java - swagger core 2.0 禁用端点的安全性
问题描述
我正在使用 Swagger Core 2.0 生成 openAPI 3.0 定义文件,
但我无法为特定端点禁用“安全性”。我定义了我的 securitySchemes 和根安全元素:
{
"openapi" : "3.0.1",
"security" : [ {
"JWT" : [ ]
} ],
"paths" : {
"/auth" : {
"post" : {
"summary" : "authenticate user",
"operationId" : "authenticate",
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/AuthenticationRequest"
}
}
}
},
"responses" : {
"200" : {
"description" : "when user is successfully authenticated",
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/AuthenticateUserOutput"
}
}
}
},
"401" : {
"description" : "when email/password not valid or user is blocked/inactive"
}
}
}
},
},
"components" : {
"schemas" : {
"AuthenticateUserOutput" : {
"type" : "object",
"properties" : {
"token" : {
"type" : "string"
},
"lastLoginAt" : {
"type" : "string",
"format" : "date-time"
},
"lastProjectId" : {
"type" : "string"
}
}
},
...,
"AuthenticationRequest" : {
"required" : [ "email", "password" ],
"type" : "object",
"properties" : {
"email" : {
"type" : "string"
},
"password" : {
"type" : "string"
}
}
}
},
"securitySchemes" : {
"JWT" : {
"type" : "http",
"scheme" : "bearer",
"bearerFormat" : "JWT"
}
}
}
}
根据 OPEN API 3 规范 https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#securityRequirementObject 我应该能够覆盖单个操作的全局“安全要求”。我想为一些操作“禁用” JWT 安全性,并根据 https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject 可以做到:
要删除顶级安全声明,可以使用空数组。
不幸的是,我正在努力使用注释在操作级别上定义“空安全数组”......我试图指定
security = {}
或者
security = @SecurityRequirement(name ="")
但操作中根本没有生成安全元素....有什么想法吗?
下面是我的 java 代码(我用于 swagger dropwizard 集成),它允许定义 SecurityScheme 和根级安全性
Info info = new Info()
.title("someTitle")
.description("some description")
.version("1.0")
SecurityScheme jwtSecurity = new SecurityScheme()
.type(SecurityScheme.Type.HTTP)
.name("Authorization")
.in(SecurityScheme.In.HEADER)
.scheme("bearer")
.bearerFormat("JWT");
String securitySchemaName = "JWT";
OpenAPI oas = new OpenAPI()
.info(info)
.components(new Components().addSecuritySchemes(securitySchemaName, jwtSecurity))
.addSecurityItem(new SecurityRequirement().addList(securitySchemaName));
SwaggerConfiguration oasConfig = new SwaggerConfiguration()
.openAPI(oas)
.prettyPrint(true)
.resourcePackages(Stream.of("my.resources.package")
.collect(Collectors.toSet()));
environment.jersey().register(new OpenApiResource()
.openApiConfiguration(oasConfig));
然后在一些专用端点上,我想禁用安全性,所以我正在尝试:
@POST
@Operation(
summary = "authenticate user",
responses = {
@ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
@ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
}
,security = what to put here ?
)
解决方案
我在 Java SpringBoot webapp 上遇到了同样的问题(依赖 org.springdoc:springdoc-openapi-ui:1.5.2)。根据这个答案,我解决了它在操作上添加了一个空@SecurityRequirements注释。例如:
@POST
@SecurityRequirements
@Operation(
summary = "authenticate user",
responses = {
@ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
@ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
} )
)
推荐阅读
- r - 适用于“日期”类对象的 recode() 替代函数
- django - Django 表单的输入字段仅在提交无效表单后显示
- qml - 如何动态更改从 QML 中的 TreeView 中选择的每个项目的视图
- vba - VBA中的行输入文件不前进
- angular - 角度测试:模拟未按预期运行
- javascript - 用JS按顺序显示/隐藏多张图片
- javascript - 在子域 iframe 中更改窗口位置 href
- javascript - 如何在反应中使用地图来创建多个组件?
- node-red - Node-RED:如何在编辑器中迭代所有节点
- kibana - Kibana 度量可视化 - 控制边距/空白