Disable Security for Services and REST Endpoints
You want to disable security checks for REST endpoints or even the entire service in your project for a specific reason.
Description
Security is one of the most important features in IBM DevOps Solution Workbench. But some cases require disabling the security checks for certain REST endpoints or the entire service in order to operate as needed. This How-To walks you through the available options to disable security in a Java Domain Service.
Please note that the links to the workbench tools in this tutorial only apply to the IBM Education Environment we provide. If you are using a different environment, e.g. your own installation, you will need to navigate directly to the required tools.
Option 1: Disable Security for Specific REST Endpoints
To selectively bypass authentication for specific paths, create a @Configuration class and define an HttpSecurityConfigurer bean. Every path you want to exclude from HTTP security is then listed in the requestMatchers call.
The class should look like this:
import k5.sdk.springboot.security.HttpSecurityConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityConfiguration {

    @Bean
    HttpSecurityConfigurer configure() {
        return http -> http
                .authorizeHttpRequests(auth -> auth
                        // paths listed here are served without authentication
                        .requestMatchers("/my-first-path", "/my-second-path").permitAll()
                        // everything else keeps requiring an authenticated caller
                        .anyRequest().authenticated()
                );
    }
}
With this configuration, the specified paths (/my-first-path, /my-second-path) will not require authentication, while all other requests remain protected.
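Whether the exclusion list opens exactly the intended paths, and nothing more, is best checked by a test rather than by reading the configuration. The following is an added example and not code from this How-To or from the Workbench SDK; it drives the SecurityConfiguration class above through MockMvc. It assumes that the service's Spring context starts under @SpringBootTest in your environment, that spring-boot-starter-test and spring-security-test are on the test classpath, and that unauthenticated requests to protected paths are answered with HTTP 401 (adjust that expectation if your setup redirects to a login page instead). The package name and the additional request paths are placeholders.

```java
// Added example, not part of the original How-To: verifies the unauthenticated surface
// created by the Option 1 SecurityConfiguration is exactly the two listed paths.
package de.k5.minutes.minutes.config; // package name assumed; use your service's package

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultMatcher;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigurationTest {

    @Autowired
    private MockMvc mvc;

    /**
     * Passes when the request got past the security filter chain, whatever the controller
     * answered afterwards. A 404 is acceptable here: it proves no credentials were demanded.
     */
    private static ResultMatcher notRejectedBySecurity() {
        return result -> {
            int status = result.getResponse().getStatus();
            assertTrue(status != 401 && status != 403,
                    "expected the request to pass the security filters, got HTTP " + status);
        };
    }

    @Test
    void excludedPathsNeedNoCredentials() throws Exception {
        mvc.perform(get("/my-first-path")).andExpect(notRejectedBySecurity());
        mvc.perform(get("/my-second-path")).andExpect(notRejectedBySecurity());
    }

    @Test
    void patternsWithoutWildcardMatchExactly() throws Exception {
        // "/my-first-path" does not cover its sub-paths; list "/my-first-path/**" if that is intended.
        mvc.perform(get("/my-first-path/detail")).andExpect(status().isUnauthorized());
    }

    @Test
    void everythingElseStaysProtected() throws Exception {
        // constructed path that is not in the exclusion list
        mvc.perform(get("/some-other-path")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser
    void authenticatedCallersReachProtectedPaths() throws Exception {
        mvc.perform(get("/some-other-path")).andExpect(notRejectedBySecurity());
    }
}
```

The third test documents a detail that is easy to overlook: a requestMatchers pattern without a wildcard matches that one path only, so a sub-path under an excluded path is still protected unless the pattern ends in /**.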
Option 2: Disable Security for the Entire Service
If you need to disable security for the whole service, follow the steps below.
Once security is disabled, any functionality that depends on JWT tokens or the security context will need to be adjusted.
Steps
First, create a config package under src/main/java; the classes described below go into it.
Override OAuth2 Client Registration Repository
This class provides an empty implementation of the OAuth2 ClientRegistrationRepository.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.stereotype.Component;

@Component
public class EmptyClientRegistrationRepository implements ClientRegistrationRepository {

    private static final Logger log = LoggerFactory.getLogger(EmptyClientRegistrationRepository.class);

    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        log.info("Creating an Empty OAuth2 Client Registration Repository ...");
        // You can return null or an empty ClientRegistration object based on your requirements
        return null;
    }
}
Override OIDC Configuration
This class creates an OidcConfiguration instance backed by the EmptyClientRegistrationRepository from the previous section; it is marked @Primary so that it is preferred over the platform's default bean.
import de.knowis.cp.common.security.autoconfiguration.OidcConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

@Configuration
public class CustomOidcConfiguration {

    private static final Logger log = LoggerFactory.getLogger(CustomOidcConfiguration.class);

    @Bean
    @Primary
    public OidcConfiguration getOidcConfig(EmptyClientRegistrationRepository repo) {
        log.info("Creating Custom Oidc Configuration ...");
        return new OidcConfiguration(repo);
    }
}
Disable Spring Security Auto Configuration
Exclude the Spring Security auto-configuration classes SecurityAutoConfiguration.class, OAuth2ClientAutoConfiguration.class and ManagementWebSecurityAutoConfiguration.class from your Spring Boot application class, as in the snippet below.
import static java.util.TimeZone.getTimeZone;

import java.util.TimeZone;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.cloud.client.serviceregistry.ServiceRegistryAutoConfiguration;

@SpringBootApplication(exclude = {
        MongoAutoConfiguration.class,
        ServiceRegistryAutoConfiguration.class,
        // the three Spring Security auto-configurations are left out of context start-up
        SecurityAutoConfiguration.class,
        OAuth2ClientAutoConfiguration.class,
        ManagementWebSecurityAutoConfiguration.class},
        scanBasePackages = { "de.k5.minutes.minutes.*" })
public class MINUTESApplication {

    private static final Logger log = LoggerFactory.getLogger(MINUTESApplication.class);
    private static final TimeZone UTC = getTimeZone("UTC");

    public static void main(String[] args) {
        SpringApplication.run(MINUTESApplication.class, args);
    }
}
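The three classes above switch security off for the service unconditionally, in code that ships with every build. As an added example, not part of this How-To or of the Workbench SDK, the variant below keeps the same two beans (the empty ClientRegistrationRepository and the custom OidcConfiguration) but registers them only while a Spring profile is active, and writes a warning at start-up so the state is visible in the logs. The profile name, the package name and the assumption that the OidcConfiguration constructor accepts any ClientRegistrationRepository (the How-To only shows it being given an EmptyClientRegistrationRepository) are mine.

```java
// Added example, not from the How-To: the Option 2 beans gated behind a Spring profile,
// so the disabled-security configuration only loads when it is explicitly requested.
package de.k5.minutes.minutes.config; // package name assumed; use your service's package

import de.knowis.cp.common.security.autoconfiguration.OidcConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
@Profile("security-off") // profile name is an assumption; activate with SPRING_PROFILES_ACTIVE=security-off
public class SecurityOffConfiguration {

    private static final Logger log = LoggerFactory.getLogger(SecurityOffConfiguration.class);

    /**
     * Same behaviour as the page's EmptyClientRegistrationRepository (no registration is ever
     * found), written as a lambda because ClientRegistrationRepository has a single method.
     * @Primary makes it win over any repository the platform registers.
     */
    @Bean
    @Primary
    ClientRegistrationRepository emptyClientRegistrationRepository() {
        return registrationId -> {
            log.debug("No OAuth2 client registration for id '{}': security profile is off", registrationId);
            return null;
        };
    }

    /** Same as the page's CustomOidcConfiguration bean, only registered under the profile. */
    @Bean
    @Primary
    OidcConfiguration oidcConfiguration(ClientRegistrationRepository repo) {
        // assumption: the constructor accepts the ClientRegistrationRepository interface type
        return new OidcConfiguration(repo);
    }

    /** Makes the degraded state obvious on every start-up. */
    @Bean
    ApplicationRunner securityOffBanner() {
        return args -> log.warn(
                "Profile 'security-off' is active: REST endpoints accept unauthenticated requests");
    }
}
```

With the beans gated this way, the exclusion list from the MINUTESApplication class can be moved into a profile-specific properties file (application-security-off.properties) using Spring Boot's standard spring.autoconfigure.exclude property, so that nothing about the disabled state remains in the application class when the profile is not active.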
Disable JWT Propagation
Since there will be no JWT token available when calling API dependency services (other DSW services), token propagation must be disabled by converting every local-lookup API dependency into a dev-binding with the following configuration:
{
  "url": "Your-service-url",
  "k5_propagate_security_token": false
}
Disable OpenAPI and Security Feature Flags
For deployment, the security and OpenAPI feature flags must be disabled. This can be done in either of the following two ways.
1. Helm Charts Customization
Disable the security flags for your application by customizing the Helm chart values YAML.
feature:
  kafka-events:
    enabled: true
  mongo:
    enabled: true
  security:
    enabled: false
  openapi:
    enabled: false
  webmvc:
    enabled: false
For more info about Helm charts, please refer to Product Documentation: Fully Customizable Helm Charts
2. Programmatically Excluding Classes
Exclude PlatformSecurityAutoConfiguration.class from the Spring Boot application class, as in the example below:
import static java.util.TimeZone.getTimeZone;

import java.util.TimeZone;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.cloud.client.serviceregistry.ServiceRegistryAutoConfiguration;
import de.knowis.cp.common.security.autoconfiguration.PlatformSecurityAutoConfiguration;

@SpringBootApplication(exclude = {
        MongoAutoConfiguration.class,
        ServiceRegistryAutoConfiguration.class,
        // platform security feature is excluded in addition to the Spring Security auto-configurations
        PlatformSecurityAutoConfiguration.class,
        SecurityAutoConfiguration.class,
        OAuth2ClientAutoConfiguration.class,
        ManagementWebSecurityAutoConfiguration.class},
        scanBasePackages = { "de.k5.minutes.minutes.*" })
public class MINUTESApplication {

    private static final Logger log = LoggerFactory.getLogger(MINUTESApplication.class);
    private static final TimeZone UTC = getTimeZone("UTC");

    public static void main(String[] args) {
        SpringApplication.run(MINUTESApplication.class, args);
    }
}
Congratulations! You've successfully disabled security, either selectively for specific REST endpoints or entirely for your Java Domain Service.