Configuring security schemas and contexts in Springfox and Spring MVC

This article describes how to configure security schemas and contexts in Springfox and Spring MVC.

Problem description

I have simple REST services implemented with Spring MVC. I decided to describe them with Springfox and Swagger 2.0. Everything seemed to be OK until I started adding security schemas and contexts. I use HTTP Basic authentication for certain endpoints and token-based authentication for others. Whatever I do, I cannot see any option to set HTTP Basic authentication credentials or to specify a token in Swagger UI. Below is my configuration. For simplicity's sake I apply both schemas to all endpoints here.

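import static com.google.common.collect.Lists.newArrayList;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.BasicAuth;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2
public class SwaggerConfig {

    @Bean
    public Docket apiV1() {
      return new Docket(DocumentationType.SWAGGER_2)
        .select()
        .apis(RequestHandlerSelectors.any())
        .paths(PathSelectors.any())
        .build()
      .pathMapping("/api/v1")
      // Both schemes are declared and applied to every endpoint
      .securitySchemes(newArrayList(new BasicAuth("xBasic"),
                                    new ApiKey("X-Auth-Token", "xAuthToken", "header")))
      .securityContexts(newArrayList(xBasicSecurityContext(), xAuthTokenSecurityContext()));
    }

    private SecurityContext xBasicSecurityContext() {
      return SecurityContext.builder()
        .securityReferences(newArrayList(new SecurityReference("xBasic",
                                                               new AuthorizationScope[0])))
        .build();
    }

    private SecurityContext xAuthTokenSecurityContext() {
      return SecurityContext.builder()
        .securityReferences(newArrayList(new SecurityReference("xAuthToken",
                                                               new AuthorizationScope[0])))
        .build();
    }
}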

Recommended answer

I have tried this approach: to split Docket config. It forced me also to split API into two groups (and packages), but in the end it was a good architectural decision.

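import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.BasicAuth;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration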
@EnableSwagger2
public class SwaggerConfig {

    @Bean
    public Docket authTokenSecuredApi() {
      return new Docket(DocumentationType.SWAGGER_2)
        .groupName("authTokenGroup") // 2 Dockets -> need to differ using groupName
        .select()
        .apis(RequestHandlerSelectors.basePackage("cz.bank.controller.package1"))
        .paths(PathSelectors.any())
        .build()
        .securitySchemes(Collections.singletonList(new ApiKey("X-Auth-Token",
                                                              "xAuthToken",
                                                              "header")))
        .securityContexts(Collections.singletonList(xAuthTokenSecurityContext()));
    }

    @Bean
    public Docket basicAuthSecuredApi() {
      return new Docket(DocumentationType.SWAGGER_2)
        .groupName("basicAuthGroup") // 2 Dockets -> need to differ using groupName
        .select()
        .apis(RequestHandlerSelectors.basePackage("cz.bank.controller.package2"))
        .paths(PathSelectors.any())
        .build()
        .securitySchemes(Collections.singletonList(new BasicAuth("xBasic")))
        .securityContexts(Collections.singletonList(xBasicSecurityContext()));
    }

    private SecurityContext xBasicSecurityContext() {
      return SecurityContext.builder()
        .securityReferences(Collections.singletonList(
                              new SecurityReference("xBasic",
                                                    new AuthorizationScope[0])))
        .build();
    }

    private SecurityContext xAuthTokenSecurityContext() {
      return SecurityContext.builder()
        .securityReferences(Collections.singletonList(
                              new SecurityReference("xAuthToken",
                                                    new AuthorizationScope[0])))
        .build();
    }
}

To tell the truth, I would prefer to configure authorization directly in controllers, using authorizations attribute of @ApiOperation or @Api Swagger annotations. But according to this springfox "feature", it does not work on @Api annotation, which causes to copy it to every @ApiOperation that leads to untidy nasty ugly sinful code :-)
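
The question asks for HTTP Basic on some endpoints and a token on others. As an added example (not from the original post or the Springfox project), a single Docket can scope each SecurityContext to a path pattern with forPaths instead of being split into two Dockets. It assumes Springfox 2.x; the class name, the two path prefixes and the context helper are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.BasicAuth;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2
public class PathScopedSwaggerConfig {
    // Hypothetical path prefixes (assumption); replace with the real ones.
    private static final String TOKEN_PATHS = "/accounts/.*";
    private static final String BASIC_PATHS = "/admin/.*";

    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
            .select()
            .apis(RequestHandlerSelectors.any())
            .paths(PathSelectors.any())
            .build()
            // ApiKey(name, keyname, passAs): name is the scheme id that a
            // SecurityReference points at, keyname is the header actually sent.
            .securitySchemes(Arrays.asList(
                new BasicAuth("xBasic"),
                new ApiKey("xAuthToken", "X-Auth-Token", "header")))
            .securityContexts(Arrays.asList(
                context("xBasic", BASIC_PATHS),
                context("xAuthToken", TOKEN_PATHS)));
    }

    // Attaches one scheme only to operations whose path matches the regex.
    private SecurityContext context(String schemeName, String pathRegex) {
        return SecurityContext.builder()
            .securityReferences(Collections.singletonList(
                new SecurityReference(schemeName, new AuthorizationScope[0])))
            .forPaths(PathSelectors.regex(pathRegex))
            .build();
    }
}
```

This only affects the generated API description and what Swagger UI sends with a request; the server-side authentication checks on those endpoints are configured separately.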
