
I added this dependency to my Spring Boot application

<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-ui</artifactId>
    <version>1.4.3</version>
    <!-- no <type> element: the artifact is a plain jar, and a type such as
         pom.sha512 would only fetch the checksum file instead of the library -->
</dependency>

I then was able to open: https://localhost:8443/v3/api-docs

The browser does ask me for my credentials, and as long as I enter the user/password right it works, but it shows me ALL the methods that are available globally. I would like only the methods the user has rights to to show up in the API docs.

For a specific method I use this tag to authorize my call: @PreAuthorize("hasRole('USER') OR hasRole('ADMIN')")

This is my web security config class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        // one encoder instance for both hashing and verification
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user").password(encoder.encode("blabl")).roles("USER")
                .and()
                .withUser("admin").password(encoder.encode("blabla")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
                .antMatchers("/").permitAll()      // root is public
                .anyRequest().authenticated()      // everything else, including /v3/api-docs, needs a login
                .and()
                .httpBasic();
    }
}
Helen
trilogy
    In theory it is feasible by modifying the Paths object, but I did not find how: https://swagger.io/specification/#security-filtering – Victor Aug 07 '20 at 06:59

2 Answers


I doubt whether this is possible as the API documentation is generated at startup time (I think).

What you can do instead is to add documentation specifying which security credentials are needed for which API calls. I found a mention of this at https://github.com/springdoc/springdoc-openapi#adding-api-information-and-security-documentation

So if a user is able to see the API page, then it might also see the endpoints it does not have access to (such as /admin), but you could add documentation to it that the endpoint can only be accessed by admins.

Davio

Based on the description you have provided, I would recommend the following.

  1. Add role-specific security on endpoints:

e.g.:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/rest/admin/**").hasAnyRole("ADMIN")
            .and()
        .httpBasic()
            .and()
        .csrf().disable();
}
  2. Add the 'ROLE_' prefix to your @PreAuthorize

e.g.:

@PreAuthorize("hasRole('ROLE_USER')")

or

@PreAuthorize("hasRole('ROLE_ADMIN')")

It should then work as expected.

Additionally, if it still doesn't work as expected, I would suggest creating two separate GroupedOpenApi per role and segregating the APIs by path identifier for the super role (i.e. ADMIN in your case), and creating respective security configurations on respective antMatchers (e.g.: .antMatchers("/rest/admin/**").hasAnyRole("ADMIN")). This should then work, as you are configuring the security on paths per role as well as configuring separate GroupedOpenApi for documentation.

P.S.: I would first try the 1st approach and only use the 2nd as fallback.

Dishant Kamble
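One way to realize the "separate GroupedOpenApi per role" fallback from this answer, as an added example that is not code from the question or from either answer. It is meant as a replacement for the question's configure(HttpSecurity) (the in-memory users from the question are left out); the group names admin/user, the paths /rest/admin/** and /rest/user/**, and the springdoc 1.4.x GroupedOpenApi builder methods are assumptions.

```java
import org.springdoc.core.GroupedOpenApi;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class RoleScopedApiDocsConfig extends WebSecurityConfigurerAdapter {

    // One OpenAPI group per role. springdoc serves each group at /v3/api-docs/{group},
    // so the admin document only ever contains the paths matched here (assumed paths).
    @Bean
    public GroupedOpenApi adminApi() {
        return GroupedOpenApi.builder().group("admin").pathsToMatch("/rest/admin/**").build();
    }

    @Bean
    public GroupedOpenApi userApi() {
        return GroupedOpenApi.builder().group("user").pathsToMatch("/rest/user/**").build();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matchers are evaluated in order: the first match wins, so the specific
        // group documents come before the catch-all for /v3/api-docs/**.
        http.authorizeRequests()
                // the admin group's document is protected like the endpoints it describes
                .antMatchers("/v3/api-docs/admin", "/rest/admin/**").hasRole("ADMIN")
                // the user group's document is visible to any logged-in user
                .antMatchers("/v3/api-docs/user", "/rest/user/**").authenticated()
                // swagger-ui loads this to discover the groups; keep it usable for users
                .antMatchers("/v3/api-docs/swagger-config").authenticated()
                // the ungrouped document and anything else under /v3/api-docs is admin-only
                .antMatchers("/v3/api-docs", "/v3/api-docs/**").hasRole("ADMIN")
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}
```

With this, a USER login receives 403 for /v3/api-docs/admin and /v3/api-docs while /v3/api-docs/user still renders, which is the per-role visibility the question asks for, enforced by the security filter rather than by the documentation generator.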