Restrict access to Swagger UI


Problem description

I have Swagger UI working with spring-boot. I have a stateless authentication setup for my Spring REST API which is restricted based on roles for every API path.

However, I am not sure how I can put <server_url>/swagger-ui.html behind Basic authentication.

Update

I configure this through WebSecurityConfig:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers("/sysadmin/**").hasRole("SYSADMIN")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/siteadmin/**").hasRole("SITEADMIN")
            .antMatchers("/api/**").hasRole("USER")
            .anyRequest().permitAll();

    // Custom JWT based security filter
    httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

}

Recommended answer

One suggestion, without knowing more about your configuration, is from this SO question:

https://stackoverflow.com/a/24920752/1499549

With your updated question details, here is an example of what you can add:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers("/sysadmin/**").hasRole("SYSADMIN")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/siteadmin/**").hasRole("SITEADMIN")
            .antMatchers("/api/**").hasRole("USER")
            // add the specific swagger page to the security
            .antMatchers("/swagger-ui.html").hasRole("USER")
            .anyRequest().permitAll();

    // Custom JWT based security filter
    httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

}

The problem with this is that it only protects the Swagger UI page and not the API specification, which is loaded as a .json file from that UI page.

A better approach is to put the swagger files under a path so that you can just add antMatchers("/swagger/**").hasRole("USER").
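The following is an added example, not code from the question or the answer above, showing what "protect all of it, not just swagger-ui.html" looks like when the Swagger files are left at their default locations. It assumes Springfox 2.x defaults (/swagger-ui.html, /v2/api-docs, /swagger-resources/**, /webjars/**), that the application already exposes a UserDetailsService the Basic-auth chain can authenticate against, and that the question's unauthorizedHandler and JWT filter beans exist under the placeholder types shown. It uses two ordered filter chains: the first claims only the Swagger paths and challenges with HTTP Basic (a browser opening swagger-ui.html cannot attach a JWT bearer header on its own, which is why the question asked for Basic), the second is the question's stateless JWT configuration as posted.

```java
package example.security;

import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Everything Springfox 2.x serves for the UI and the spec. Protecting only
    // "/swagger-ui.html" leaves /v2/api-docs (the JSON the UI fetches) open to
    // anyone, since anyRequest().permitAll() catches it.
    // Assumption: default Springfox locations; adjust if you relocated them.
    static final String[] SWAGGER_PATHS = {
        "/swagger-ui.html",
        "/v2/api-docs",
        "/swagger-resources/**",
        "/webjars/**"
    };

    // Chain 1: applies only to the Swagger paths and challenges with HTTP Basic.
    // Basic auth is resolved against the AuthenticationManager Spring Boot builds
    // from the application's existing UserDetailsService (assumption).
    @Configuration
    @Order(1)
    public static class SwaggerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers(SWAGGER_PATHS).and()
                .authorizeRequests().anyRequest().hasRole("USER").and()
                .httpBasic().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Chain 2: the question's stateless JWT configuration, unchanged. Swagger
    // requests never reach it because chain 1 claims them first, so the
    // trailing permitAll() no longer exposes the spec.
    @Configuration
    @Order(2)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {

        // Assumption: placeholder types for the beans the question's config refers
        // to as unauthorizedHandler and authenticationTokenFilterBean(); substitute
        // the concrete classes from the JWT implementation.
        @Autowired
        private AuthenticationEntryPoint unauthorizedHandler;

        @Autowired
        private Filter authenticationTokenFilter;

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers("/sysadmin/**").hasRole("SYSADMIN")
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/siteadmin/**").hasRole("SITEADMIN")
                .antMatchers("/api/**").hasRole("USER")
                .anyRequest().permitAll();

            // Custom JWT based security filter
            httpSecurity.addFilterBefore(authenticationTokenFilter,
                                         UsernamePasswordAuthenticationFilter.class);
        }
    }
}
```

To check the result rather than trust it, request the spec directly without credentials (for example `curl -i http://<server_url>/v2/api-docs`) and expect a 401 carrying a `WWW-Authenticate: Basic` header; the same request with `-u user:password` for an account holding ROLE_USER should return the JSON. If /v2/api-docs still answers 200 anonymously, the spec is reachable regardless of what the UI page does.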
