Misleading configuration documentation

[esnible]

Current Behavior

The documentation https://docs.dependencytrack.org/getting-started/configuration/#default-configuration mentions the properties alpine.enforce.authentication and alpine.enforce.authorization.

I believed these properties could be set to false. I did set them to false, and was able to read the user list without a valid API key, e.g. curl localhost:8081/api/v1/team

After getting success reading the team, I attempted to upload SBOMs with autoCreate=true without a valid key, but got The principal does not have permission to create project.. I thought I was doing something wrong. I could do some things, such as uploading a BOM to an existing project, but not others. I also had different success with some REST endpoints running 4.8.2 in Docker vs in Kubernetes.

After reading #2166 (comment) I realized that I was not allowed to disable security this way.

Steps to Reproduce

1. Create Dependency-Track in Kubernetes with

    environment:
      - ALPINE_ENFORCE_AUTHENTICATION="false"
      - ALPINE_ENFORCE_AUTHORIZATION="false"

Expected Behavior

The behavior is fine; the documentation should mention that it is a bad idea to use these properties.

I was using Kubernetes KIND.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.