
Bug: AbstractSecurityConfig sets security for all paths, even those excluded #3013

Open
1 of 4 tasks
tuukkamustonen opened this issue Jan 22, 2024 · 0 comments
Labels
area/openapi This PR involves changes to the OpenAPI schema Bug 🐛 This is something that is not working as expected Help Wanted 🆘 This is good for people to work on

tuukkamustonen (Contributor) commented Jan 22, 2024

Description

The AbstractSecurityConfig adds OpenAPI securityScheme and security entries to the generated spec, but it does so at the root level of the spec, instead of per endpoint.

That is fine, as long as you apply the logic for all endpoints. But it also allows you to exclude certain paths from processing, and yet the security spec will apply for those endpoints, too. That is because it gets defined at the root level of the OpenAPI spec, instead of per path.

A local security will overwrite the global one, but if there's an endpoint without authentication, the security should not be added to the root of the spec as there won't be a local security declaration.


A related thing is that the AbstractAuthenticationMiddleware does not add security or securityScheme to the OpenAPI spec at all. You would kinda expect that it does, similar to FastAPI's SecurityBase inheritors (e.g. https://fastapi.tiangolo.com/tutorial/security/simple-oauth2). You have to separately provide security= in decorators/routers. But that's another thing, I guess.

MCVE

N/A at this point but ping if unclear and I'll add.

Litestar Version

2.4.5

Platform

  • Linux
  • Mac
  • Windows
  • Other (Please specify in the description above)

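The resolution rule behind the bug, as an added example that is not Litestar's code: a root-level `security` block applies to every operation that does not declare its own, so an excluded path inherits it even though no middleware enforces it there. The script below uses a constructed minimal spec and constructed regex exclusion patterns; `audit` flags operations that are documented as protected but excluded from enforcement, and `push_security_down` shows the per-operation alternative (`security: []` on excluded paths).

```python
import re
from copy import deepcopy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed minimal spec: a root-level security block like the one the
# security config currently emits, plus two paths meant to be unauthenticated.
SPEC = {
    "openapi": "3.1.0",
    "components": {"securitySchemes": {"BearerToken": {"type": "http", "scheme": "bearer"}}},
    "security": [{"BearerToken": []}],
    "paths": {
        "/login": {"post": {"operationId": "login"}},
        "/health": {"get": {"operationId": "health"}},
        "/users": {"get": {"operationId": "list_users"}},
    },
}
EXCLUDE = [r"^/login$", r"^/health$"]  # constructed; stands in for the excluded paths


def excluded(path, patterns):
    return any(re.search(p, path) for p in patterns)


def effective_security(spec, path, method):
    """OpenAPI rule: an operation's own `security` overrides the root list; if the
    operation has none, the root list applies. An explicit [] means 'no auth'."""
    op = spec["paths"][path][method]
    return op["security"] if "security" in op else spec.get("security", [])


def audit(spec, patterns):
    """Operations on excluded paths whose documented security is still non-empty,
    i.e. the spec promises authentication that the middleware does not enforce."""
    return sorted(
        (path, method)
        for path, item in spec["paths"].items() if excluded(path, patterns)
        for method in item if method in HTTP_METHODS
        if effective_security(spec, path, method)
    )


def push_security_down(spec, patterns):
    """Drop the root block and declare security per operation instead; excluded
    paths get an explicit empty list so nothing is inherited."""
    fixed = deepcopy(spec)
    root = fixed.pop("security", [])
    for path, item in fixed["paths"].items():
        for method in item:
            if method in HTTP_METHODS:
                item[method].setdefault("security", [] if excluded(path, patterns) else root)
    return fixed
```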
@tuukkamustonen tuukkamustonen added the Bug 🐛 This is something that is not working as expected label Jan 22, 2024
@tuukkamustonen tuukkamustonen changed the title Bug: AbstractSecurityConfig sets security for all paths, even those excluded Bug: AbstractSecurityMiddleware sets security for all paths, even those excluded Mar 14, 2024
@tuukkamustonen tuukkamustonen changed the title Bug: AbstractSecurityMiddleware sets security for all paths, even those excluded Bug: AbstractAuthenticationMiddleware sets security for all paths, even those excluded Mar 14, 2024
@tuukkamustonen tuukkamustonen changed the title Bug: AbstractAuthenticationMiddleware sets security for all paths, even those excluded Bug: AbstractSecurityConfig sets security for all paths, even those excluded Mar 14, 2024
@peterschutt peterschutt added Help Wanted 🆘 This is good for people to work on area/openapi This PR involves changes to the OpenAPI schema labels Apr 30, 2024
Development

No branches or pull requests

2 participants