9

I've implemented JWT RBAC in my Quarkus application, but I don't want to provide tokens whenever I'm testing my application locally.

EDIT:

What I've tried so far is setting these properties to "false", without any effect:

```properties
quarkus.oauth2.enabled=false
quarkus.security.enabled=false
quarkus.smallrye-jwt.enabled=false
```

Currently I've commented out all of

```java
//@RolesAllowed({"user"})
```

to "disable" auth locally.

Is there any property to disable security / enable endpoints for any given role?

Marian Klühspies
  • Have you tried `quarkus.[oauth|oidc].enabled=false`? All in all, I doubt that this is possible. Keep in mind that some endpoints may require information from the token (e.g. the logged in user). – Turing85 Jan 16 '20 at 17:37
  • @Turing85 at least oauth2.enabled=false, see my edit above – Marian Klühspies Jan 17 '20 at 10:32

3 Answers

5

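You can implement an AuthorizationController (io.quarkus.security.spi.runtime.AuthorizationController):

```java
import io.quarkus.security.spi.runtime.AuthorizationController;
import org.eclipse.microprofile.config.inject.ConfigProperty;

// To replace the default controller this class must be a CDI bean that overrides it,
// e.g. annotated with @Alternative, @Priority and @ApplicationScoped (see the guide linked below).
public class DisabledAuthController extends AuthorizationController {
    // disable.authorization=true switches role checks off; the default keeps them on.
    @ConfigProperty(name = "disable.authorization", defaultValue = "false")
    boolean disableAuthorization;

    @Override
    public boolean isAuthorizationEnabled() {
        // Authorization is enabled unless the flag asks to disable it.
        return !disableAuthorization;
    }
}
```

In the Quarkus guides, you can find more information: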

https://quarkus.io/guides/security-customization#disabling-authorization

J.García
  • 1
    You can also define a property quarkus.security.auth.enabled-in-dev-mode=false for the same result, except the option only works in dev/test mode. – KnechtRootrecht Jan 02 '23 at 19:30
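
An added example, not from the answer above or from the Quarkus guide: a variant of the controller that honours the flag only when Quarkus runs in dev or test mode, so the same setting reaching a production build leaves role checks on. The class name and the `local.disable-authorization` property are hypothetical, and the `jakarta.*` imports assume Quarkus 3 (use `javax.*` on Quarkus 2).

```java
import io.quarkus.runtime.LaunchMode;
import io.quarkus.security.spi.runtime.AuthorizationController;
import jakarta.annotation.PostConstruct;
import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.interceptor.Interceptor;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

// Hypothetical class: overrides the default controller, but only relaxes it locally.
@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class LocalOnlyAuthorizationController extends AuthorizationController {
    private static final Logger LOG = Logger.getLogger(LocalOnlyAuthorizationController.class);

    // Hypothetical property; defaults to false so a missing value keeps checks on.
    @ConfigProperty(name = "local.disable-authorization", defaultValue = "false")
    boolean disableRequested;

    private boolean bypass; // decided once at startup, not per request

    @PostConstruct
    void decide() {
        LaunchMode mode = LaunchMode.current();
        bypass = bypassAllowed(disableRequested, mode);
        if (bypass) {
            LOG.warnf("Authorization checks are DISABLED (launch mode %s)", mode);
        } else if (disableRequested) {
            LOG.error("local.disable-authorization ignored: not running in dev or test mode");
        }
    }

    @Override
    public boolean isAuthorizationEnabled() {
        return !bypass;
    }

    // Pure decision rule: an allow-list of modes, so any other mode fails closed.
    static boolean bypassAllowed(boolean requested, LaunchMode mode) {
        return requested && (mode == LaunchMode.DEVELOPMENT || mode == LaunchMode.TEST);
    }
}
```

Setting `%dev.local.disable-authorization=true` in application.properties then turns the checks off for dev mode only, and a packaged application started with the flag logs an error and keeps enforcing `@RolesAllowed`.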
2

Use the following Quarkus configuration:

```properties
quarkus.http.auth.proactive=false
```

Timi Ruprecht
1

It looks like you are using MicroProfile JWT RBAC, so set this: `quarkus.smallrye-jwt.enabled=false`

A broader FYI, you can find the JWT RBAC properties here, in the context of all available properties too.

John Clingan
  • Thanks. I've tried that and it may indeed disable JWT, but my routes still require roles to authorize calls – Marian Klühspies Jan 17 '20 at 08:01
  • 1
    To get there in a roundabout way (minimal effort, IMHO), keep the quarkus.smallrye-jwt.enabled=false setting, and then use the property file security realm (https://quarkus.io/guides/security-properties#properties-files-realm-configuration). Prefix each of these properties with %test in application.properties (or instead define via env or system properties) so they only run during tests. application.properties example: %test.quarkus.smallrye-jwt.enabled=false, %test.quarkus.security.users.file.enabled=true, etc, etc. – John Clingan Jan 17 '20 at 21:23