
Spring Boot, Swagger and Authorisation

I have a Spring Boot API that uses Springdoc (Swagger). The API has security with “apiKey” and “code” fields being passed in the header. I am having difficulty configuring Swagger correctly to enable the Authentication function in the Swagger UI. This is the configuration:

@Bean
public OpenAPI alartaCoreAdtAPI() {
    return new OpenAPI()
            .addSecurityItem(new SecurityRequirement().addList("BASIC"))
            .components(
                new Components()
                    .addSecuritySchemes("BASIC",
                        new SecurityScheme()
                            .type(SecurityScheme.Type.HTTP)
                            .scheme("basic")
                            .name("code")
                    )
            )
            .info(new Info().title(config.getApiTitle())
                .description(config.getApiDescription())
                .version(config.getApiVersion())
                .license(new License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl())));
}

I know this is incorrect, but am unsure how to configure it.

Any assistance appreciated.

Attempt at a solution, from @indybee's recommendation:

@Bean
public OpenAPI alartaCoreAdtAPI() {
    return new OpenAPI()
            .addSecurityItem(new SecurityRequirement().addList("BASIC"))
            .components(new Components()
                .addSecuritySchemes("apiKey", securityScheme("apiKey"))
                .addSecuritySchemes("code", securityScheme("code"))
            )
            .info(new Info().title(config.getApiTitle())
                .description(config.getApiDescription())
                .version(config.getApiVersion())
                .license(new License().name(config.getApiLicenseTitle()).url(config.getApiLicenseUrl())));
}

// API key scheme carried in the request header with the given name
private SecurityScheme securityScheme(String name) {
    return new io.swagger.v3.oas.models.security.SecurityScheme()
        .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)
        .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)
        .name(name);
}

This is where I get to (unfortunately, it still doesn’t authorize when I test an endpoint)


Finally, this appears to work (using guidance from @indybee):

addSecurityItem()

        .components( new Components()
                .addSecuritySchemes("apiKey", securityScheme("apiKey"))
                .addSecuritySchemes("code", securityScheme("code"))
                )
        .addSecurityItem(new SecurityRequirement().addList("apiKey").addList("code")) 


Answer

To pass 2 custom headers of “apiKey” and “code” with every request, add this method:

private SecurityScheme securityScheme(String name) {
    return new io.swagger.v3.oas.models.security.SecurityScheme()
        .type(io.swagger.v3.oas.models.security.SecurityScheme.Type.APIKEY)
        .in(io.swagger.v3.oas.models.security.SecurityScheme.In.HEADER)
        .name(name);
} 

and replace your .components() block with the following:

.components(new Components()
        .addSecuritySchemes("apiKey", securityScheme("apiKey"))
        .addSecuritySchemes("code", securityScheme("code"))
    )
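
The pieces from this thread assembled into one class, as an added example that is not part of the original question or answer. It also shows why the intermediate attempt did not authorize: its security requirement still named "BASIC" while only "apiKey" and "code" were defined. The class name, `headerKey`, `buildOpenApi` and `undefinedSchemeRefs` are hypothetical names; only the swagger-models calls come from the page or the library.

```java
import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class HeaderKeyOpenApiExample {
    // Same idea as the answer's helper: an API key carried in the named request header.
    static SecurityScheme headerKey(String headerName) {
        return new SecurityScheme()
                .type(SecurityScheme.Type.APIKEY)
                .in(SecurityScheme.In.HEADER)
                .name(headerName);
    }

    static OpenAPI buildOpenApi() {
        return new OpenAPI()
                .components(new Components()
                        .addSecuritySchemes("apiKey", headerKey("apiKey"))
                        .addSecuritySchemes("code", headerKey("code")))
                // One requirement listing both schemes: both headers accompany each request.
                // Two separate addSecurityItem() calls would instead mean "either one".
                .addSecurityItem(new SecurityRequirement().addList("apiKey").addList("code"));
    }

    // Hypothetical check: names used in security requirements that no scheme defines.
    static Set<String> undefinedSchemeRefs(OpenAPI api) {
        Components c = api.getComponents();
        Map<String, SecurityScheme> defined =
                c == null || c.getSecuritySchemes() == null ? Map.of() : c.getSecuritySchemes();
        Set<String> missing = new TreeSet<>();
        if (api.getSecurity() != null) {
            api.getSecurity().forEach(req -> missing.addAll(req.keySet()));
        }
        missing.removeAll(defined.keySet());
        return missing;
    }

    public static void main(String[] args) {
        System.out.println(undefinedSchemeRefs(buildOpenApi())); // working configuration
        // Constructed copy of the intermediate attempt: requirement names "BASIC" only.
        OpenAPI attempt = buildOpenApi().security(List.of(new SecurityRequirement().addList("BASIC")));
        System.out.println(undefinedSchemeRefs(attempt));
    }
}
```

Calling `undefinedSchemeRefs` on the bean in a unit test catches a renamed or leftover scheme reference before the Swagger UI silently sends requests without the headers.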
