Support for @SecurityRequirement on dynamic spring-data-rest controllers

[steffen-wollscheid]

Hi, using version 1.4.3 there is great support for spring-data-rest endpoint documentation.

Do you think it is possible to extend that support to the "@securityrequirement" annotation?

No matter whether it's placed on the interface anntotaed with "@RepositoryRestResource" or any of the methods within - there is just no "security" element on any of the paths.

Is this something you can add, or is the original annotation just not passed on to the dynamic controllers when they are created in spring-data-rest (version of spring-data-rest is 3.2.7.RELEASE as defined by spring-boot-starter-parent 2.2.7.RELEASE)?

It would be great if the behavior of the "@securityrequirement" annotation could be aligned with that of the "@PreAuthorize"/"@secured" annotations on RepositoryRestResources.

[bnasslahsen]

@steffen-wollscheid,

Such a feature is not yet planned.
You can add security requirements to your desired spring-data-rest endpoints using OpenApiCustomiser, and here is a sample code for that:

@Bean
public OpenAPI openAPI() {
	return new OpenAPI()
			.components(new Components().addSecuritySchemes("bearer-jwt",
					new SecurityScheme()
							.type(SecurityScheme.Type.HTTP)
							.scheme("bearer")
							.bearerFormat("JWT"))
			);
}

@Bean
public OpenApiCustomiser securityItemCustomiser() {
	return openApi -> openApi.getPaths().values().stream().flatMap(pathItem -> pathItem.readOperations().stream())
			.forEach(operation -> operation.addSecurityItem(new SecurityRequirement().addList("bearer-jwt")));
}

Please feel free to propose a PR, if you feel it useful for community to have the annotation support as well.