TechQA.

How to hide Spring Security OAuth2 endpoints from Swagger UI?

3.2k views Asked by At

I have an API application built with Spring Boot. I used swagger-springmvc v0.9.5 plugin along with Swagger UI to generate a live documentation and interaction front-end to the API methods.

I recently introduced Spring security and OAuth to the application. This introduced a few more sections appearing in the Swagger UI for:

  • authorization-endpoint which has a bunch of HTTP operations available under the /oauth/authorize path
  • check-token-endpoint which has a bunch of HTTP operations available under the /oauth/check_token path
  • whitelabel-approval-endpoint which has a bunch of HTTP operations available under the /oauth/confirm_access path
  • whitelabel-error-endpoint which has a bunch of HTTP operations available under the /oauth/error path

I can understand what they are for, but I do not want them to appear in my Swagger UI front-end. How do I hide them?

com.mangofactory.swagger.plugin.SwaggerSpringMvcPlugin's configuration does offer includePatterns() method but no way to exclude patterns. With includePatterns() every time some one adds a method to the API, will need to remember to add it there, which is not ideal. I don't have a common prefix for all API methods that I can use includePatterns() with either.

spring-mvc spring-security-oauth2 swagger-ui
Original Q&A
2

There are 2 answers

0
Harry On

I had the same issue. I resolved it by altering the Docket creation parameters. I was using 

@Bean
public Docket oAuthService() {
    return new Docket(DocumentationType.SWAGGER_2)
            .select()
            .apis(RequestHandlerSelectors.any())
            .paths(PathSelectors.any())
            .build()
            .pathMapping("/")
            .directModelSubstitute(LocalDate.class,
                    String.class)
            .genericModelSubstitutes(ResponseEntity.class)
            .alternateTypeRules(
                    newRule(typeResolver.resolve(DeferredResult.class,
                            typeResolver.resolve(ResponseEntity.class, WildcardType.class)),
                            typeResolver.resolve(WildcardType.class)))
            .useDefaultResponseMessages(false)
            .globalResponseMessage(RequestMethod.GET,
                    newArrayList(new ResponseMessageBuilder()
                            .code(500)
                            .message("500 message")
                            .responseModel(new ModelRef("Error"))
                            .build()))
            .securitySchemes(newArrayList(apiKey()))
            .securityContexts(newArrayList(securityContext()))
            .enableUrlTemplating(true)
            .tags(new Tag("Oauth Service", "Oauth Service"));
}

Which resulted in all the spring-oauth endpoints being part of my swagger spec. I changed the apis registered to use my basePackage instead of any(). Something like this:

.apis(RequestHandlerSelectors.basePackage("my.base.package.name"))
0
André Abreu On

All you need is to accept all paths excluding /oauth.*

.select()
.paths(input ->
    !PathSelectors.regex("/oauth.*").apply(input) &&
    PathSelectors.any().apply(input))
.build()

Related Questions in SPRING-MVC

Related Questions in SPRING-SECURITY-OAUTH2

Related Questions in SWAGGER-UI

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions