disable global security for particular operation
See original GitHub issueI am using swagger.core.v3 in version 2.0.2 to generate openAPI 3.0 definition files and I am having trouble to disable “security” for a particular endpoint. I have global securitySchemes and root security element defined:
Info info = new Info()
.title("someTitle")
.description("some description")
.version("1.0")
SecurityScheme jwtSecurity = new SecurityScheme()
.type(SecurityScheme.Type.HTTP)
.name("Authorization")
.in(SecurityScheme.In.HEADER)
.scheme("bearer")
.bearerFormat("JWT");
String securitySchemaName = "JWT";
OpenAPI oas = new OpenAPI()
.info(info)
.components(new Components().addSecuritySchemes(securitySchemaName, jwtSecurity))
.addSecurityItem(new SecurityRequirement().addList(securitySchemaName));
SwaggerConfiguration oasConfig = new SwaggerConfiguration()
.openAPI(oas)
.prettyPrint(true)
.resourcePackages(Stream.of("my.resources.package")
.collect(Collectors.toSet()));
environment.jersey().register(new OpenApiResource()
.openApiConfiguration(oasConfig));
And definition file is nicely generated:
{
"openapi" : "3.0.1",
"security" : [ {
"JWT" : [ ]
} ],
"paths" : {
...
},
"components" : {
"schemas" : {
...
},
"securitySchemes" : {
"JWT" : {
"type" : "http",
"scheme" : "bearer",
"bearerFormat" : "JWT"
}
}
}
}
According to OPEN API 3 spec https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#securityRequirementObject i shall be able to override global “security requirement” for an individual operation. I would like to “disable” JWT security for a few operations and according to https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject it can be done by
To remove a top-level security declaration, an empty array can be used.
I simply wanna specify “NO Security” for a particular opetration:
@POST
@Operation(
summary = "authenticate user",
responses = {
@ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
@ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
}
,security = what to put here ?
)
I tried
security = {}
or
security = @SecurityRequirement(name ="")
but in both cases no security element within operation is generated at all…
Issue Analytics
- State:
- Created 5 years ago
- Reactions:6
- Comments:6 (1 by maintainers)
Top GitHub Comments
I found that simply adding
io.swagger.v3.oas.annotations.security.SecurityRequirements
as an annotation will do what you want.At least for me this disabled all security requirements for the method.
Interestingly, it works on the SwaggerHub: security-override-test