Tags: spring-security, oauth-2.0, spring-cloud

Spring Cloud Gateway Oauth2 Resource Server allow actuator endpoints


I have a Spring Cloud Gateway running with this dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

And with this annotation in the main method:

@EnableWebFluxSecurity

In my properties file I have these properties:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak/realms/dpse-realm
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://keycloak/realms/dpse-realm/protocol/openid-connect/certs

When I do this, every call that goes to the gateway is required to have a valid JWT token issued by a Keycloak server.

My question is how I can avoid the security when I call actuator endpoints.

At this time the health check is required to have a token.


Solution

  • I was trying to find a property or another way than creating a @Bean or @Configuration class.

    But, at least, the correct answer for my particular problem is this:

    import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;

    @EnableWebFluxSecurity
    public class SecurityConfiguration {

        // Injected so the rules follow management.endpoints.web.base-path (default "/actuator")
        private final WebEndpointProperties webEndpointProperties;

        public SecurityConfiguration(WebEndpointProperties webEndpointProperties) {
            this.webEndpointProperties = webEndpointProperties;
        }

        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // getBasePath() already starts with "/", so no extra slash is prepended
            String basePath = webEndpointProperties.getBasePath();

            http.csrf()
                // stateless bearer-token API: there is no session cookie for CSRF to protect
                .disable()
                .authorizeExchange()
                // only health and info are reachable without a token
                .pathMatchers(basePath + "/health/**", basePath + "/info/**")
                .permitAll()
                // every other exchange, including the remaining actuator endpoints, needs a JWT
                .anyExchange()
                .authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt();
            return http.build();
        }
    }


    Now the actuator endpoints are permitted and other calls have to be authenticated with a token.
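As an added example (not the answerer's code), the same rules can be written with Spring Boot's EndpointRequest matcher for WebFlux, which resolves the actuator base path itself instead of building path strings by hand. It assumes the same Spring Boot 2.x / Spring Security 5.x DSL the answer uses; the class name ActuatorSecurityConfiguration is chosen here.

```java
// Added example, not code from the question or the answer.
// Assumes the Spring Boot 2.x / Spring Security 5.x WebFlux DSL used above.
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class ActuatorSecurityConfiguration {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // Stateless bearer-token API: no session cookie, so CSRF protection adds nothing here.
            .csrf().disable()
            .authorizeExchange()
                // Only the health (including /health/liveness, /health/readiness) and info
                // endpoints are reachable without a token. EndpointRequest honours
                // management.endpoints.web.base-path, so a changed base path keeps working.
                .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Everything else on the gateway, including the remaining actuator endpoints
                // (env, heapdump, gateway routes, ...), still needs a valid Keycloak-issued JWT.
                .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}
```

Keeping the unauthenticated set to health and info only is the part that matters: a broad `EndpointRequest.toAnyEndpoint()` rule would also expose endpoints such as env and heapdump, so keep this matcher narrow and let the `anyExchange().authenticated()` rule cover the rest.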