在 Swagger 中保护 API 的可见性,并将 OAuth2 令牌保存在浏览器会话存储/本地存储中

时间:2017-12-20 18:01:22

标签: spring authentication spring-boot oauth-2.0 swagger-2.0

我使用以下配置创建了Spring Boot Swagger API。我创建了OAUth2并集成在Swagger配置中。一切正常,我能够看到右上方的授权按钮。所有Apis都使用Oauth2保护,用户只有在成功验证后才能获取API的详细信息。


现在我面临的两个问题是

  1. 通过 OAuth2(授权按钮)成功验证后,我能够调用所有服务并得到所有响应;但是当我重新加载页面时,验证成功后获得的访问令牌就丢失了。有没有办法把访问令牌保存在浏览器的会话存储/本地存储中?

  2. 现在即使没有身份验证,所有用户打开 Swagger 地址时也能看到我项目中的全部 API。有什么办法可以隐藏这些 REST API,只在认证成功后才显示?下面给出一个例子

  认证前


    身份验证后

    我的Spring Boot Swagger配置如下所示

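    @Configuration
    @EnableSwagger2
    public class SwaggerConfig {

     /** Name of the OAuth2 scheme; the security context must reference exactly this name. */
     private static final String OAUTH_SCHEME_NAME = "report_auth";

     /**
      * Builds the Swagger 2 {@link Docket} for the reports API: scans {@code com.otrms.reports},
      * attaches the OAuth2 scheme and its security context, and declares the shared
      * 500/401/406 responses for GET and POST operations.
      *
      * @return the configured documentation group {@code otrms-reports-api}
      */
     @Bean
     public Docket userApi() {
      List<ResponseMessage> globalResponses = newArrayList(
       resultResponse(500, "500 message"),
       resultResponse(401, "Unauthorized"),
       resultResponse(406, "Not Acceptable"));

      return new Docket(DocumentationType.SWAGGER_2)
       .groupName("otrms-reports-api")
       .apiInfo(apiInfo())
       .select()
       .apis(RequestHandlerSelectors.basePackage("com.otrms.reports"))
       .paths(PathSelectors.any())
       .build()
       .securitySchemes(newArrayList(oauth()))
       .securityContexts(newArrayList(securityContext()))
       .globalResponseMessage(RequestMethod.GET, globalResponses)
       .globalResponseMessage(RequestMethod.POST, globalResponses);
     }

     /**
      * One global response entry whose payload is the shared {@code Result} model.
      *
      * @param code HTTP status code the entry documents
      * @param message description shown next to the status code
      * @return the built response message
      */
     private static ResponseMessage resultResponse(int code, String message) {
      return new ResponseMessageBuilder()
       .code(code)
       .message(message)
       .responseModel(new ModelRef("Result"))
       .build();
     }

     /** Static metadata (title, contact, license, version) shown on the Swagger UI header. */
     private ApiInfo apiInfo() {
      return new ApiInfoBuilder()
       .title("OTRMS")
       .description("OTRMS API for Reports")
       .termsOfServiceUrl("http://otrms.com")
       .contact(contact())
       .license("Apache License Version 2.0")
       .licenseUrl("http://otrms.com/service/LICENSE")
       .version("1.0")
       .build();
     }

     /** Contact block for {@link #apiInfo()}. */
     private Contact contact() {
      return new Contact("OTRMS", "http://otrms.com", "admin@otrms.com");
     }

     /**
      * Applies the OAuth2 scheme to the selected paths.
      *
      * <p>The referenced scopes are taken from {@link #scopes()} so the context can never
      * request a scope the scheme does not declare (the previous version referenced
      * {@code read:report}, which {@link #oauth()} never defined, so the UI asked the
      * authorization server for an unknown scope).
      *
      * @return the security context attached to the Docket
      */
     @Bean
     SecurityContext securityContext() {
      List<AuthorizationScope> declared = scopes();
      SecurityReference reference = SecurityReference.builder()
       .reference(OAUTH_SCHEME_NAME)
       .scopes(declared.toArray(new AuthorizationScope[declared.size()]))
       .build();

      return SecurityContext.builder()
       .securityReferences(newArrayList(reference))
       // NOTE(review): "/api/pet.*" is the springfox petstore sample pattern; the Docket scans
       // com.otrms.reports, so confirm this pattern actually covers the report endpoints.
       // Paths it does not match are documented without any security requirement.
       .forPaths(ant("/api/pet.*"))
       .build();
     }

     /**
      * OAuth2 security scheme (implicit grant) named {@value #OAUTH_SCHEME_NAME}.
      *
      * @return the scheme registered on the Docket
      */
     @Bean
     SecurityScheme oauth() {
      return new OAuthBuilder()
       .name(OAUTH_SCHEME_NAME)
       .grantTypes(grantTypes())
       .scopes(scopes())
       .build();
     }

     /**
      * Header API-key scheme. It is exposed as a bean but not wired into {@link #userApi()},
      * so the documented API is protected by the OAuth2 scheme only.
      *
      * @return an API-key scheme bound to the {@code header} vehicle
      */
     @Bean
     SecurityScheme apiKey() {
      return new ApiKey("header");
     }

     /**
      * The single scope this API offers; shared by the scheme and the security context.
      *
      * @return a mutable list holding the {@code resource-access} scope
      */
     List<AuthorizationScope> scopes() {
      return newArrayList(new AuthorizationScope("resource-access", "Get Resource Access"));
     }

     /**
      * Implicit grant against the OTRMS authorization endpoint.
      *
      * @return a mutable list holding the single grant type
      */
     List<GrantType> grantTypes() {
      GrantType implicitGrant = new ImplicitGrantBuilder()
       .loginEndpoint(new LoginEndpoint("http://otrms.com/auth/oauth/authorize"))
       .build();
      return newArrayList(implicitGrant);
     }

     /**
      * Client-side settings handed to Swagger UI for the authorize dialog.
      *
      * <p>springfox serves this bean to the browser (the UI fetches it before starting the
      * OAuth2 flow), so every value here is visible to anyone who can open the UI and must
      * not be a secret: the implicit grant uses only a public client id, and the
      * {@code apiKey} value is sent as a header by the UI itself.
      *
      * @return the Swagger UI security configuration
      */
     @Bean
     public SecurityConfiguration securityInfo() {
      return new SecurityConfiguration("swaggerClient", "", "reports", "reportstore", "123", ApiKeyVehicle.HEADER, "", " ");
     }
    }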
    
