stcarrez / swagger-ada

Ada support for OpenAPI code generator
Apache License 2.0

Security is always required #7

Closed mgrojo closed 2 years ago

mgrojo commented 2 years ago

When using swagger for Java, if the openapi specification has no security section, no authentication is required, but for swagger-ada, it seems to be always active. I had to comment out these lines to disable authentication:

$ git diff
diff --git a/src/server/swagger-servers-applications.adb b/src/server/swagger-servers-applications.adb
index 6e37996..2748194 100644
--- a/src/server/swagger-servers-applications.adb
+++ b/src/server/swagger-servers-applications.adb
@@ -38,27 +38,27 @@ package body Swagger.Servers.Applications is
       Cfg.Set ("view.dir", Dir & ";" & Swagger.Servers.Config.WEB_DIR);
       App.Set_Init_Parameters (Cfg);

-      App.Realm.Load (Config, Config.Get ("swagger.users", "users"));
-      App.Apps.Load (Config, Config.Get ("swagger.apps", "apps"));
-      App.Filter.Set_Auth_Manager (App.Auth'Unchecked_Access);
+      -- App.Realm.Load (Config, Config.Get ("swagger.users", "users"));
+      -- App.Apps.Load (Config, Config.Get ("swagger.apps", "apps"));
+      -- App.Filter.Set_Auth_Manager (App.Auth'Unchecked_Access);

-      --  Configure the authorization manager.
-      App.Auth.Set_Application_Manager (App.Apps'Unchecked_Access);
-      App.Auth.Set_Realm_Manager (App.Realm'Unchecked_Access);
-      App.OAuth.Set_Auth_Manager (App.Auth'Unchecked_Access);
-      App.Auth.Set_Private_Key (Key);
+      -- --  Configure the authorization manager.
+      -- App.Auth.Set_Application_Manager (App.Apps'Unchecked_Access);
+      -- App.Auth.Set_Realm_Manager (App.Realm'Unchecked_Access);
+      -- App.OAuth.Set_Auth_Manager (App.Auth'Unchecked_Access);
+      -- App.Auth.Set_Private_Key (Key);

       --  Register the servlets and filters
-      App.Add_Filter (Name   => "oauth", Filter => App.Filter'Unchecked_Access);
+      -- App.Add_Filter (Name   => "oauth", Filter => App.Filter'Unchecked_Access);
      App.Add_Servlet (Name => "api", Server => App.Api'Unchecked_Access);
       App.Add_Servlet (Name => "files", Server => App.Files'Unchecked_Access);
-      App.Add_Servlet (Name => "oauth", Server => App.OAuth'Unchecked_Access);
+      --App.Add_Servlet (Name => "oauth", Server => App.OAuth'Unchecked_Access);

       --  Define servlet mappings
       App.Add_Mapping (Name => "api", Pattern => "/*");
       App.Add_Mapping (Name => "files", Pattern => "/swagger/*.json");
-      App.Add_Mapping (Name => "oauth", Pattern => "/oauth/token");
-      App.Add_Filter_Mapping (Name => "oauth", Pattern => "/*");
+      --App.Add_Mapping (Name => "oauth", Pattern => "/oauth/token");
+      --App.Add_Filter_Mapping (Name => "oauth", Pattern => "/*");
       if UI_Enable then
          App.Add_Mapping (Name => "files", Pattern => "/ui/*.html");
          App.Add_Mapping (Name => "files", Pattern => "/ui/*.js");
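
Review bot: Commenting out `App.Add_Filter_Mapping (Name => "oauth", Pattern => "/*")` together with the `App.Add_Filter` call and the auth manager setup above it removes the OAuth filter from every request, so the `api` servlet mapped on `/*` is served without authentication for every specification, including those that do declare a security object. Instead of disabling the block in the source, wrap it in a condition that keeps authentication on by default, for example a property read through `Config.Get` or a flag handled like the existing `UI_Enable`, and keep the `/oauth/token` servlet and mapping inside the same condition so the token endpoint cannot be registered without its auth manager. If the lines must stay commented out, use one comment style throughout: the hunk mixes `-- App...` and `--App...`, while the surrounding code uses `--  ` with two spaces.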

Shouldn't there be a way to disable the authentication requirement, through the generated code when there is no security object in the openapi file, or at least to be able to disable it through configuration at runtime in the server?

mgrojo commented 2 years ago

Sorry, I think I was confused by something. It works now as expected (no authentication required) when the openapi file does not contain any security object.