How to disable the custom Atlassian Spring Boot interceptors for certain paths?

Hello, everybody,

I have started to implement a plugin with the Atlassian Spring Boot Starter package.

My plugin should also be able to deliver data over REST endpoints to other applications. For this I want to implement the Swagger UI to show all available endpoints to my clients.

Unfortunately this does not work without problems. In the Atlassian Spring Boot dependency a “RequireAuthenticationHandlerInterceptor” is registered. It checks the JWT token, which must be delivered with every request. You can skip this interceptor by adding an @IgnoreJwt annotation to the controller method. Unfortunately this is not possible with Swagger UI. Swagger internally calls the endpoints “swagger-resources/configuration/ui” and “swagger-resources/configuration/security”, which of course do not have the annotation “@IgnoreJwt”. This means that these requests always return “401 Forbidden” and therefore Swagger UI is not loaded.

Do you have an idea how I can delete the Interceptor “RequireAuthenticationHandlerInterceptor” from the list of Interceptors and register my “CustomRequireAuthenticationHandlerInterceptor” with whitelisted paths? Or is there another solution for this problem?

The following does not work:

```java
@Configuration
public class TestConfiguration implements WebMvcConfigurer {

    private static final Logger LOG = LoggerFactory.getLogger(TestConfiguration.class);

    private static final String[] AUTH_WHITELIST = { "/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security",
            "/swagger-ui.html", "/webjars/**", "/swagger-resources/configuration/ui", "/swagger-ui.html" };

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RequireAuthenticationHandlerInterceptor()).excludePathPatterns(AUTH_WHITELIST);
    }

}
```

I also tried to make the function “List getInterceptors()” in “InterceptorRegistry.java” public via reflection and then remove the one which is registered by Atlassian and add the same Interceptor with whitelisted paths. This is also not working. My implementation of “WebMvcConfigurer” is always executed before the bean class “AtlassianConnectWebMvcAutoConfiguration”. In that case the list of interceptors is empty.

Excluding the bean “AtlassianConnectWebMvcAutoConfiguration” with the following annotation is also not working. It is nevertheless always executed:

```java
@ComponentScan(basePackages = "x.y.z", excludeFilters = {
        @ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, value = AtlassianConnectWebMvcAutoConfiguration.class) })
```

A possible solution could be to make includePatterns and excludePatterns for “AtlassianConnectWebMvcAutoConfiguration” configurable.

Thanks in advance for your help

Hi @muca,

welcome to the community, sorry for the late reply, and thanks for suggesting a solution to your problem :slight_smile:

This was possible in Spring Boot 1.x using security.ignored, but the feature was lost in the upgrade to 2.0. I have raised PR 80 for this.

Hi @epehrson,

great, thank you! This is exactly the change I had in mind.

Best,
muca

This is now available in version 2.0.5 :slight_smile:

Thank you, @epehrson!!! :slight_smile:

Hi @muca ,

I still don’t get how you managed to get it working. Would you share your experience? Thank you in advance.

Regards,
Philip

Hi @fkasapov,

per the library README, you can use the configuration property atlassian.connect.require-auth-exclude-paths to expose unauthenticated endpoints.
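
An added example, not code from this thread or from the Atlassian library: a small audit that checks a candidate list for atlassian.connect.require-auth-exclude-paths against the endpoints that must keep JWT authentication, so a catch-all pattern added to get Swagger UI working is caught before it ships. It assumes the library matches excluded paths with Spring's Ant-style patterns; the class name and the protected endpoint paths are hypothetical.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.util.AntPathMatcher;

// Added example: class name and sample endpoints are hypothetical.
public class AuthExcludePathAudit {

    // Assumption: excluded paths are matched Ant-style, as Spring MVC's
    // excludePathPatterns(...) does for the patterns used here.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns every protected path that at least one exclude pattern would expose. */
    static List<String> exposedPaths(List<String> excludePatterns, List<String> protectedPaths) {
        return protectedPaths.stream()
                .filter(path -> excludePatterns.stream()
                        .anyMatch(pattern -> MATCHER.match(pattern, path)))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample: endpoints of the add-on that must stay behind the JWT check.
        List<String> protectedPaths = List.of(
                "/api/issues/42", "/api/projects", "/admin/config");

        // Narrow list: only the Swagger UI paths named in the question above.
        List<String> narrow = List.of(
                "/v2/api-docs", "/swagger-ui.html", "/webjars/**", "/swagger-resources",
                "/swagger-resources/configuration/ui",
                "/swagger-resources/configuration/security");

        // Over-broad list: a catch-all pattern that also disables authentication
        // for every other endpoint.
        List<String> broad = List.of("/swagger-ui.html", "/**");

        System.out.println("narrow exposes: " + exposedPaths(narrow, protectedPaths));
        System.out.println("broad exposes:  " + exposedPaths(broad, protectedPaths));

        // Fail the build or start-up check if the list that will be deployed leaks anything.
        if (!exposedPaths(narrow, protectedPaths).isEmpty()) {
            throw new IllegalStateException("require-auth-exclude-paths exposes protected endpoints");
        }
    }
}
```

Run it as a unit test or start-up check with the same list you put into the property, and extend the protected paths whenever a new authenticated controller is added.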