Securing Your Swagger UI with Basic Authentication (v3.0)
Swagger UI is a powerful tool for showcasing and interacting with your APIs. However, for sensitive APIs, security is paramount. Basic authentication provides a simple yet effective way to protect your API endpoints. This article will guide you through the process of integrating basic authentication into your Swagger UI (v3.0) setup.
The Problem: Unprotected APIs
Imagine you have a fantastic API, beautifully documented with Swagger UI. But, without proper security, anyone can access your sensitive data. You need a way to control access and only allow authorized users to interact with your API.
Setting up Basic Authentication
Here's a step-by-step guide to implement basic authentication in Swagger UI v3.0:
1. Configure your API to use Basic Authentication:
- If you are using Spring Boot, you can utilize
@RestController
and@RequestMapping
annotations, along with@AuthenticationPrincipal
to access the authenticated user information.
@RestController
@RequestMapping("/api")
public class MyController {
@GetMapping("/protected")
public String getProtectedData(@AuthenticationPrincipal User user) {
return "Welcome, " + user.getUsername() + "!";
}
}
2. Create a SecurityConfiguration
class:
- This class is responsible for configuring Swagger UI to handle basic authentication requests.
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-resources/**").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
3. Add springfox-swagger-ui
dependency:
- Ensure you have the following dependency in your project's pom.xml file:
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>3.0.0</version>
</dependency>
4. Update SwaggerConfig
:
- Update the
SwaggerConfig
class to include basic authentication configuration:
@Configuration
public class SwaggerConfig {
@Bean
public Docket api() {
return new Docket(DocumentationType.OAS_30)
.select()
.apis(RequestHandlerSelectors.any())
.paths(PathSelectors.any())
.build()
.securitySchemes(List.of(new SecuritySchemeBuilder()
.type(SecuritySchemeType.HTTP)
.scheme("basic")
.in(SecuritySchemeIn.HEADER)
.name("Authorization")
.reference("BasicAuth")
.build()))
.securityContexts(List.of(SecurityContext.builder()
.securityReferences(List.of(
new SecurityReference("BasicAuth", new AuthorizationScope[]{
new AuthorizationScope("global", "accessEverything")
})
))
.build()));
}
}
5. Accessing Your API:
- When you access your Swagger UI, you will be prompted to enter your username and password. After successful authentication, you can interact with the protected endpoints.
Important Points:
- Make sure your
SecurityConfiguration
class is configured correctly to allow access to the Swagger UI resources and protect other endpoints. - You can customize the
SecurityScheme
andSecurityContext
configurations to meet your specific requirements. - Remember to use a secure protocol like HTTPS for your API, particularly when using basic authentication.
Conclusion:
By implementing basic authentication in your Swagger UI setup, you can protect your sensitive API endpoints effectively. This ensures that only authorized users can access and interact with your data. While basic authentication is simple, it provides a good starting point for securing your APIs. If you need more advanced security features, consider using other authentication mechanisms like OAuth2.
Remember, prioritizing security is crucial for any API, especially when handling sensitive data.