
I'm using swagger version 2.2.2. If I go to the address http://localhost:8080/swagger-ui.html, I directly get the swagger UI. Is there any way a security layer can be added, so that the user is prompted to enter a user id and password before the swagger UI is displayed?

Virat
  • You could use Spring basic security, but this will only ask for credentials after sending an HTTP call, so your Swagger will still be visible for everyone. You could map the swagger URI as well, but this'll give you a hard time because swagger needs some other files to render as well. A second option is to install Apache, which will trigger the moment someone is trying to access your Swagger [Apache Auth on specific URL](https://stackoverflow.com/questions/14603568/password-protect-a-specific-url). I've never done option 2 myself, therefore I'm not posting this as an Answer – Glenn Van Schil Apr 14 '17 at 08:10
  • You want to secure the URL for a production environment, am I right? You could set up basic HTTP authentication if you work with nginx. https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-centos-7 – Seamas Apr 14 '17 at 08:35
  • Have you looked at how jhipster is doing it? It should give you an idea. – Dilip Krishnan Apr 15 '17 at 01:02

1 Answer

It is possible; I did it with this security configuration (assuming you are using Spring):

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // CSRF is switched off so "Try it out" POST/PUT calls from the UI are not rejected
        http.csrf().disable();
        // Single in-memory user; the delegating encoder stores the password as {bcrypt}... by default
        final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        manager.createUser(User.withUsername("user").password(encoder.encode("password")).roles("ACTUATOR", "ADMIN").build());
        // Only the UI page and the API description require the role; paths not listed here are untouched.
        // The browser shows its HTTP Basic login prompt on the first unauthenticated request.
        http.authorizeRequests().antMatchers("/swagger-ui**", "/v2/api-docs/**").hasRole("ACTUATOR").and().httpBasic()
                .and().userDetailsService(manager);
    }

}

Paul Wellner Bou
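As an added example (not the answer's own code), the same HTTP Basic protection extended to the companion paths that springfox 2.x loads when rendering the page (the "other files" the first comment mentions), with the credentials read from configuration instead of a source literal; it assumes springfox 2.x (implied by the answer's /v2/api-docs path), and the property names swagger.auth.user / swagger.auth.password and the role name SWAGGER are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SwaggerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Everything springfox 2.x serves for the UI: the HTML page, the JSON API description
    // the page fetches, the resource listing, and the bundled JS/CSS webjars.
    private static final String[] SWAGGER_PATHS = {
            "/swagger-ui.html", "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**"
    };

    // Assumed property names: set them in application.properties or the environment,
    // so no password literal lands in source control.
    @Value("${swagger.auth.user}")
    private String swaggerUser;

    @Value("${swagger.auth.password}")
    private String swaggerPassword;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Delegating encoder hashes with bcrypt and prefixes the stored value with {bcrypt}
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        auth.inMemoryAuthentication()
                .withUser(swaggerUser)
                .password(encoder.encode(swaggerPassword))
                .roles("SWAGGER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain applies only to the Swagger paths; the rest of the
            // application keeps whatever security it has today.
            .requestMatchers().antMatchers(SWAGGER_PATHS).and()
            .authorizeRequests().anyRequest().hasRole("SWAGGER").and()
            // Browser shows its credential prompt; no login page needed
            .httpBasic();
        // CSRF stays enabled here: the UI fetches these paths with GET only.
    }
}
```

After starting the app, an unauthenticated GET of /swagger-ui.html or /v2/api-docs should return 401 with a WWW-Authenticate: Basic header, and the same request with the configured credentials should return 200; HTTP Basic sends the password base64-encoded on every request, so serve it over HTTPS.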