No longer able to map unauthenticated users to the FHIRUsers security-role

[albertwang-ibm]

We were using a configDropin to map special-subject EVERYONE to the FHIRUsers role (since authentication is being handled by a gateway).
Now, with the latest changes, this isn't working and it results in the health check failing with HTTP 401.

[lmsurpre]

Reproduced locally just by adding a config override like this:

    <!-- webApp security is provided via IAM in IBM Cloud -->
    <webAppSecurity singleSignonEnabled="false" useAuthenticationDataForUnprotectedResource="false"/>
    <webApplication id="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <special-subject type="EVERYONE"/>
            </security-role>
        </application-bnd>
    </webApplication>

and hitting a protected endpoint.

This used to work for providing unauthenticated access to the endpoints, but doesn't seem to work with our latest configs.
I tried adding an id back in to the default server.xml but it didn't seem to make a difference.

But I was NOT able to reproduce locally for the $healthcheck endpoint, so not sure what is going on there.

[lmsurpre]

I created a tiny reproducing case and openened it as an issue for OpenLiberty at OpenLiberty/open-liberty#12050.
We might need to revert the change to the use of @RolesAllowed until that can get addressed (or else come up with an alternative for our cloud deploy).

[lmsurpre]

Our workaround has been to add the Authorization header via our kubernetes ingress. That said, I really thought the Liberty team would have this addressed by now; we might need to do something here...

[prb112]

This feature is going to be in the next release of OpenLIberty

[lmsurpre]

I confirmed that this is working now by adding a configDropin with the following content to a local deploy;

<server>
    <webApplication id="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <special-subject type="EVERYONE"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>

with liberty 22.0.0.3 this is finally behaving as expected; I am able to invoke protected endpoints like $healthcheck without specifying a username/password:

$ curl -k -i 'https://localhost:9443/fhir-server/api/v4/$healthcheck'
HTTP/2 200 
date: Fri, 01 Apr 2022 19:05:37 GMT
content-length: 0
content-language: en-US