2

I am using Swagger Core 2.0 to generate OpenAPI 3.0 definition files and I am having trouble disabling "security" for a particular endpoint. I have my securitySchemes and root security element defined:

{
  "openapi" : "3.0.1",
  "security" : [ {
    "JWT" : [ ]
  } ],
  "paths" : {   
    "/auth" : {
      "post" : {
        "summary" : "authenticate user",
        "operationId" : "authenticate",
        "requestBody" : {
          "content" : {
            "application/json" : {
              "schema" : {
                "$ref" : "#/components/schemas/AuthenticationRequest"
              }
            }
          }
        },
        "responses" : {
          "200" : {
            "description" : "when user is successfully authenticated",
            "content" : {
              "application/json" : {
                "schema" : {
                  "$ref" : "#/components/schemas/AuthenticateUserOutput"
                }
              }
            }
          },       
          "401" : {
            "description" : "when email/password not valid or user is blocked/inactive"
          }       
        }
      }
    }
  },
  "components" : {
    "schemas" : {
      "AuthenticateUserOutput" : {
        "type" : "object",
        "properties" : {
          "token" : {
            "type" : "string"
          },
          "lastLoginAt" : {
            "type" : "string",
            "format" : "date-time"
          },        
          "lastProjectId" : {
            "type" : "string"
          }
        }
      },
      ...,
      "AuthenticationRequest" : {
        "required" : [ "email", "password" ],
        "type" : "object",
        "properties" : {
          "email" : {
            "type" : "string"
          },
          "password" : {
            "type" : "string"
          }
        }
      }
    },
    "securitySchemes" : {
      "JWT" : {
        "type" : "http",
        "scheme" : "bearer",
        "bearerFormat" : "JWT"
      }
    }
  }
}

According to the OpenAPI 3 spec https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md#securityRequirementObject I shall be able to override the global "security requirement" for an individual operation. I would like to "disable" JWT security for a few operations, and according to https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject it can be done:

To remove a top-level security declaration, an empty array can be used.

Unfortunately I am struggling to define an "empty security array" at the Operation level using annotations... I tried to specify

security = {}

or

security = @SecurityRequirement(name ="")

but no security element within the operation is generated at all. Any idea?

Below is my Java code (I use it for Swagger Dropwizard integration) that allows one to have a SecurityScheme and root-level security defined:

    Info info = new Info()
            .title("someTitle")
            .description("some description")
            .version("1.0");

    SecurityScheme jwtSecurity = new SecurityScheme()
            .type(SecurityScheme.Type.HTTP)
            .name("Authorization")
            .in(SecurityScheme.In.HEADER)
            .scheme("bearer")
            .bearerFormat("JWT");

    String securitySchemaName = "JWT";
    OpenAPI oas = new OpenAPI()
            .info(info)
            .components(new Components().addSecuritySchemes(securitySchemaName, jwtSecurity))
            .addSecurityItem(new SecurityRequirement().addList(securitySchemaName));

    SwaggerConfiguration oasConfig = new SwaggerConfiguration()
            .openAPI(oas)
            .prettyPrint(true)
            .resourcePackages(Stream.of("my.resources.package")
                    .collect(Collectors.toSet()));
    environment.jersey().register(new OpenApiResource()
            .openApiConfiguration(oasConfig));

Then on a few dedicated endpoints I would like to disable security, so I am trying with:

    @POST
    @Operation(
            summary = "authenticate user",
            responses = {
                    @ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
                            content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
                    @ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
            },
            security = /* what to put here ? */
    )
Helen
user62058

3 Answers

3

If you want to do it in YAML SwaggerHub style, you can put

security: []

in that endpoint after the request body, so Swagger considers it as no auth for that particular path or endpoint.

  • Nice, this is the correct way of disabling authentication in a single endpoint when you have an OpenAPI specs document that declares a security configuration globally. – José L. Patiño Mar 22 '22 at 11:57
-1

According to a comment over on the OpenAPI-Specification GitHub project, it should be possible.

Did you try this?

security: [
  {}
]
dansomething
-1

I had the same problem, on a Java SpringBoot webapp (dependency org.springdoc:springdoc-openapi-ui:1.5.2). As per this answer, I solved it by adding an empty @SecurityRequirements annotation on the operation. For example:

@POST
@SecurityRequirements
@Operation(
    summary = "authenticate user",
    responses = {
        @ApiResponse(responseCode = "200", description = "when user is successfully authenticated",
                     content = @Content(schema = @Schema(implementation = AuthenticateUserOutput.class))),
        @ApiResponse(responseCode = "401", description = "when email/password not valid or user is blocked/inactive"),
    }
)
namgold
Sergio
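As an added, runnable check (example code, not from the question, the answers, or Swagger Core), here is a small Python audit that applies the override rule quoted in the question to a generated document and lists the operations reachable without credentials, so that a `security: []` override, or the `[{}]` form from the second answer, is verified in the emitted spec rather than assumed from the annotation. The sample document is constructed from the question's output; the /me and /health paths are assumptions added to show the inherited and the optional-auth cases.

```python
import json

# Constructed, trimmed version of the generated document in the question.
# "/auth" carries the per-operation override (an empty array); "/me" (assumed)
# inherits the root requirement; "/health" (assumed) uses the [{}] form from
# the second answer, which makes authentication optional rather than absent.
SPEC_JSON = """
{
  "openapi": "3.0.1",
  "security": [ { "JWT": [] } ],
  "paths": {
    "/auth":   { "post": { "operationId": "authenticate", "security": [] } },
    "/me":     { "get":  { "operationId": "whoAmI" } },
    "/health": { "get":  { "operationId": "health", "security": [ {} ] } }
  },
  "components": { "securitySchemes": {
    "JWT": { "type": "http", "scheme": "bearer", "bearerFormat": "JWT" } } }
}
"""
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

def load_spec():
    return json.loads(SPEC_JSON)

def effective_security(spec):
    """Map 'METHOD /path' to the requirement list that applies to it.
    Security Requirement Object rule: an operation-level 'security' key
    replaces the root one entirely, and an empty array removes it. Only the
    key's presence matters, so [] is a deliberate override, not "unset".
    """
    root = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is not None:
                result[f"{method.upper()} {path}"] = op.get("security", root)
    return result

def unauthenticated_operations(spec):
    """Operations callable with no credentials: [] (none) or a {} alternative."""
    return sorted(
        op for op, reqs in effective_security(spec).items()
        if not reqs or any(not r for r in reqs)
    )

if __name__ == "__main__":
    for op in unauthenticated_operations(load_spec()):
        print("no auth required:", op)
```

Run it against the file Swagger actually emits and compare the list with the endpoints you intended to open; an operation that appears here because of `[{}]` still accepts a token, it just no longer requires one.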