@@ -139,6 +139,8 @@ public static final class Builder {
139139 private int port = DEFAULT_PORT ;
140140 private int shutdownTimeoutSeconds = 0 ;
141141 private final LinkedHashMap <String , HttpHandler > extras = new LinkedHashMap <>();
142+ private final Map <String , SchemeValidator > securityValidators = new LinkedHashMap <>();
143+ private boolean externalAuth = false ;
142144
143145 private Builder () {}
144146
@@ -182,6 +184,30 @@ public Builder interceptor(RequestInterceptor interceptor) {
182184 return this ;
183185 }
184186
187+ /**
188+ * Registers a {@link SchemeValidator} for the OpenAPI security scheme named {@code schemeName}.
189+ * The library extracts a {@link Credential} per request and hands it to this callback; return a
190+ * non-empty {@link Optional} carrying the principal on success, or {@link Optional#empty()} to
191+ * deny. Library renders 401/403 on denial.
192+ */
193+ public Builder securityValidator (String schemeName , SchemeValidator validator ) {
194+ requireNonNull (schemeName , "schemeName must not be null" );
195+ requireNonNull (validator , "validator must not be null" );
196+ securityValidators .put (schemeName , validator );
197+ return this ;
198+ }
199+
200+ /**
201+ * Opts out of in-process security enforcement. Use when an external sidecar (OPA/Envoy etc.)
202+ * authenticates requests upstream. The library still parses {@code securitySchemes} into the
203+ * {@link Spec}, but {@code SecurityFilter} short-circuits and the boot-time
204+ * validator-registration check is skipped.
205+ */
206+ public Builder useExternalAuthentication () {
207+ this .externalAuth = true ;
208+ return this ;
209+ }
210+
185211 public Builder exceptionHandler (ExceptionHandler exceptionHandler ) {
186212 this .exceptionHandler = exceptionHandler ;
187213 return this ;
0 commit comments