56

I have swagger plugged in to my spring boot application. Spring boot allows you to have property files for each environment that you have. Is there a way to disable swagger for a production environment?

luboskrnac
  • 23,973
  • 10
  • 81
  • 92
user301693
  • 2,377
  • 7
  • 22
  • 24

9 Answers9

32

Put your swagger configuration into separate configuration class and annotate it with @Profile annotation -> so that it will be scanned into Spring context only in certain profiles.

Example:

@Configuration
@EnableSwagger2
@Profile("dev")
public class SwaggerConfig {
    // your swagger configuration
}

You can than define profile your Spring Boot app is operating in via command line: --spring.profiles.active=dev or via config file: spring.profiles.active=dev.

Read this section of Spring Boot docs for more info about @Profile

luboskrnac
  • 23,973
  • 10
  • 81
  • 92
  • 13
    we've done this and it appears that the extension -> swagger-ui.html still appears even though the guts of the api's aren't showing. Is there a way to make it so the swagger-ui.html doesn't even get produced? – user301693 Jun 13 '16 at 19:24
  • 2
    @user301693 If you're using Maven you can load the swagger dependencies within a specific Maven profile, that should do the trick I guess. – g00glen00b Jun 13 '16 at 21:11
  • 3
    @g00glen00b, and have different artifacts for PROD than for other environments? I guess QA and OPS guys wouldn't be very happy with that. – luboskrnac Jun 14 '16 at 06:10
  • /swagger-ui.html still available but there is no methods. Is there way to forbid URL ? – gstackoverflow Sep 28 '17 at 09:04
  • do not work, the HTML page is display (not with REST API but display anyway) – Stéphane GRILLON Oct 12 '17 at 15:21
  • Correct, this approach turns off only back-end. Please refer to SO question provided by @gstackoverflow – luboskrnac Oct 13 '17 at 09:08
  • 5
    I know it's an old question, but we use @Profile("!prod") to avoid specifying tons of other profiles explicitly. Hope it helps somebody. – Oleg May 10 '19 at 10:11
  • not working with swagger 3 – Daniel Hári Oct 26 '21 at 10:16
28

If you are working on multiple environments then you can also use @Profile as array

@Configuration
@EnableSwagger2
@Profile({"dev","qa"})
public class SwaggerConfig {
   // your swagger configuration
}
Pervez
  • 525
  • 6
  • 16
10

with swagger 3.0.0 version you can add springfox.documentation.enabled=false in corresponding environment profile application.properties file. For example, I have added this to application-prod.properties to disable in production (while running the app you must specify the profile using VM args like -Dspring.profiles.active=prod)

Vamsi Krishna DS
  • 615
  • 6
  • 17
5

This is my configuration class:

@Configuration
@Profile("swagger")
@EnableSwagger2
public class SwaggerConfig {

    @Value("${info.build.version}")
    private String buildVersion;

    @Bean
    public Docket documentation() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.any())
                .paths(regex("/rest/.*"))
                .build()
                .pathMapping("/")
                .apiInfo(metadata());
    }

    private ApiInfo metadata() {
        return new ApiInfoBuilder()
                .title("API documentation of our App")
                .description("Use this documentation as a reference how to interact with app's API")
                .version(buildVersion)
                .contact(new Contact("Dev-Team", "https://dev-website", "dev@mailbox"))
                .build();
    }
}

Wherever I need Swagger, I add the profile swagger to the environment variable SPRING_PROFILES_ACTIVE

user3105453
  • 1,881
  • 5
  • 32
  • 55
  • 2
    This essentially duplicates [the other, much older answer](https://stackoverflow.com/a/37796782/1240557) (i.e. "use profile") – kryger Sep 26 '17 at 14:41
  • 2
    /swagger-ui.html still available but there is no methods. Is there way to forbid URL ? – gstackoverflow Sep 28 '17 at 09:04
  • 1
    I think this is more neater way of enabling swagger on demand, instead of disabling for some profiles. – vijay Jan 03 '19 at 19:29
2

An old question, but if you are using SpringDoc v1.2.12+:

springdoc.swagger-ui.enabled=false
springdoc.api-docs.enabled=false

From: https://github.com/springdoc/springdoc-openapi/issues/191#issuecomment-558809236

spekdrum
  • 1,559
  • 2
  • 11
  • 15
1

In addition to the answers configuring Spring using a profile, consider having rules on your reverse HTTP proxy to block access to the Swagger end points from outside the LAN. That would give you some defence in depth against attacks on the Swagger end points.

Raedwald
  • 46,613
  • 43
  • 151
  • 237
0

For those that use code gen (which generates Swagger2SpringBoot):

  1. Write your own Swagger2SpringBoot (with the @Profile bit) and locate it in the same package path as the autogenerated one.
  2. Edit swagger-codegen-maven-plugin to place generated into src/main/java (which will overwrite your own one in point 1.
  3. Edit .swagger-codegen-ignore to not overwrite your Swagger2SpringBoot
  4. Note other stuff will also be overwritten eg. pom.xml and application.properties. Just add them to .swagger-codegen-ignore too.

Done.

Jacques Koorts
  • 1,819
  • 1
  • 17
  • 10
0

  1. have configuration for env

    @Configuration

    @EnableSwagger2

    @Profile("devone")

  2. application.yaml

    profiles: 

active:

 ${MY_ENV:devone}

MY_ENV you will read from file, like .env

.env file content: MY_ENV=prod

In the production keep other .env file only for production credentials.

Armen Arzumanyan
  • 1,939
  • 3
  • 30
  • 56
-1

spring.profiles.active=production with @Profile("!production") worked for me to turn off swagger in prod.

Ex :-

@Profile("!production")
@Component
@EnableSwagger2
public class SwaggerConfig {
       //TODO
}
Sidhajyoti
  • 59
  • 4