
I have swagger UI working with spring-boot. I have a stateless authentication setup for my spring rest api which is restricted based on roles for every api path.

However, I am not sure how can i put <server_url>/swagger-ui.html behind Basic authentication.

UPDATE

I have following websecurity configured via WebSecurityConfig

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers("/sysadmin/**").hasRole("SYSADMIN")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/siteadmin/**").hasRole("SITEADMIN")
            .antMatchers("/api/**").hasRole("USER")
            .anyRequest().permitAll();

    // Custom JWT based security filter
    httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

}
Em Ae
  • Normally it is worthwhile including how you currently have your security defined so that people can offer solutions that work for your setup. There are a number of ways to do it but knowing more about your implementation would help. – Shawn Clark Aug 24 '16 at 05:31
  • updated my question – Em Ae Aug 24 '16 at 15:25

2 Answers


One suggestion without knowing more about your configuration is from this SO question.

https://stackoverflow.com/a/24920752/1499549

With your updated question details here is an example of what you can add:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers("/sysadmin/**").hasRole("SYSADMIN")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/siteadmin/**").hasRole("SITEADMIN")
            .antMatchers("/api/**").hasRole("USER")
            // add the specific swagger page to the security
            .antMatchers("/swagger-ui.html").hasRole("USER")
            .anyRequest().permitAll();

    // Custom JWT based security filter
    httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

}

The problem with this is it only protects the Swagger UI page and not the API specification which is loaded as a .json file from that UI page.

A better approach is to put the swagger files under a path so that you can just add antMatchers("/swagger/**").hasRole("USER").

Shawn Clark
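Putting the advice above together for the asker's setup, as an added example that is not from either answer: a second, higher-priority WebSecurityConfigurerAdapter that puts the Swagger UI and the JSON spec it loads behind HTTP Basic, while the existing stateless JWT adapter from the question (given @Order(2)) keeps serving the API. The springfox default paths, the docs.basic.* property names and the DOCS role are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@Order(1) // evaluated before the JWT adapter, which should carry @Order(2)
public class SwaggerBasicAuthConfig extends WebSecurityConfigurerAdapter {

    // Credentials come from configuration (assumed property names), never from source.
    @Value("${docs.basic.user}")
    private String docsUser;
    @Value("${docs.basic.password}")
    private String docsPassword;
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain only handles the documentation URLs (springfox defaults assumed).
            // /v2/api-docs is the JSON the UI fetches, so it must be covered as well.
            .requestMatchers()
                .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/v2/api-docs", "/webjars/**")
                .and()
            .authorizeRequests()
                .anyRequest().hasRole("DOCS")
                .and()
            .httpBasic().realmName("api-docs")
                .and()
            // Basic credentials travel with every request, so no session is needed.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Local in-memory user for this chain only; the API chain keeps its JWT users.
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser(docsUser)
            .password(encoder.encode(docsPassword))
            .roles("DOCS");
    }
}
```

Requests that do not match the listed documentation paths fall through to the JWT adapter unchanged, so the role rules from the question still apply to /api/** and the admin paths.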

A bit late to answer. I carried out a small POC to execute the same. I am using Keycloak and Spring Security. Below is my configuration

http
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/swagger-resources/**","/swagger-ui.html**","/swagger-ui/").hasRole("admin")
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .accessDeniedHandler(new AccessDeniedHandlerImpl())
                .defaultAuthenticationEntryPointFor(authenticationEntryPoint(), new CustomRequestMatcher(AUTH_LIST))
                .and()
                .httpBasic()
                .authenticationEntryPoint(restAuthenticationEntryPoint)
                .and()
                .csrf().disable()
                .logout()
                    .logoutUrl("/logout")
                    .invalidateHttpSession(true)
                    .clearAuthentication(true)
                    .addLogoutHandler(keycloakLogoutHandler());

I have a working example here