Add Spring Security configuration for API Gateway Spring Boot 4 compatibility

[yousfiSaad]

Summary

This PR adds required Spring Security configuration for the API Gateway when
using Spring Boot 4 with spring-boot-starter-security dependency.

Problem

Spring Boot 4 requires explicit security configuration when spring-boot-starter-security
is present. Without it, the default security filters block all requests.

Solution

Add SecurityConfig that permits all requests for the demo application while
disabling default security filters (httpBasic, formLogin, csrf, cors).

Changes

• spring-petclinic-api-gateway/pom.xml: Add spring-boot-starter-security dependency
• spring-petclinic-api-gateway/src/main/java/.../api/config/SecurityConfig.java: NEW

Related Issues

Related to #306

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[arey]

Thank you for your pull request, @yousfiSaad.
I'm OK with updating to Spring Boot 4 Admin. However, I would prefer to wait for a stable release version, rather than a milestone.

The issue (#306) does not seem to affect the Spring Boot UI. I don't understand what problem you are trying to solve.
Do you mean that Spring Boot Admin does not handle Docker deployment? Did you have yourself any issue on your device?

[yousfiSaad]

Hi @arey, thank you for the review!

I believe there may be some confusion between PR #508 (Spring Boot Admin) and this PR #509 (API Gateway Security). These are two separate pull requests addressing different issues:

PR #509 (This PR) - API Gateway Security Configuration

This PR adds required Spring Security configuration for the API Gateway specifically (not Spring Boot Admin).

The problem this solves:
When Spring Boot 4's spring-boot-starter-security dependency is on the classpath (which is required for proper Spring Boot 4 compatibility in the API Gateway), Spring Security auto-configures by default and blocks all HTTP requests with a 401 Unauthorized response. This is a breaking change from Spring Boot 3.

Evidence of the issue:

• Without this SecurityConfig, the API Gateway returns 401 Unauthorized for ALL requests
• This is a documented breaking change in Spring Boot 4: when spring-boot-starter-security is present, you must explicitly configure a SecurityWebFilterChain bean
• The demo application cannot function when the gateway blocks all inter-service communication

The solution:
This PR adds a SecurityConfig that permits all requests (appropriate for this demo app). Without this, the entire microservices demo fails because the gateway blocks everything.

[arey]

Sorry, but I don't see the point of this PR because the app isn't using the spring-boot-starter-security. Am I missing something?

[yousfiSaad]

@arey You're absolutely right - I apologize for the confusion.

After further investigation, I discovered that spring-boot-starter-security is indeed NOT on the classpath of the API Gateway. The 401 Unauthorized responses I was seeing were caused by something else entirely (likely authentication configured in the external Spring Cloud Config repository, not local Spring Security auto-configuration).

My original diagnosis was incorrect. The issue I was trying to solve was:

• The root path / was returning 401 with WWW-Authenticate: Basic
• Static resources (/index.html, /css/*) worked fine
• I incorrectly assumed Spring Boot 4 was auto-configuring Spring Security

This PR should be closed as it addresses a non-existent problem. Thank you for catching this!

For context, I was investigating why the API Gateway requires authentication on certain routes, but that's a separate issue unrelated to Spring Boot 4 security requirements.