disable global security for particular operation


I am using swagger.core.v3 in version 2.0.2 to generate OpenAPI 3.0 definition files and I am having trouble disabling “security” for a particular endpoint. I have global securitySchemes and a root security element defined:

    Info info = new Info()
            .title("someTitle")
            .description("some description")
            .version("1.0");

    // HTTP bearer scheme carrying a JWT in the Authorization header
    SecurityScheme jwtSecurity = new SecurityScheme()
            .type(SecurityScheme.Type.HTTP)
            .name("Authorization")
            .in(SecurityScheme.In.HEADER)
            .scheme("bearer")
            .bearerFormat("JWT");

    // Register the scheme and require it globally (root "security" element)
    String securitySchemaName = "JWT";
    OpenAPI oas = new OpenAPI()
            .info(info)
            .components(new Components().addSecuritySchemes(securitySchemaName, jwtSecurity))
            .addSecurityItem(new SecurityRequirement().addList(securitySchemaName));

    SwaggerConfiguration oasConfig = new SwaggerConfiguration()
            .openAPI(oas)
            .prettyPrint(true)
            .resourcePackages(Stream.of("my.resources.package")
                    .collect(Collectors.toSet()));
    environment.jersey().register(new OpenApiResource()
            .openApiConfiguration(oasConfig));

And definition file is nicely generated:

{
  "openapi" : "3.0.1",
  "security" : [ {
    "JWT" : [ ]
  } ],
  "paths" : {   
    ...
  },
  "components" : {
    "schemas" : {
     ...
    },
    "securitySchemes" : {
      "JWT" : {
        "type" : "http",
        "scheme" : "bearer",
        "bearerFormat" : "JWT"
      }
    }
  }
}

According to the OpenAPI 3 spec https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#securityRequirementObject I shall be able to override the global “security requirement” for an individual operation. I would like to “disable” JWT security for a few operations and according to https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject it can be done by

To remove a top-level security declaration, an empty array can be used.

I simply wanna specify “NO Security” for a particular operation:

    @POST
    @Operation(
            summary = "authenticate user",
            responses = {
                    @ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
                            content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
                    @ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
            },
            security = what to put here ?
    )

I tried security = {} or security = @SecurityRequirement(name ="") but in both cases no security element within operation is generated at all…

Issue Analytics

  • State: open
  • Created 5 years ago
  • Reactions: 6
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

7 reactions
sbarfurth commented, Dec 3, 2020

I found that simply adding io.swagger.v3.oas.annotations.security.SecurityRequirements as an annotation will do what you want.

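import io.swagger.v3.oas.annotations.security.SecurityRequirements;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class Controller {

    @SecurityRequirements // This is it
    @GetMapping("/api/v1/endpoint")
    public String endpoint() {
        return "no security required!";
    }

}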

At least for me this disabled all security requirements for the method.

1 reaction
mafor commented, Dec 20, 2019

Interestingly, it works on the SwaggerHub: security-override-test
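
The override rule quoted in the issue can be checked against the generated definition file. The following is an added example, not code from the issue or from swagger-core: a Python audit that resolves the effective security of every operation and compares the unauthenticated ones with an intended allowlist. The sample document reuses the issue's root `security` element and JWT scheme; its paths and the function names are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: root "security" and scheme as in the issue; the paths are hypothetical.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.1",
  "security": [ { "JWT": [] } ],
  "paths": {
    "/authenticate": { "post": { "summary": "authenticate user" } },
    "/health":       { "get":  { "security": [] } },
    "/users":        { "parameters": [], "get": { }, "delete": { "security": [ { "JWT": [] } ] } }
  },
  "components": { "securitySchemes": {
    "JWT": { "type": "http", "scheme": "bearer", "bearerFormat": "JWT" } } }
}
""")


def effective_security(spec):
    """Map 'METHOD /path' to the security requirement list that applies to it."""
    root = spec.get("security", [])
    effective = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" are not operations
            # Absent key inherits the root list; a present key, even [], overrides it.
            effective[f"{method.upper()} {path}"] = op["security"] if "security" in op else root
    return effective


def audit(spec, allowed_anonymous):
    """Compare operations with no requirement against the intended allowlist."""
    anonymous = {op for op, reqs in effective_security(spec).items() if not reqs}
    return {
        # documented as open although nobody listed them as intentionally open
        "unexpected_anonymous": sorted(anonymous - set(allowed_anonymous)),
        # meant to be open, but no "security": [] was emitted, so the root requirement applies
        "still_protected": sorted(set(allowed_anonymous) - anonymous),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SPEC, ["POST /authenticate"]))
```

In the sample, `POST /authenticate` lands in `still_protected`, which is the symptom described in the issue: the operation carries no `security` element, so it inherits the global JWT requirement.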
