Spring Boot, Swagger and Authorisation

I have a Spring Boot API that uses Springdoc (Swagger). The API has security with “apiKey” and “code” fields being passed in the header. I am having difficulty configuring Swagger correctly to enable the Authentication function in the Swagger UI. This is the configuration:

@Bean
public OpenAPI alartaCoreAdtAPI() {
    return new OpenAPI()
            .addSecurityItem(new SecurityRequirement().addList("BASIC"))
            .components(
               new Components()
                   .addSecuritySchemes("BASIC",
                       new SecurityScheme()
                           .type(SecurityScheme.Type.HTTP)
                           .scheme("basic")
                           .name("code")
                                            
                   )
            )               

              .info(new Info().title(config.getApiTitle())
              .description(config.getApiDescription())
              .version(config.getApiVersion())
              .license(new 
             License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl())))
);
  }

JavaScript
​x
 
@Beanpublic OpenAPI alartaCoreAdtAPI() {    return new OpenAPI()            .addSecurityItem(new SecurityRequirement().addList("BASIC"))            .components(               new Components()                   .addSecuritySchemes("BASIC",                       new SecurityScheme()                           .type(SecurityScheme.Type.HTTP)                           .scheme("basic")                           .name("code")                                                               )            )               ​              .info(new Info().title(config.getApiTitle())              .description(config.getApiDescription())              .version(config.getApiVersion())              .license(new              License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl()))));  } ​

I know this is incorrect, but are unsure how to configure it.

Any assistance appreciated.

Attempts at solution: from @indybee recommendation:

@Bean
    public OpenAPI alartaCoreAdtAPI() {
        return new OpenAPI()
                
                .addSecurityItem(new SecurityRequirement().addList("BASIC"))
                  
                .components( new Components()
                        .addSecuritySchemes("apiKey", securityScheme("apiKey"))
                        .addSecuritySchemes("code", securityScheme("code"))
                        )

                  .info(new Info().title(config.getApiTitle())
                  .description(config.getApiDescription())
                  .version(config.getApiVersion())
                  .license(new License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl())))
                  );
      } 
    
    private SecurityScheme securityScheme(String name) {
        return new io.swagger.v3.oas.models.security.SecurityScheme()
            .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)
            .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)
            .name(name);
    }

JavaScript
 
@Bean    public OpenAPI alartaCoreAdtAPI() {        return new OpenAPI()                                .addSecurityItem(new SecurityRequirement().addList("BASIC"))                                  .components( new Components()                        .addSecuritySchemes("apiKey", securityScheme("apiKey"))                        .addSecuritySchemes("code", securityScheme("code"))                        )​                  .info(new Info().title(config.getApiTitle())                  .description(config.getApiDescription())                  .version(config.getApiVersion())                  .license(new License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl())))                  );      }         private SecurityScheme securityScheme(String name) {        return new io.swagger.v3.oas.models.security.SecurityScheme()            .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)            .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)            .name(name);    }​

This is where I get to (unfortunately, it still doesn’t authorize when I test an endpoint)

Finally, this appears to work (using guidance from @indybee):

addSecurityItem()

        .components( new Components()
                .addSecuritySchemes("apiKey", securityScheme("apiKey"))
                .addSecuritySchemes("code", securityScheme("code"))
                )
        .addSecurityItem(new SecurityRequirement().addList("apiKey").addList("code"))

JavaScript
 
        .components( new Components()                .addSecuritySchemes("apiKey", securityScheme("apiKey"))                .addSecuritySchemes("code", securityScheme("code"))                )        .addSecurityItem(new SecurityRequirement().addList("apiKey").addList("code")) ​

Answer

To pass 2 custom headers of “apiKey” and “code” with every request

add this method:

private SecurityScheme securityScheme(String name) {
    return new io.swagger.v3.oas.models.security.SecurityScheme()
        .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)
        .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)
        .name(name);
}

JavaScript
 
private SecurityScheme securityScheme(String name) {    return new io.swagger.v3.oas.models.security.SecurityScheme()        .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)        .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)        .name(name);} ​

and replace your .components() block with following

.components(new Components()
        .addSecuritySchemes("apiKey", securityScheme("apiKey"))
        .addSecuritySchemes("code", securityScheme("code"))
    )

JavaScript
 
.components(new Components()        .addSecuritySchemes("apiKey", securityScheme("apiKey"))        .addSecuritySchemes("code", securityScheme("code"))    )​

Advertisement

Answer