Open jmilkiewicz opened 6 years ago
at the moment you can achieve what you need using filter, as in the example below; possibly related annotation processing will be enhanced to allow for annotation only handling of such a case, but no ETA atm
class SecurityFilter extends AbstractSpecFilter {
@Override
public Optional<Operation> filterOperation(Operation operation, ApiDescription api, Map<String, List<String>> params, Map<String, String> cookies, Map<String, List<String>> headers) {
if ("security".equals(operation.getOperationId())) { // or whatever operationId..
operation.setSecurity(new ArrayList<>());
return Optional.of(operation);
}
return super.filterOperation(operation, api, params, cookies, headers);
}
}
in your case (usage of provided OpenApiResource
) you can specify filter providing fully qualified name in config object:
SwaggerConfiguration oasConfig = new SwaggerConfiguration()
.openAPI(oas)
.prettyPrint(true)
.filterClass("fully.qualified.SecurityFilter")
.resourcePackages(Stream.of("my.resources.package")
.collect(Collectors.toSet()));
Interestingly, it works on the SwaggerHub: security-override-test
bump
I found that simply adding io.swagger.v3.oas.annotations.security.SecurityRequirements
as an annotation will do what you want.
@RestController
class Controller {
@SecurityRequirements // This is it
@GetMapping("/api/v1/endpoint")
public String endpoint() {
return "no security required!";
}
}
At least for me this disabled all security requirements for the method.
Doesn't work for me with Swagger 2.1.13
To make @sbarfurth solution to work on latest Swagger, 2.1.13, you should also hack inside reader class. You also may place custom processing there, for example my security classes are annotated with @Secured
annotation, and I just remove global security info for classes without this annotation.
readerClass: my.SwaggerReader
prettyPrint: true
openAPI:
info:
title: MY REST API
or
swaggerConfiguration.readerClass("my.SwaggerReader");
then
public class SwaggerReader extends Reader {
@Override
protected Operation parseMethod(Class<?> cls,
Method method,
List<Parameter> globalParameters,
Produces methodProduces,
Produces classProduces,
Consumes methodConsumes,
Consumes classConsumes,
List<SecurityRequirement> classSecurityRequirements,
Optional<ExternalDocumentation> classExternalDocs,
Set<String> classTags,
List<Server> classServers,
boolean isSubresource,
RequestBody parentRequestBody,
ApiResponses parentResponses,
JsonView jsonViewAnnotation,
ApiResponse[] classResponses,
AnnotatedMethod annotatedMethod
) {
Operation parsedOperation = super.parseMethod(cls,
method,
globalParameters,
methodProduces,
classProduces,
methodConsumes,
classConsumes,
classSecurityRequirements,
classExternalDocs,
classTags,
classServers,
isSubresource,
parentRequestBody,
parentResponses,
jsonViewAnnotation,
classResponses,
annotatedMethod
);
SecurityRequirements security[] = method.getAnnotationsByType(SecurityRequirements.class);
if((security != null) && (security.length == 1) &&
((security[0].value() == null) || (security[0].value().length == 0))) {
parsedOperation.setSecurity(new ArrayList<>(0));
}
return parsedOperation;
}
}
and now this should work
@RestController
class Controller {
@SecurityRequirements // This is it
@GetMapping("/api/v1/endpoint")
public String endpoint() {
return "no security required!";
}
}
I am using swagger.core.v3 in version 2.0.2 to generate openAPI 3.0 definition files and I am having trouble to disable "security" for a particular endpoint. I have global securitySchemes and root security element defined:
And definition file is nicely generated:
According to OPEN API 3 spec https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#securityRequirementObject i shall be able to override global "security requirement" for an individual operation. I would like to "disable" JWT security for a few operations and according to https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject it can be done by
I simply wanna specify "NO Security" for a particular opetration:
I tried
security = {}
orsecurity = @SecurityRequirement(name ="")
but in both cases no security element within operation is generated at all....