JobRunr Pro lets you define a set of rules to restrict access to the JobRunr Pro Dashboard and its underlying REST API. In this guide, you will learn how to use the AnonymousAuthenticationProvider to implement authorization rules without the need for user authentication.
Prerequisites
- JobRunr Pro 7.0.0 or later
- You already know how to configure JobRunr
What is an AnonymousAuthenticationProvider
The AnonymousAuthenticationProvider is a simple authentication provider that allows you to specify authorization rules that are checked whenever the dashboard is visited and on every access to the REST API endpoints. This provider is primarily used for backward compatibility, as the previous behavior granted unrestricted access to all users, whether authenticated or not.
You may use this authentication provider to easily restrict access to specific resources. A good use case is when your dashboard is only accessible in your internal network but you want to allow only read access in the dashboard, thereby preventing users from requeuing or deleting jobs, pausing or triggering recurring jobs, etc.
Setting authorization rules using AnonymousAuthenticationProvider
JobRunr Pro’s default setting is an AnonymousAuthenticationProvider with allowAll authorization rules. If this aligns with your requirements, no further action is needed.
In this guide, we will provide two examples:
- Only allow read-only access to the dashboard.
- Only allow viewing and controlling recurring jobs (e.g., pause, resume, trigger, and edit schedule expressions).
1. Making the dashboard read-only
To make our JobRunr dashboard read-only, we need to modify our configuration as follows:
// ...
import org.jobrunr.dashboard.server.security.AnonymousAuthenticationProvider;
import static org.jobrunr.dashboard.server.security.JobRunrUserAuthorizationRules.readOnly;
// ...
JobRunrPro
    .configure()
    // ...
    .useDashboard(usingStandardDashboardConfiguration()
        // ...
        .andAuthentication(new AnonymousAuthenticationProvider(readOnly()))
    )
    // ...
In Spring Boot, we can just create an AnonymousAuthenticationProvider Bean that will be automatically used by the jobrunr-spring-boot-3-starter:
@Bean
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(readOnly());
}
In Quarkus, we can just create an AnonymousAuthenticationProvider Bean that will be automatically used by the quarkus-jobrunr extension:
@Produces
@Singleton
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(readOnly());
}
In Micronaut, we can just create an AnonymousAuthenticationProvider Bean that will be automatically used by the jobrunr-micronaut-feature:
@Singleton
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(readOnly());
}
In the code snippet above, we imported the AnonymousAuthenticationProvider class and the static readOnly method from JobRunrUserAuthorizationRules to set the authorization rules of the authentication provider. Launching the application with this configuration will result in an HTTP Forbidden (403) response for any access to endpoints that change the state of jobs, recurring jobs, or servers.
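To confirm after a deployment that the read-only rules are actually enforced, the following check (an added example, not JobRunr's own code) sends state-changing requests to the dashboard and reports every one that is not answered with 403. The endpoint paths, the constructed job id and the default base URL are assumptions to adjust to your deployment; it needs Java 17 and a running dashboard.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;

public class ReadOnlyDashboardCheck {

    // One probe: HTTP method, path and the status the read-only rules should produce.
    record Probe(String method, String path, int expectedStatus) {}

    // ASSUMPTION: the paths below are illustrative; replace them with the endpoints
    // your dashboard version exposes. The id is constructed and should not exist,
    // so a missing rule cannot change a real job.
    static final String FAKE_ID = "00000000-0000-0000-0000-000000000000";
    static final List<Probe> PROBES = List.of(
        new Probe("GET", "/api/recurring-jobs", 200),
        new Probe("DELETE", "/api/jobs/" + FAKE_ID, 403),
        new Probe("POST", "/api/jobs/" + FAKE_ID + "/requeue", 403),
        new Probe("DELETE", "/api/recurring-jobs/" + FAKE_ID, 403));

    // Sends every probe and returns a description of each unexpected status.
    static List<String> run(String baseUrl) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        List<String> failures = new ArrayList<>();
        for (Probe p : PROBES) {
            HttpRequest request = HttpRequest.newBuilder(URI.create(baseUrl + p.path()))
                .method(p.method(), HttpRequest.BodyPublishers.noBody())
                .build();
            int status = client.send(request, HttpResponse.BodyHandlers.discarding()).statusCode();
            if (status != p.expectedStatus()) {
                failures.add(p.method() + " " + p.path() + " -> " + status
                    + ", expected " + p.expectedStatus());
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        // ASSUMPTION: the dashboard base URL is the first argument; the default is a placeholder.
        List<String> failures = run(args.length > 0 ? args[0] : "http://localhost:8000");
        failures.forEach(System.err::println);
        System.exit(failures.isEmpty() ? 0 : 1);
    }
}
```

A non-zero exit code means at least one probe did not return the expected status, which makes the check usable as a post-deployment gate.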
2. Only allow viewing and controlling of recurring jobs
JobRunr also allows more flexible authorization rule configurations. In this example, we’ll configure the JobRunr Dashboard to only allow read, pause, resume, trigger and edit of recurring jobs.
This essentially forbids access to any other resources, including deleting recurring jobs!
To only allow viewing and controlling recurring jobs in the recurring jobs tab inside the JobRunr dashboard, we need to modify our configuration as follows:
// ...
import org.jobrunr.dashboard.server.security.AnonymousAuthenticationProvider;
import static org.jobrunr.dashboard.server.security.JobRunrUserAuthorizationRules.denyAll;
// ...
JobRunrPro
    .configure()
    // ...
    .useDashboard(usingStandardDashboardConfiguration()
        // ...
        .andAuthentication(new AnonymousAuthenticationProvider(denyAll()
            .canAccessRecurringJobs(true)
            .canControlRecurringJobs(true)
            .build()))
    )
    // ...
In Spring Boot, we can again just create an AnonymousAuthenticationProvider Bean and pass the correct JobRunrUserAuthorizationRules which will then be automatically used by the jobrunr-spring-boot-3-starter:
@Bean
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(denyAll()
        .canAccessRecurringJobs(true)
        .canControlRecurringJobs(true)
        .build());
}
In Quarkus, we can again just create an AnonymousAuthenticationProvider Bean and pass the correct JobRunrUserAuthorizationRules which will then be automatically used by the quarkus-jobrunr extension:
@Produces
@Singleton
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(denyAll()
        .canAccessRecurringJobs(true)
        .canControlRecurringJobs(true)
        .build());
}
In Micronaut, we can just create an AnonymousAuthenticationProvider Bean and pass the correct JobRunrUserAuthorizationRules which will then be automatically used by the jobrunr-micronaut-feature:
@Singleton
public AuthenticationProvider authenticationProvider() {
    return new AnonymousAuthenticationProvider(denyAll()
        .canAccessRecurringJobs(true)
        .canControlRecurringJobs(true)
        .build());
}
In the code snippet above, we imported the AnonymousAuthenticationProvider class and the denyAll method from JobRunrUserAuthorizationRulesBuilder to set the desired rules for accessing and controlling recurring jobs. Launching the dashboard with this configuration will restrict access to any other resources besides those explicitly enabled.
If canAccessRecurringJobs is set to false, the recurring jobs page will no longer be accessible; you’ll need to use tools such as curl to perform changes to the recurring jobs.
Limitations
It’s important to be aware of a limitation when using Anonymous Authentication with JobRunr Pro. The setup discussed in this guide requires that the JobRunr instance be restarted to update the authorization rules. This means that if you need to modify or fine-tune the access control rules, you will need to restart your JobRunr application.
Conclusion
In this guide, we’ve learned how to use AnonymousAuthenticationProvider in JobRunr Pro. With AnonymousAuthenticationProvider, you can set authorization rules without user authentication. This gives you precise control over how any user can access your JobRunr dashboard and REST API.