Using Authorization annotation in JAVA

[kfirisrael]

Hi,

We've defined a yaml file with Swagger version 2.0 with the following security definitions:

securityDefinitions:
  UserNameSecurity:
    type: apiKey
    in: header
    name: X-API-USERNAME
  PasswordSecurity:
    type: apiKey
    in: header
    name: X-API-PASSWORD
  TenantSecurity:
    type: apiKey
    in: header
    name: X-API-TENANT
    
security:
- UserNameSecurity: []
- PasswordSecurity: []
- TenantSecurity: []

After compiling it using Swagger JAVA compiler version 2.2.3 we see the security labels as annotations in all the operation, but we can't access the values entered for them in the request header.
@io.swagger.annotations.Authorization(value = "PasswordSecurity"),
@io.swagger.annotations.Authorization(value = "TenantSecurity"),
@io.swagger.annotations.Authorization(value = "UserNameSecurity")

Do you know how can the apiKey values, supplied in the header, can be accessed in the generated code?

Thanks,
Kfir

[mrbq]

Hi,

I have the same problem. I want to have an API first design and I want to get the security definition (path and roles) from the swagger specification so I can use it in my spring security configuration.

If I can do this, it means that the secured services and the roles that can access them should be defined in swagger and not in the application.

Thanks,
marcos

[mrbq]

Hi,

I decided to write a class that get the beans that implement and interface annotated with @Api:

applicationContext.getBeansWithAnnotation(Api.class);

After that I process the interface annotations to get the authorization scope if present. For each method in the interface is possible to get the authorization scopes and included them in a list:

    List<String> result = new ArrayList<>();

    for (Authorization authorization: method.getAnnotation(ApiOperation.class).authorizations())    {

        if (authorization.scopes() != null && authorization.scopes().length > 0) {
            Arrays.stream(authorization.scopes())
                    .filter(scope -> scope != null && scope.scope() != null && !scope.scope().trim().isEmpty())
                    .forEach(scope -> result.add(scope.scope()));
        }
    }

So for each method in the interface is possible to obtain the authorization scopes and also the request mapping and the request method (both present in the @RequestMapping annotation).

Finally, I put all that information (http method, request mapping and scopes) in a spring bean and then I configure spring security using mvc matchers. Doing this you can configure your application's authorization in the OpenApi specification and nowhere else.

Thanks,
marcos

[orubel]

In the words of Darrel Miller, the lead on OpenAPI, let me send you this link: https://www.flickr.com/photos/orubel/50695726007/in/dateposted-public/

[MikeRalphson]

@orubel What makes you think Darrel is "the lead" on OpenAPI?

[orubel]

@MikeRalphson It's posted on one of your lists. I also believe he has stated it himself in either his twitter profile or on LinkedIn in the past. If I am wrong, please correct me with his official title (though this is irrelevant to the topic).

[orubel]

@kfirisrael One of the issues you will run into is that OpenApi doesn't allow for an association of ROLE with endpoint; this causes endpoints to show same request data/response data regardless of ROLE. In other words, if you were to build a Swagger doc from this, an ADMIN role and a USER role would see the EXACT SAME ENDPOINTS and request them the EXACT SAME WAY!!!

There is no way to extend this because the association has to be directly tied to the endpoint (not be in a separate extension where the association is lost)

[handrews]

Solution given in 2018, closing.