I am using the apiDiscovery-1.0 feature in Liberty in order to expose the Swagger UI for my REST APIs. However, my REST APIs are secured using Basic Auth and the Authorize button is not being displayed in the UI exposed by the apiDiscovery feature in Liberty. Is this supported with the apiDiscovery feature?
The version of Liberty that I am using is as follows:
product = WebSphere Application Server 17.0.0.2 (wlp-1.0.17.cl170220170523-1818)
If you are using annotations (JAXRS + Swagger v2), please note that you can only reference security definitions from within your annotated code - to actually declare them you will have to use a Swagger v2 stub document (inside META-INF/stub).
Check this sample.
In there we declare the security definition in the stub and then reference it from the annotation.
This is due to a limitation in the Swagger v2 annotation library that doesn't allow for security declarations from within annotations. This is something we're working to fix for OpenAPI v3.
Related
I have a spring boot REST service which is protected with Azure AD, so I'm using the Spring Boot Starter for Azure AD.
I'm also using the springdoc-openapi library to generate the API documentation. For now I'm hand writing the yaml file to describe the documentation.
I'm looking for help with getting swagger to authenticate with Azure AD so that I can try out the endpoints in the backend.
Is there someway to do this by either editing the yaml file or with the springdoc-openapi library?
For getting swagger to authenticate with Azure AD you need to create registered two web application one is for webAPI and another is for your swagger.Then you shoukd require Delegated Permissions for your Swagger Web Site to ‘Access’ your WebAPI.As swagger is in-built configured in the .Net 5.0 template so that we don't need to take care of documenting our APIs in this latest .Net 5.0.
You can refer this Document here they have given in steps how to authenticate swagger with azuread.
You can also refer this document for how Setup Swagger to authenticate against Azure Active Directory is provided by devloper community of .net
I am developing a client application for client_credentials grant type flow in OAUTH2.
I am not able to decide on which dependency to use in my project for this purpose among the following.
spring-boot-starter-oauth2-client
spring-cloud-starter-oauth2
spring-security-oauth2
I referred this documentation from spring-projects in which under client-support section it had a table describing the available options. But I am not able to understand which column is referring to which of the above dependencies.
I want to configure a WebClient or RestTemplate which retrieves the OAUTH2 token from the auth-server automatically before accessing a resource-server.
Please guide me in choosing the right artifact for my project.
If you are using Spring Boot you should choose org.springframework.boot:spring-boot-starter-oauth2-client.
This includes Spring Security's OAuth 2.0 Client support and provides Spring Boot auto-configuration to set up OAuth2/Open ID Connect clients.
You can read about how to configure client in the Spring Boot reference documentation.
You can also find additional details in the Spring Security reference documentation.
If you are not using Spring Boot then you should choose org.springframework.security:spring-security-oauth2-client. This also provides Spring Security's latest OAuth 2.0 Client support, but does not include the Spring Boot auto-configuration.
The corresponding documentation is also the Spring Security reference documentation.
The third dependency you mentioned org.springframework.security.oauth:spring-security-oauth2 should not be used because it is part of the legacy Spring Security OAuth project, which is now deprecated.
The functionality that this library provided has now been moved into Spring Security.
That is what the Migration Guide describes, the migration from the legacy project to the latest Spring Security support.
You should not use the org.springframework.cloud:spring-cloud-starter-oauth2 at this time, because it relies on the legacy OAuth support.
This is likely to change in the future, as the Spring Cloud team updates to the latest Spring Security support.
I have been using swagger for a while with spring boot applications. It is very easy with spring since i only have to specify the package info.
But recently i was going through a few documents on how to integrate swagger with JAX-RS, i found it requires more involvement from developer by specifying api information's on a JSON.
Do we have any other solution?
I got a Spring boot REST based proxy server application with standard REST End point exposed(GET, POST,PUT and DELETE) to outside world.
Any requests coming from external world then will be routed to actual functionality internally.
Now the requirement is to expose all the API supported by my REST proxy server. As I mentioned I do not have static controller path in my code for individual APIs. So would like to get your input how to create swagger support for all the internal APIs that my proxy server support. Is there are a way I can generate swagger schema manually to mimics the controller path? Or is there any other way to solve this problem?
Thanks in advance.
I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either #EnableGlobalMethodSecurity or #EnableWebSecurity. Unfortunately, the documentation that I have found for these don't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?
EnableWebSecurity will provide configuration via HttpSecurity. It's the configuration you could find with <http></http> tag in xml configuration, it allows you to configure your access based on urls patterns, the authentication endpoints, handlers etc...
EnableGlobalMethodSecurity provides AOP security on methods. Some of the annotations that it provides are PreAuthorize, PostAuthorize. It also has support for JSR-250. There are more parameters in the configuration for you
For your needs, it's better to mix the two. With REST you can achieve everything you need only by using #EnableWebSecurity since HttpSecurity#antMatchers(HttpMethod,String...) accepts control over Http methods