Override global @SecurityRequirements with empty value on resource #382

Closed
yreifschneider opened this issue Jun 24, 2020 · 5 comments · Fixed by #395

@yreifschneider
Contributor

I have a JAX-RS Application with a global security configuration:

```java
@OpenAPIDefinition(
    components = @Components(
        securitySchemes = {
            @SecurityScheme(
                securitySchemeName = "oauth2",
                type = SecuritySchemeType.OAUTH2,
                flows = @OAuthFlows(
                    password = @OAuthFlow(
                        tokenUrl = "/oauth/token",
                        scopes = {
                            @OAuthScope(name = "global", description = "access all")
                        }
                    )
                )
            )
        }
    ),
    security = {
        @SecurityRequirement(name = "oauth2", scopes = {"global"})
    }
)
public class RestApplication extends Application {

}
```

I want to remove this security requirement for a single resource, thus not requiring authentication for this endpoint. I tried to achieve this by specifying an empty @SecurityRequirements() annotation on the resource method like so:

```java
@GET
@Path(value = "/view")
@SecurityRequirements
public Response view() {
    // ...
}
```

However, this does not work. The generated specification does not reflect this annotation with an empty security requirement. Is there another way to achieve this, without removing the global security requirement definition?

I am building the application with Quarkus 1.5.2.Final which uses smallrye-open-api 1.2.4.

@MikeEdgar
Member

@yreifschneider - did you try using an empty @SecurityScheme? If that doesn't work, I'll need to do a bit more research.

@yreifschneider
Contributor Author

@MikeEdgar an empty @SecurityScheme does not work either. I created a test case to demonstrate the desired behaviour at yreifschneider@d7aa92f. The problem is that `io.smallrye.openapi.runtime.util.JandexUtil#getRepeatableAnnotation` does not differentiate between an empty repeatable annotation and no annotation at all.

One possible solution would be to return an optional list to allow generation of an empty repeatable annotation. Do you think this is a viable solution?

@MikeEdgar
Member

@yreifschneider - please try to annotate the class that does not require authorization with @PermitAll. Are you using @RolesAllowed anywhere in your application?

MikeEdgar added the "question" (Further information is requested) label Jul 14, 2020

@yreifschneider
Contributor Author

@MikeEdgar Thanks for your response. @PermitAll does not change the output of the spec file. I also do not use @RolesAllowed or other security annotations, because security is handled outside the Quarkus application in an API gateway. I just want to change the output of the generated OpenAPI spec file, preferably through annotations inside the `org.eclipse.microprofile.openapi.annotations` package.

@MikeEdgar
Member

@yreifschneider - please look for the ability to use an empty @SecurityRequirements annotation in the next release.
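
Added example, not code from this thread or from smallrye-open-api: in OpenAPI 3 an operation-level `security: []` replaces the root-level requirement while a missing `security` key inherits it, the same absent-versus-empty distinction raised above. This Python sketch audits a generated document for which operations end up unauthenticated; the sample spec and all function names are constructed for illustration.

```python
import json

# Constructed, trimmed sample of a generated OpenAPI document (not output from
# the thread): one global oauth2 requirement and three ways an operation relates to it.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "security": [{"oauth2": ["global"]}],
  "paths": {
    "/view":  {"get": {"security": [], "responses": {}}},
    "/admin": {"get": {"responses": {}}},
    "/mixed": {"get": {"security": [{}, {"oauth2": ["global"]}], "responses": {}}}
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(spec, operation):
    """Return the requirement list that applies to one operation.

    A missing "security" key inherits the root-level list; a present key,
    even an empty list, replaces it. Testing with `in` instead of truthiness
    keeps "absent" and "empty" distinct.
    """
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def classify(requirements):
    """'open' = no auth declared, 'optional' = anonymous allowed, else 'required'."""
    if not requirements:
        return "open"
    if any(req == {} for req in requirements):
        return "optional"
    return "required"


def audit(spec):
    """Map 'METHOD /path' to its classification for every operation in the spec."""
    report = {}
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method in HTTP_METHODS:
                report[f"{method.upper()} {path}"] = classify(effective_security(spec, operation))
    return report


if __name__ == "__main__":
    for op, status in sorted(audit(SAMPLE_SPEC).items()):
        print(f"{status:9} {op}")
```

Running such a check against the generated document in CI makes an unintended `open` operation visible when security is enforced elsewhere, such as in an API gateway.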
