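I implemented simple REST services using Spring MVC. I decided to describe them with Springfox and Swagger 2.0. Everything seemed fine until I started adding security schemes and contexts. I use HTTP Basic authentication for some endpoints and token-based authentication for others. No matter what I do, I can't see any option to set HTTP Basic authentication credentials or to specify a token in Swagger UI. My configuration is below. For simplicity, I apply both schemes to all endpoints here.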

    @Configuration
    @EnableSwagger2
    public class SwaggerConfig {

        // newArrayList is assumed to be Guava's Lists.newArrayList, statically imported.
        @Bean
        public Docket apiV1() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .select()
                    .apis(RequestHandlerSelectors.any())
                    .paths(PathSelectors.any())
                    .build()
                    .pathMapping("/api/v1")
                    .securitySchemes(newArrayList(new BasicAuth("xBasic"),
                            new ApiKey("X-Auth-Token", "xAuthToken", "header")))
                    .securityContexts(newArrayList(xBasicSecurityContext(), xAuthTokenSecurityContext()));
        }

        private SecurityContext xBasicSecurityContext() {
            return SecurityContext.builder()
                    .securityReferences(newArrayList(new SecurityReference("xBasic",
                            new AuthorizationScope[0])))
                    .build();
        }

        private SecurityContext xAuthTokenSecurityContext() {
            return SecurityContext.builder()
                    .securityReferences(newArrayList(new SecurityReference("xAuthToken",
                            new AuthorizationScope[0])))
                    .build();
        }
    }

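Answer 0 (score: 2)

I tried this approach: splitting the Docket configuration. This also forced me to split the API into two groups (and packages), but in the end it turned out to be a nice architectural decision.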
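
    import java.util.Collections;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import springfox.documentation.builders.PathSelectors;
    import springfox.documentation.builders.RequestHandlerSelectors;
    import springfox.documentation.service.ApiKey;
    import springfox.documentation.service.AuthorizationScope;
    import springfox.documentation.service.BasicAuth;
    import springfox.documentation.service.SecurityReference;
    import springfox.documentation.spi.DocumentationType;
    import springfox.documentation.spi.service.contexts.SecurityContext;
    import springfox.documentation.spring.web.plugins.Docket;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @EnableSwagger2
    public class SwaggerConfig {

        // Docket for the controllers that use token-based authentication.
        @Bean
        public Docket authTokenSecuredApi() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .groupName("authTokenGroup") // 2 Dockets -> need to differ using groupName
                    .select()
                    .apis(RequestHandlerSelectors.basePackage("cz.bank.controller.package1"))
                    .paths(PathSelectors.any())
                    .build()
                    .securitySchemes(Collections.singletonList(new ApiKey("X-Auth-Token",
                            "xAuthToken",
                            "header")))
                    .securityContexts(Collections.singletonList(xAuthTokenSecurityContext()));
        }

        // Docket for the controllers that use HTTP Basic authentication.
        @Bean
        public Docket basicAuthSecuredApi() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .groupName("basicAuthGroup") // 2 Dockets -> need to differ using groupName
                    .select()
                    .apis(RequestHandlerSelectors.basePackage("cz.bank.controller.package2"))
                    .paths(PathSelectors.any())
                    .build()
                    .securitySchemes(Collections.singletonList(new BasicAuth("xBasic")))
                    .securityContexts(Collections.singletonList(xBasicSecurityContext()));
        }

        private SecurityContext xBasicSecurityContext() {
            return SecurityContext.builder()
                    .securityReferences(Collections.singletonList(
                            new SecurityReference("xBasic",
                                    new AuthorizationScope[0])))
                    .build();
        }

        private SecurityContext xAuthTokenSecurityContext() {
            return SecurityContext.builder()
                    .securityReferences(Collections.singletonList(
                            new SecurityReference("xAuthToken",
                                    new AuthorizationScope[0])))
                    .build();
        }
    }
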
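To be honest, I would rather use the authorizations attribute of the @ApiOperation or @Api Swagger annotations to configure authorization directly in the controllers. But according to this springfox "feature", it doesn't work for the @Api annotation, which leads to copying it onto every @ApiOperation, resulting in untidy, ugly, sinful code :-)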
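
The per-operation alternative mentioned at the end of the answer, as an added example that is not part of the original post. The controller class, its paths and its return values are hypothetical; it assumes a Docket that registers the two schemes from the configuration above, `new BasicAuth("xBasic")` and `new ApiKey("X-Auth-Token", "xAuthToken", "header")`.

```java
import java.util.Arrays;
import java.util.List;

import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.Authorization;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, for illustration only.
@RestController
@RequestMapping("/accounts")
public class AccountController {

    // @Authorization.value must equal the NAME of a registered security scheme,
    // i.e. the first constructor argument of BasicAuth / ApiKey in the Docket.
    // The second ApiKey argument ("xAuthToken") is the HTTP header that carries
    // the token, not the scheme name.
    @ApiOperation(value = "List accounts",
            authorizations = {@Authorization(value = "xBasic")})
    @GetMapping
    public List<String> list() {
        return Arrays.asList("acc-1", "acc-2"); // constructed sample data
    }

    // The attribute has to be repeated on every operation, because (per the
    // answer above) springfox does not pick it up from the class-level @Api.
    @ApiOperation(value = "Get one account",
            authorizations = {@Authorization(value = "X-Auth-Token")})
    @GetMapping("/{id}")
    public String get(@PathVariable("id") String id) {
        return "account " + id; // constructed sample data
    }
}
```

These annotations only affect the generated API description and what Swagger UI offers to send; the endpoints still have to be protected by the application's own security configuration.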