Swagger - /api-docs 的自定义身份验证
Swagger - Custom authentication for /api-docs
我们有一个 Spring 5,非 Spring 引导应用程序,使用 Springfox 2.9.2 + Swagger UI.
我不知道如何保护 /api-docs 端点:我希望它在每次访问时调用我的身份验证函数。我让它适用于 swagger-ui.html,但没有成功用于 /api-docs。这是我得到的。
@Configuration
@EnableSwagger2
@EnableWebMvc
public class SwaggerConfig implements WebMvcConfigurer {
@Autowired
protected AuthService authService;
@Override
public void addViewControllers(ViewControllerRegistry registry) {
// registry.addViewController("/docs/swagger/api-docs"); doesnt work
registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/ui", "/swagger-resources/configuration/ui");
registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/security", "/swagger-resources/configuration/security");
registry.addRedirectViewController("/docs/swagger/swagger-resources", "/swagger-resources");
}
class Interceptor implements HandlerInterceptor{
@Override
public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler ) {
try{
authService.assertAdmin(); // I need to call this
}catch (Exception e){
return false;
}
return true;
}
}
@Override
public void addInterceptors( final InterceptorRegistry registry) {
registry.addInterceptor(new Interceptor());
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
// docs/swagger/index.html
registry.addResourceHandler("/docs/swagger/swagger-ui.html**")
.addResourceLocations("classpath:/META-INF/resources/swagger-ui.html");
// docs/swagger/webjars
registry.addResourceHandler("/docs/swagger/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
}
另一种选择是永久关闭对 /api-docs 的访问,直接调用从某个新端点生成 JSON 的方法。可以吗?
最终我按照@UsamaAmjad 的建议通过spring 安全解决了这个问题。
open class SecurityInitializer : AbstractSecurityWebApplicationInitializer()
@Configuration
@EnableWebSecurity
open class SecurityConfig : WebSecurityConfigurerAdapter() {
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
http.antMatcher("/docs/swagger/v2/api-docs").addFilter(myFilter())
}
open fun myFilter() = object : FilterSecurityInterceptor() {
override fun doFilter(request: ServletRequest?, response: ServletResponse?, chain: FilterChain?) {
if (do your stuff here) {
chain!!.doFilter(request,response) // continue with other filters
} else {
super.doFilter(request, response, chain) // filter this request
}
}
}
}
我们有一个 Spring 5,非 Spring 引导应用程序,使用 Springfox 2.9.2 + Swagger UI.
我不知道如何保护 /api-docs 端点:我希望它在每次访问时调用我的身份验证函数。我让它适用于 swagger-ui.html,但没有成功用于 /api-docs。这是我得到的。
@Configuration
@EnableSwagger2
@EnableWebMvc
public class SwaggerConfig implements WebMvcConfigurer {
@Autowired
protected AuthService authService;
@Override
public void addViewControllers(ViewControllerRegistry registry) {
// registry.addViewController("/docs/swagger/api-docs"); doesnt work
registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/ui", "/swagger-resources/configuration/ui");
registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/security", "/swagger-resources/configuration/security");
registry.addRedirectViewController("/docs/swagger/swagger-resources", "/swagger-resources");
}
class Interceptor implements HandlerInterceptor{
@Override
public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler ) {
try{
authService.assertAdmin(); // I need to call this
}catch (Exception e){
return false;
}
return true;
}
}
@Override
public void addInterceptors( final InterceptorRegistry registry) {
registry.addInterceptor(new Interceptor());
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
// docs/swagger/index.html
registry.addResourceHandler("/docs/swagger/swagger-ui.html**")
.addResourceLocations("classpath:/META-INF/resources/swagger-ui.html");
// docs/swagger/webjars
registry.addResourceHandler("/docs/swagger/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
}
另一种选择是永久关闭对 /api-docs 的访问,直接调用从某个新端点生成 JSON 的方法。可以吗?
最终我按照@UsamaAmjad 的建议通过spring 安全解决了这个问题。
open class SecurityInitializer : AbstractSecurityWebApplicationInitializer()
@Configuration
@EnableWebSecurity
open class SecurityConfig : WebSecurityConfigurerAdapter() {
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
http.antMatcher("/docs/swagger/v2/api-docs").addFilter(myFilter())
}
open fun myFilter() = object : FilterSecurityInterceptor() {
override fun doFilter(request: ServletRequest?, response: ServletResponse?, chain: FilterChain?) {
if (do your stuff here) {
chain!!.doFilter(request,response) // continue with other filters
} else {
super.doFilter(request, response, chain) // filter this request
}
}
}
}