From 7b111e572b19261c06e3a184d33567b2b23cea52 Mon Sep 17 00:00:00 2001
From: Andrey Dyachkov
Date: Mon, 23 Jul 2018 15:41:08 +0200
Subject: [PATCH 1/2] disable oauth when in NAKADI_OAUTH2_MODE=OFF
---
 .../nakadi/config/SecurityConfiguration.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java
index b57de03e68..97be27d6ac 100644
--- a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java
+++ b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java
@@ -10,6 +10,9 @@
 import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
@@ -189,5 +192,15 @@ public String getDetail() {
 }
 }
+ @Configuration
+ @EnableWebSecurity
+ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ @Override
+ public void configure(final WebSecurity web) throws Exception {
+ if (settings.getAuthMode() == SecuritySettings.AuthMode.OFF) {
+ web.ignoring().anyRequest();
+ }
+ }
+ }
 }
From 3395dff7be2a20dac33bdfe872139e77444e885a Mon Sep 17 00:00:00 2001
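Review bot: In `WebSecurityConfiguration.configure(WebSecurity)`, `web.ignoring().anyRequest()` takes every request out of the Spring Security filter chain, so with `AuthMode.OFF` the server skips not just token checks but also security headers and `SecurityContext` population, and nothing in the new code records that it started in this state. Because the switch is a single environment variable, I would log it inside the `if`, e.g. `LOG.warn("NAKADI_OAUTH2_MODE=OFF: all requests bypass the Spring Security filter chain");` (using whatever logger the enclosing class already has), so an accidentally unauthenticated deployment shows up in startup logs. The nested class is a non-static inner `@Configuration` that reads `settings` from the enclosing instance, and it leaves the adapter's default `configure(HttpSecurity)` in place for the other modes; a short comment stating both would help, since presumably the resource-server chain still matches first but that is not visible here. The enclosing class starts outside the hunk.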
From: Andrey Dyachkov
Date: Mon, 30 Jul 2018 08:24:09 +0200
Subject: [PATCH 2/2] updated fqg docs
---
 docs/_documentation/faq.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/docs/_documentation/faq.md b/docs/_documentation/faq.md
index 9844febdf0..46a0868fb9 100644
--- a/docs/_documentation/faq.md
+++ b/docs/_documentation/faq.md
@@ -83,8 +83,6 @@ The default behavior when running the docker containers locally will be for OAut
 If you are running a Nakadi server locally outside docker, you can disable token checks by setting the environment variable `NAKADI_OAUTH2_MODE` to `OFF` before starting the server.
-Note that, even if OAuth is disabled using the `NAKADI_OAUTH2_MODE` environment variable, the current behavior will be to check a token if one is sent by a client so you might need to configure the client to also not send tokens.
-
 #### I want to send arbitrary JSON, how do I avoid defining a JSON Schema?
 The standard workaround is to define an event type with the following category and schema: