Support for @PreAuthorize spring-security annotation

Hello,

I’m using Springfox 2.6.1 in JHipster apps and this is a feature request.

It would be nice if Springfox could support spring-security annotations, especially @PreAuthorize. It could be:

  • Exposing in the swagger UI the requirements to access a resource or its methods
  • Exposing in the swagger spec only the resources and methods allowed for the current user

Thanks

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 31
  • Comments: 15 (2 by maintainers)

Top GitHub Comments

16 reactions
chriswhite199 commented, Oct 10, 2019

Adapting the antMatcher link posted by @wojciech-soltys, the following works for my purposes (but by NO MEANS is exhaustive for all spring security annotations)

```java
import java.util.Optional;

import org.springframework.core.annotation.Order;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;

import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.OperationBuilderPlugin;
import springfox.documentation.spi.service.contexts.OperationContext;
import springfox.documentation.swagger.common.SwaggerPluginSupport;

/**
 * Parse out Spring Security {@link PreAuthorize} annotations and add in operation notes section to convey constraints
 */
@Component
@Order(SwaggerPluginSupport.SWAGGER_PLUGIN_ORDER)
public class OperationNotesResourcesReader implements OperationBuilderPlugin {
    @Override
    public void apply(final OperationContext context) {
        // Look for @PreAuthorize on method, otherwise look on controller.
        // Springfox 2.x returns a Guava Optional here; orNull() unwraps it so
        // java.util.Optional can take over for ifPresent().
        Optional.ofNullable(context.findAnnotation(PreAuthorize.class)
            .or(context.findControllerAnnotation(PreAuthorize.class))
            .orNull())
            .ifPresent(preAuth -> context.operationBuilder()
                .notes("**Security @PreAuthorize expression:** `" + preAuth.value() + "`"));
    }

    @Override
    public boolean supports(final DocumentationType delimiter) {
        // Only run for the Swagger documentation types
        return SwaggerPluginSupport.pluginDoesApply(delimiter);
    }
}
```

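
As an added example (not code from the issue or from Springfox itself), the same plugin idea widened to the other method-security annotations the comment above says it does not cover: @PostAuthorize, @Secured and JSR-250 @RolesAllowed. It assumes Springfox 2.x, where findAnnotation returns a Guava Optional, and the class name MethodSecurityNotesReader is made up.

```java
import com.google.common.base.Optional;
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;
import javax.annotation.security.RolesAllowed;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.OperationBuilderPlugin;
import springfox.documentation.spi.service.contexts.OperationContext;
import springfox.documentation.swagger.common.SwaggerPluginSupport;

/** Assumed class name; documents method-security constraints in each operation's notes. */
@Component
@Order(SwaggerPluginSupport.SWAGGER_PLUGIN_ORDER)
public class MethodSecurityNotesReader implements OperationBuilderPlugin {

    @Override
    public void apply(final OperationContext context) {
        List<String> constraints = new ArrayList<>();
        describe(context, PreAuthorize.class, a -> "`@PreAuthorize(\"" + a.value() + "\")`", constraints);
        describe(context, PostAuthorize.class, a -> "`@PostAuthorize(\"" + a.value() + "\")`", constraints);
        describe(context, Secured.class, a -> "`@Secured" + Arrays.toString(a.value()) + "`", constraints);
        describe(context, RolesAllowed.class, a -> "`@RolesAllowed" + Arrays.toString(a.value()) + "`", constraints);
        if (!constraints.isEmpty()) {
            // Rendered as a Markdown list in the Swagger UI "Implementation Notes" section
            context.operationBuilder().notes("**Security constraints:**\n\n- " + String.join("\n- ", constraints));
        }
    }

    /** Method-level annotation wins over the controller-level one, as in Spring Security. */
    private static <A extends Annotation> void describe(OperationContext context, Class<A> type,
                                                       Function<A, String> render, List<String> out) {
        Optional<A> found = context.findAnnotation(type).or(context.findControllerAnnotation(type));
        if (found.isPresent()) {
            out.add(render.apply(found.get()));
        }
    }

    @Override
    public boolean supports(final DocumentationType delimiter) {
        return SwaggerPluginSupport.pluginDoesApply(delimiter);
    }
}
```

This only mirrors what the annotations declare; the generated spec still lists every operation regardless of who requests it, which is the second half of the original request.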

14 reactions
gmarziou commented, Feb 7, 2017

Yes that’s correct, it seems to me that currently the securityContexts and securitySchemes mainly deal with authentication and I would like to be able to document also authorizations.

The other point is that the swagger spec generated dynamically does not take into account the authorizations of the current user and so is exposing the complete API even though the current user is not authorized to use it. To me that’s a reason why some people are reluctant to enable swagger in production.

So maybe this should be split in 2 requests.
