL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style COCACHE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style IP2R fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OTEL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OPENAPI fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Consumers of the starter can opt in to specific features by declaring the corresponding dependency:

kotlin
// Only WebFlux support
implementation("me.ahoo.cosec:cosec-spring-boot-starter-webflux-support")

// Only Gateway support (pulls in WebFlux transitively)
implementation("me.ahoo.cosec:cosec-spring-boot-starter-gateway-support")

Dependency Layering Principles

mermaid
graph BT
    L1["Layer 1: cosec-api<br>Pure interfaces, zero dependencies"]
    L2["Layer 2: cosec-core<br>Implementations, depends on cosec-api"]
    L3["Layer 3: Feature Modules<br>JWT, Cache, Social, etc."]
    L4["Layer 4: Integration Modules<br>WebFlux, WebMVC, Gateway"]
    L5["Layer 5: Auto-Configuration<br>Spring Boot Starter"]
    L6["Layer 6: Applications<br>Gateway Server"]

    L1 --> L2
    L2 --> L3
    L2 --> L4
    L3 --> L5
    L4 --> L5
    L5 --> L6

    style L1 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style L2 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style L3 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style L4 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style L5 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style L6 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Key architectural principles:

  1. API Isolation -- cosec-api has zero framework dependencies. All security contracts are pure Kotlin interfaces using Mono<T> from Project Reactor. This ensures the API layer can be implemented by any runtime.

  2. Core as Single Implementation -- cosec-core is the sole provider of concrete implementations. As seen in SimpleAuthorization, the core authorization logic delegates to PolicyRepository and AppRolePermissionRepository interfaces, which are wired by higher layers.

  3. Integration Unawareness -- Integration modules (cosec-webflux, cosec-webmvc, cosec-gateway) depend only on cosec-core, not on each other. The gateway module is a special case that extends the WebFlux filter since both operate in a reactive context.

  4. Optional Feature Composition -- The starter module uses Gradle's registerFeature mechanism (see build.gradle.kts:18-49) to provide optional modules without forcing transitive dependencies on consumers.

  5. BOM for Version Alignment -- cosec-dependencies and cosec-bom ensure all modules use consistent versions of external dependencies, managed through the Gradle version catalog at gradle/libs.versions.toml.

References

Licensed under the Apache License, Version 2.0.