Reputation: 668
I have a Spring Cloud Gateway running with this dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
And with this annotation in the main method:
@EnableWebFluxSecurity
In my properties file I have these properties:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak/realms/dpse-realm
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://keycloak/realms/dpse-realm/protocol/openid-connect/certs
When I do the above, every call that goes to the gateway is required to have a valid JWT token issued by a Keycloak server.
My question is how I can avoid the security when I call actuator endpoints.
At this time the health check is required to have a token.
Upvotes: 0
Views: 1496
Reputation: 668
I was trying to find a property or some way other than creating a @Bean or @Configuration class.
But, at least, the correct answer for my particular problem is this:
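import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration // needed on Spring Security 6+, where @EnableWebFluxSecurity no longer implies it
@EnableWebFluxSecurity
public class SecurityConfiguration {

    private final WebEndpointProperties webEndpointProperties;

    public SecurityConfiguration(WebEndpointProperties webEndpointProperties) {
        this.webEndpointProperties = webEndpointProperties;
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.csrf()
                .disable()
            .authorizeExchange()
                // getBasePath() already starts with "/" (default "/actuator"),
                // so no extra "/" is prepended to either pattern
                .pathMatchers(webEndpointProperties.getBasePath() + "/health/**",
                        webEndpointProperties.getBasePath() + "/info/**")
                .permitAll()
            .and()
            .authorizeExchange()
                // everything else, including other actuator endpoints, needs a valid JWT
                .anyExchange()
                .authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}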
Now the actuator endpoint is permitted and other calls have to be authenticated with a token.
Upvotes: 2
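An alternative to building the path strings by hand, as an added example that is not part of the original answer: Spring Boot's reactive EndpointRequest matcher selects the health and info endpoints by type, so the rule follows whatever management base path is configured. The class name is hypothetical, and the code assumes Spring Boot 2.x/3.x with Spring Security 5.2 or later (lambda DSL).

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical class name; added example, not code from the post.
@Configuration
@EnableWebFluxSecurity
public class ActuatorAwareSecurityConfiguration {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // CSRF protection disabled, as in the answer above.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .authorizeExchange(exchanges -> exchanges
                // Only the health and info endpoints are open. The matcher
                // resolves their paths from the actuator configuration, so it
                // keeps working if management.endpoints.web.base-path changes.
                .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                .permitAll()
                // Every other actuator endpoint and every gateway route
                // still requires a valid JWT.
                .anyExchange()
                .authenticated())
            // Validate bearer tokens with the issuer-uri / jwk-set-uri properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With the health endpoint open, leaving management.endpoint.health.show-details at its default of never (or setting it to when-authorized) keeps the unauthenticated response limited to the overall status.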