
Using Authorization annotation in JAVA #1479

Closed
kfirisrael opened this issue Feb 6, 2018 · 7 comments

@kfirisrael

kfirisrael commented Feb 6, 2018

Hi,

We've defined a yaml file with Swagger version 2.0 with the following security definitions:

securityDefinitions:
  UserNameSecurity:
    type: apiKey
    in: header
    name: X-API-USERNAME
  PasswordSecurity:
    type: apiKey
    in: header
    name: X-API-PASSWORD
  TenantSecurity:
    type: apiKey
    in: header
    name: X-API-TENANT
    
security:
- UserNameSecurity: []
- PasswordSecurity: []
- TenantSecurity: []

After compiling it using Swagger JAVA compiler version 2.2.3 we see the security labels as annotations in all the operations, but we can't access the values entered for them in the request header.
@io.swagger.annotations.Authorization(value = "PasswordSecurity"),
@io.swagger.annotations.Authorization(value = "TenantSecurity"),
@io.swagger.annotations.Authorization(value = "UserNameSecurity")

Do you know how the apiKey values supplied in the header can be accessed in the generated code?

Thanks,
Kfir

@mrbq

mrbq commented May 9, 2018

Hi,

I have the same problem. I want to have an API first design and I want to get the security definition (path and roles) from the swagger specification so I can use it in my spring security configuration.

If I can do this, it means that the secured services and the roles that can access them should be defined in swagger and not in the application.

Thanks,
marcos

@mrbq

mrbq commented May 10, 2018

Hi,

I decided to write a class that gets the beans that implement an interface annotated with @Api:

applicationContext.getBeansWithAnnotation(Api.class);

After that I process the interface annotations to get the authorization scope if present. For each method in the interface it is possible to get the authorization scopes and include them in a list:

    import io.swagger.annotations.ApiOperation;
    import io.swagger.annotations.Authorization;
    import java.lang.reflect.Method;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;
    // Collects the non-empty authorization scopes declared on one @ApiOperation method.
    static List<String> scopesOf(Method method) {
        List<String> result = new ArrayList<>();
        ApiOperation operation = method.getAnnotation(ApiOperation.class);
        if (operation == null) return result;   // plain interface method, no operation metadata
        for (Authorization authorization : operation.authorizations()) {
            if (authorization.scopes() != null && authorization.scopes().length > 0) {
                Arrays.stream(authorization.scopes())
                        .filter(scope -> scope != null && scope.scope() != null && !scope.scope().trim().isEmpty())
                        .forEach(scope -> result.add(scope.scope()));
            }
        }
        return result;
    }

So for each method in the interface it is possible to obtain the authorization scopes and also the request mapping and the request method (both present in the @RequestMapping annotation).

Finally, I put all that information (HTTP method, request mapping and scopes) in a Spring bean and then I configure Spring Security using MVC matchers. By doing this you can configure your application's authorization in the OpenAPI specification and nowhere else.

Thanks,
marcos
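The whole procedure described in the comment above (scan the `@Api` beans, read the scopes and the `@RequestMapping` verb/path off each interface method, then feed Spring Security), written out as an added example. This is not mrbq's code and not part of swagger-codegen; it targets swagger-annotations 1.5 and Spring Security 5.x before 5.7 (`WebSecurityConfigurerAdapter`, `mvcMatchers`), and it assumes that a scope name maps one-to-one to a granted authority and that some other filter (not shown) has already authenticated the `X-API-*` headers. The class names `SecuredEndpoint`, `SwaggerEndpointScanner` and `SpecDrivenSecurityConfig` are hypothetical.

```java
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.Authorization;
import io.swagger.annotations.AuthorizationScope;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** One (HTTP verb, path) pair from a generated interface plus the access rule the spec declares for it. */
final class SecuredEndpoint {
    final HttpMethod method;
    final String pattern;
    final List<String> scopes;            // empty for apiKey schemes such as the ones in this issue
    final boolean requiresAuthentication; // true when the operation lists at least one security scheme

    SecuredEndpoint(HttpMethod method, String pattern, List<String> scopes, boolean requiresAuthentication) {
        this.method = method;
        this.pattern = pattern;
        this.scopes = Collections.unmodifiableList(new ArrayList<>(scopes));
        this.requiresAuthentication = requiresAuthentication;
    }
}

/** Reads @Api / @ApiOperation / @RequestMapping off the generated interfaces of every @Api bean. */
final class SwaggerEndpointScanner {
    static List<SecuredEndpoint> scan(ApplicationContext ctx) {
        List<SecuredEndpoint> endpoints = new ArrayList<>();
        for (Object bean : ctx.getBeansWithAnnotation(Api.class).values()) {
            // Unwrap AOP proxies so we inspect the controller's own interfaces, not the proxy's.
            for (Class<?> iface : AopUtils.getTargetClass(bean).getInterfaces()) {
                if (!iface.isAnnotationPresent(Api.class)) continue;
                // Optional interface-level prefix such as @RequestMapping("/v2"); "" when absent.
                String[] basePaths = pathsOf(iface.getAnnotation(RequestMapping.class));
                String base = basePaths.length > 0 ? basePaths[0] : "";
                for (Method m : iface.getMethods()) endpoints.addAll(endpointsOf(base, m));
            }
        }
        return endpoints;
    }

    /** All endpoints of one operation: one entry per HTTP verb and path declared on the method. */
    private static List<SecuredEndpoint> endpointsOf(String base, Method m) {
        ApiOperation op = m.getAnnotation(ApiOperation.class);
        RequestMapping rm = m.getAnnotation(RequestMapping.class);
        if (op == null || rm == null) return Collections.emptyList();
        List<String> scopes = new ArrayList<>();
        boolean secured = false;
        for (Authorization auth : op.authorizations()) {
            // swagger-annotations defaults authorizations() to one @Authorization("") placeholder and
            // scopes() to one @AuthorizationScope(scope = "") placeholder; neither is a real requirement.
            if (auth.value().trim().isEmpty()) continue;
            secured = true;
            for (AuthorizationScope s : auth.scopes()) {
                if (!s.scope().trim().isEmpty()) scopes.add(s.scope());
            }
        }
        List<SecuredEndpoint> out = new ArrayList<>();
        for (String path : pathsOf(rm)) {
            for (RequestMethod verb : rm.method()) {
                out.add(new SecuredEndpoint(HttpMethod.valueOf(verb.name()), base + path, scopes, secured));
            }
        }
        return out;
    }

    private static String[] pathsOf(RequestMapping rm) {
        if (rm == null) return new String[0];
        return rm.value().length > 0 ? rm.value() : rm.path();   // value() and path() are aliases
    }
}

/** Builds the Spring Security rules from the spec; a request for anything not in the spec is denied. */
@EnableWebSecurity
class SpecDrivenSecurityConfig extends WebSecurityConfigurerAdapter {
    private final ApplicationContext ctx;

    SpecDrivenSecurityConfig(ApplicationContext ctx) { this.ctx = ctx; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry rules =
                http.authorizeRequests();
        for (SecuredEndpoint e : SwaggerEndpointScanner.scan(ctx)) {
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.AuthorizedUrl url =
                    rules.mvcMatchers(e.method, e.pattern);
            if (!e.scopes.isEmpty()) {
                url.hasAnyAuthority(e.scopes.toArray(new String[0])); // assumption: scope name == authority name
            } else if (e.requiresAuthentication) {
                url.authenticated(); // apiKey schemes carry no scopes: an authenticated caller is all we can demand
            } else {
                url.permitAll();     // the spec declares no security requirement for this operation
            }
        }
        rules.anyRequest().denyAll(); // default deny for paths the spec does not know about
    }
}
```

Two points worth checking before relying on this. First, the placeholder defaults in swagger-annotations are the reason mrbq's snippet filters empty scope strings: without the `auth.value().trim().isEmpty()` check every generated operation would look secured, and without the scope filter an empty string would be demanded as an authority. Second, Spring Security evaluates matchers in the order they are registered, so when generated paths overlap (a literal path and a templated `{id}` path under the same prefix) the more specific one must be registered first; the scanner above keeps bean iteration order, so sort the list before building rules if your spec has such overlaps.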


@handrews
Member

Solution given in 2018, closing.
