CODEWITHSUNDEEP
javaspring-bootjwtswagger
artemk
artemk

Reputation: 131

Configure swagger with JWT

I want install SWAGER for my SpringBoot application. Seems that JWT doesn't give access for swagger URL.

I'm trying to reach this by url localhost:8088/swagger-ui.html

Here is SwaggerConfig class

@EnableSwagger2
@Configuration
public class SwaggerConfig {


@Bean
public Docket productApi() {
    return new Docket(DocumentationType.SWAGGER_2)
            .select()
            .apis(RequestHandlerSelectors.basePackage("Path.to.my.controller"))

            .build();

}


}

Also i was trying to add WebAppConfig from link with the next content

@Configuration
@EnableWebMvc
public class WebAppConfig extends WebMvcConfigurerAdapter {

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
    registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
}

}

And tried to set ignore url:

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**");
}

}

This version of code gives autoredirection to "localhost:8088/login" from swagger url. But the next returns just empty page

UPDATED

  web.ignoring().antMatchers("/", "/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html", "/webjars/**");

The urls in gaps are urls i was seen when was debuging issuse. This urls are called by swagger.

UPDATED part End

Main class

 @SpringBootApplication
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
    TimeZone.setDefault(TimeZone.getTimeZone("Etc/UTC"));
    SpringApplication app = new SpringApplication(Application.class);
    app.run();
}

@Bean
@Autowired
public FilterRegistrationBean jwtFilterRegistration(JwtUtil jwtUtil, UserService userService) {
    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    filterRegistrationBean.setFilter(new JwtFilter(jwtUtil, userService));

    filterRegistrationBean.addUrlPatterns("/*");

    // ordering in the filter chain
    filterRegistrationBean.setOrder(1);
    return filterRegistrationBean;
}

// Request Interceptor for checking permission with custom annotation.
@Bean
public MappedInterceptor PermissionHandlerInterceptor() {
    return new MappedInterceptor(null, new PermissionHandlerInterceptor());
}

}

Pom xml contains all needed depencies. When i comment in Main class jwt method i can access swagger. So i made a conclusion that problem in JWT. If some extra info is needed i will add.

UPDATED

At first swagger-url gives White Label Page with an error "Unathorized" After some manipulations with code it gives empty page.

Upvotes: 4

Views: 6729

Answers (1)

Irshaad Moosuddee
Irshaad Moosuddee

Reputation: 240

I recently had to do the same. You need to tell your Spring Security to permit all Swagger resources. Try this:

 @Override
 protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            // we don't need CSRF because our token is invulnerable
            .csrf().disable()


.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()

            // don't create session

.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()          

            .authorizeRequests()

            // allow anonymous resource requests
            .antMatchers(
                    HttpMethod.GET,
                    "/",
                    "/v2/api-docs",           // swagger
                    "/webjars/**",            // swagger-ui webjars
                    "/swagger-resources/**",  // swagger-ui resources
                    "/configuration/**",      // swagger configuration
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            .antMatchers("/auth/**").permitAll()
            .anyRequest().authenticated();

    // Custom JWT based security filter
    httpSecurity
            .addFilterBefore(authenticationTokenFilter, 
UsernamePasswordAuthenticationFilter.class);

    // disable page caching
    httpSecurity.headers().cacheControl();
}

This is my Swagger docket configuration. It also include the Authorization Header in case you want to apply you token to all endpoint.

@Bean
public Docket newsApi() {
    return new Docket(DocumentationType.SWAGGER_2)
            .select()
            .apis(RequestHandlerSelectors.any())
            .paths(PathSelectors.any())
            .build()
            .securitySchemes(Lists.newArrayList(apiKey()))
            .securityContexts(Lists.newArrayList(securityContext()))
            .apiInfo(generateApiInfo());
}

@Bean
SecurityContext securityContext() {
    return SecurityContext.builder()
            .securityReferences(defaultAuth())
            .forPaths(PathSelectors.any())
            .build();
}

List<SecurityReference> defaultAuth() {
    AuthorizationScope authorizationScope
            = new AuthorizationScope("global", "accessEverything");
    AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
    authorizationScopes[0] = authorizationScope;
    return Lists.newArrayList(
            new SecurityReference("JWT", authorizationScopes));
}

private ApiKey apiKey() {
    return new ApiKey("JWT", "Authorization", "header");
}

Upvotes: 6

Related Questions