Marian Klühspies

Reputation: 17657

How to disable security in Quarkus

I've implemented JWT RBAC in my Quarkus application, but I don't want to provide tokens whenever I'm testing my application locally.

EDIT:

What I've tried so far is setting these properties to "false", without any effect.

quarkus.oauth2.enabled=false
quarkus.security.enabled=false
quarkus.smallrye-jwt.enabled=false

Currently I've commented out all of

 //@RolesAllowed({"user"})

to "disable" auth locally.

Is there any property to disable security / enable endpoints for any given role?

Upvotes: 11

Views: 9067

Answers (5)

kindaska

Reputation: 156

In my unit tests, what caused the tests to try to connect to the OIDC server, even with

quarkus.oidc.enabled=false
quarkus.keycloak.devservices.enabled=false
quarkus.http.auth.proactive=false
quarkus.security.auth.enabled-in-dev-mode=false 

was the

quarkus.oidc-client.token-path

property being set.

Obviously (not for me, btw), even if you tell Quarkus not to enable OIDC and you are too lazy to delete token-path, well, Quarkus just says: "Oh, you are setting that value, so even if you are telling me you don't want OIDC, well, I bet you want it!"

Just delete it in the application-test.properties.

Upvotes: 0

devrys

Reputation: 1627

Late to the party but maybe helpful for future visitors of this question: Since Quarkus 2.8 there is a configuration option to disable authorization: quarkus.security.auth.enabled-in-dev-mode.

I'm using this for the dev profile in my application.yaml:

"%dev":
  quarkus:
    security:
      auth:
        enabled-in-dev-mode: false

Info on this property: https://quarkus.io/guides/security-customization#disabling-authorization

And for unit tests you don't need to disable authorization; you can use the annotation io.quarkus.test.security.TestSecurity on test classes or methods that require role-based authentication. It's part of the dependency io.quarkus:quarkus-test-security.

Example for testing an endpoint with a security context that has an authenticated user with role read-all:

@QuarkusTest
@TestSecurity(user = "testUser", roles = {"read-all"})
public class MyEndToEndTestWithAuth { // ...

More information: https://quarkus.io/guides/security-testing#testing-security

Note that I also use the following config for the test profile to disable the OIDC tenant and avoid a startup failure; maybe you need this, too:

"%test":
  quarkus:
    oidc:
      tenant-enabled: false

Upvotes: 4

Timi Ruprecht

Reputation: 141

Use the following Quarkus configuration:

quarkus.http.auth.proactive=false

Upvotes: 3

J.García

Reputation: 136

You can implement an AuthorizationController (io.quarkus.security.spi.runtime.AuthorizationController)

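import io.quarkus.security.spi.runtime.AuthorizationController;
import jakarta.annotation.Priority; // javax.* instead of jakarta.* on Quarkus 2.x
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.interceptor.Interceptor;
import org.eclipse.microprofile.config.inject.ConfigProperty;

@Alternative // must outrank the default AuthorizationController bean
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class DisabledAuthController extends AuthorizationController {
    @ConfigProperty(name = "disable.authorization", defaultValue = "false")
    boolean disableAuthorization;
    @Override
    public boolean isAuthorizationEnabled() {
        return !disableAuthorization; // enabled unless disable.authorization=true
    }
}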

You can find more information in the Quarkus guides:

https://quarkus.io/guides/security-customization#disabling-authorization

Upvotes: 5

John Clingan

Reputation: 3334

It looks like you are using MicroProfile JWT RBAC, so set this: quarkus.smallrye-jwt.enabled=false

A broader FYI, you can find the JWT RBAC properties here, in the context of all available properties too.

Upvotes: 2
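
Added example (not part of any answer above, and not Quarkus code): a small CI check that flags the security-relaxing properties mentioned in this thread when they are set in a .properties file without a %dev or %test profile prefix. The function name, the set of allowed profiles and the sample file are assumptions made for illustration.

```python
import re

# Properties from this thread that turn off an authentication mechanism or
# authorization checks, with the value that does so.
# quarkus.security.auth.enabled-in-dev-mode is omitted: it only acts in dev mode.
RISKY = {
    "quarkus.oidc.enabled": "false",
    "quarkus.oidc.tenant-enabled": "false",
    "quarkus.smallrye-jwt.enabled": "false",
    "disable.authorization": "true",  # custom flag from the AuthorizationController answer
}
SAFE_PROFILES = {"dev", "test"}  # assumption: only these profiles may relax security

# Matches "key=value" with an optional "%profile." or "%p1,p2." prefix.
ENTRY = re.compile(
    r"^\s*(?:%(?P<profiles>[\w,-]+)\.)?(?P<key>[\w.-]+)\s*[=:]\s*(?P<value>.*?)\s*$"
)

def unscoped_security_overrides(text, file_profile=None):
    """Return (line_no, key, value) for risky settings active outside dev/test.

    file_profile is the profile of a profile-specific file such as
    application-test.properties ("test"); None means application.properties.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):  # comment lines
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"].lower()
        if RISKY.get(key) != value:
            continue
        profiles = set(m["profiles"].split(",")) if m["profiles"] else {file_profile}
        if not profiles <= SAFE_PROFILES:  # any non-dev/test profile => finding
            findings.append((no, key, value))
    return findings

# Constructed sample file, for illustration only.
SAMPLE = """\
# constructed application.properties
%dev.quarkus.security.auth.enabled-in-dev-mode=false
%test.quarkus.oidc.tenant-enabled=false
quarkus.smallrye-jwt.enabled=false
%dev,staging.disable.authorization=true
quarkus.http.auth.proactive=false
"""

if __name__ == "__main__":
    for no, key, value in unscoped_security_overrides(SAMPLE):
        print(f"line {no}: {key}={value} is not limited to dev/test")
```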
