Merge pull request zalando#916 from zalando/disable-oauth

Disable OAuth when in NAKADI_OAUTH2_MODE=OFF
fbrns · Nov 6, 2018 · 80f23d7 · 80f23d7
2 parents 02bf998 + a48f8f2
commit 80f23d7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/docs/_documentation/faq.md b/docs/_documentation/faq.md
@@ -83,8 +83,6 @@ The default behavior when running the docker containers locally will be for OAut
 
 If you are running a Nakadi server locally outside docker, you can disable token checks by setting the environment variable `NAKADI_OAUTH2_MODE` to `OFF` before starting the server.
 
-Note that, even if OAuth is disabled using the `NAKADI_OAUTH2_MODE` environment variable, the current behavior will be to check a token if one is sent by a client so you might need to configure the client to also not send tokens.
-
 #### I want to send arbitrary JSON, how do I avoid defining a JSON Schema?
 
 The standard workaround is to define an event type with the following category and schema:

diff --git a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java
@@ -10,6 +10,9 @@
 import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
@@ -201,4 +204,16 @@ private static Status fromStatusCode(final int code) throws UnknownStatusCodeExc
         }
         throw new UnknownStatusCodeException("Unknown status code: " + code);
     }
+
+    @Configuration
+    @EnableWebSecurity
+    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+        @Override
+        public void configure(final WebSecurity web) throws Exception {
+            if (settings.getAuthMode() == SecuritySettings.AuthMode.OFF) {
+                web.ignoring().anyRequest();
+            }
+        }
+    }
+
 }