Disable security for one operation using @SecurityRequirements. Fixes #259

Author: bnasslahsen

Diff for: CHANGELOG.md

@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [UnReleased] -
+
 ## [1.2.28] -
 ## Changed
 - Upgrade to spring-boot to 2.2.4.RELEASE

Diff for: springdoc-openapi-common/src/main/java/org/springdoc/core/OpenAPIBuilder.java

@@ -19,6 +19,7 @@
 package org.springdoc.core;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -191,9 +192,14 @@ public Operation buildTags(HandlerMethod handlerMethod, Operation operation, Ope
 		}
 
 		// Handle SecurityRequirement at operation level
-		Optional<io.swagger.v3.oas.annotations.security.SecurityRequirement[]> securityRequirement = securityParser
+		io.swagger.v3.oas.annotations.security.SecurityRequirement[] securityRequirements = securityParser
 				.getSecurityRequirements(handlerMethod);
-		securityRequirement.ifPresent(securityRequirements -> securityParser.buildSecurityRequirement(securityRequirements, operation));
+		if (securityRequirements != null) {
+			if (securityRequirements.length == 0)
+				operation.setSecurity(Collections.emptyList());
+			else
+				securityParser.buildSecurityRequirement(securityRequirements, operation);
+		}
 
 		if (!CollectionUtils.isEmpty(tagsStr)) {
 			operation.setTags(new ArrayList<>(tagsStr));

Diff for: springdoc-openapi-common/src/main/java/org/springdoc/core/SecurityParser.java

@@ -81,7 +81,7 @@ private static boolean isEmpty(OAuthScope[] scopes) {
 		return result;
 	}
 
-	public Optional<io.swagger.v3.oas.annotations.security.SecurityRequirement[]> getSecurityRequirements(
+	public io.swagger.v3.oas.annotations.security.SecurityRequirement[] getSecurityRequirements(
 			HandlerMethod method) {
 		// class SecurityRequirements
 		io.swagger.v3.oas.annotations.security.SecurityRequirements classSecurity = ReflectionUtils
@@ -90,16 +90,16 @@ public Optional<io.swagger.v3.oas.annotations.security.SecurityRequirement[]> ge
 		io.swagger.v3.oas.annotations.security.SecurityRequirements methodSecurity = ReflectionUtils
 				.getAnnotation(method.getMethod(), io.swagger.v3.oas.annotations.security.SecurityRequirements.class);
 
-		Set<io.swagger.v3.oas.annotations.security.SecurityRequirement> allSecurityTags = new HashSet<>();
+		Set<io.swagger.v3.oas.annotations.security.SecurityRequirement> allSecurityTags = null;
 
 		if (classSecurity != null) {
-			allSecurityTags.addAll(Arrays.asList(classSecurity.value()));
+			allSecurityTags = new HashSet<>(Arrays.asList(classSecurity.value()));
 		}
 		if (methodSecurity != null) {
-			allSecurityTags.addAll(Arrays.asList(methodSecurity.value()));
+			allSecurityTags = addSecurityRequirements(allSecurityTags, Arrays.asList(methodSecurity.value()));
 		}
 
-		if (allSecurityTags.isEmpty()) {
+		if (CollectionUtils.isEmpty(allSecurityTags)) {
 			// class SecurityRequirement
 			List<io.swagger.v3.oas.annotations.security.SecurityRequirement> securityRequirementsClassList = ReflectionUtils
 					.getRepeatableAnnotations(method.getBeanType(),
@@ -109,19 +109,21 @@ public Optional<io.swagger.v3.oas.annotations.security.SecurityRequirement[]> ge
 					.getRepeatableAnnotations(method.getMethod(),
 							io.swagger.v3.oas.annotations.security.SecurityRequirement.class);
 			if (!CollectionUtils.isEmpty(securityRequirementsClassList)) {
-				allSecurityTags.addAll(securityRequirementsClassList);
+				allSecurityTags = addSecurityRequirements(allSecurityTags, securityRequirementsClassList);
 			}
 			if (!CollectionUtils.isEmpty(securityRequirementsMethodList)) {
-				allSecurityTags.addAll(securityRequirementsMethodList);
+				allSecurityTags = addSecurityRequirements(allSecurityTags, securityRequirementsMethodList);
 			}
 		}
 
-		if (allSecurityTags.isEmpty()) {
-			return Optional.empty();
-		}
+		return (allSecurityTags != null) ? allSecurityTags.toArray(new io.swagger.v3.oas.annotations.security.SecurityRequirement[0]) : null;
+	}
 
-		return Optional.of(
-				allSecurityTags.toArray(new io.swagger.v3.oas.annotations.security.SecurityRequirement[0]));
+	private Set<io.swagger.v3.oas.annotations.security.SecurityRequirement> addSecurityRequirements(Set<io.swagger.v3.oas.annotations.security.SecurityRequirement> allSecurityTags, List<io.swagger.v3.oas.annotations.security.SecurityRequirement> securityRequirementsClassList) {
+		if (allSecurityTags == null)
+			allSecurityTags = new HashSet<>();
+		allSecurityTags.addAll(securityRequirementsClassList);
+		return allSecurityTags;
 	}
 
 	public Optional<List<SecurityRequirement>> getSecurityRequirements(

Diff for: springdoc-openapi-webmvc-core/src/test/java/test/org/springdoc/api/app76/HelloController.java

@@ -0,0 +1,45 @@
+/*
+ *
+ *  * Copyright 2019-2020 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      https://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package test.org.springdoc.api.app76;
+
+import io.swagger.v3.oas.annotations.security.SecurityRequirements;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+
+@RestController
+public class HelloController {
+
+	@GetMapping("/secure")
+	@ResponseBody
+	public String secured() {
+		return "It works!";
+	}
+
+	@GetMapping("/open")
+	@ResponseBody
+	@SecurityRequirements
+	public String open() {
+		return "It works!";
+	}
+
+
+}

Diff for: springdoc-openapi-webmvc-core/src/test/java/test/org/springdoc/api/app76/SpringDocApp76Test.java

@@ -0,0 +1,49 @@
+/*
+ *
+ *  * Copyright 2019-2020 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      https://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package test.org.springdoc.api.app76;
+
+import java.util.Arrays;
+
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import test.org.springdoc.api.AbstractSpringDocTest;
+
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+
+public class SpringDocApp76Test extends AbstractSpringDocTest {
+
+	@SpringBootApplication
+	static class SpringDocTestApp {
+		@Bean
+		public OpenAPI openAPI() {
+			return new OpenAPI()
+					.components(new Components().addSecuritySchemes("bearer-jwt",
+							new SecurityScheme()
+									.type(SecurityScheme.Type.HTTP)
+									.scheme("bearer")
+									.bearerFormat("JWT"))
+					)
+					.addSecurityItem(
+							new SecurityRequirement().addList("bearer-jwt", Arrays.asList("read", "write")));
+		}
+	}
+}

Diff for: springdoc-openapi-webmvc-core/src/test/resources/results/app76.json

@@ -0,0 +1,73 @@
+{
+  "openapi": "3.0.1",
+  "info": {
+    "title": "OpenAPI definition",
+    "version": "v0"
+  },
+  "servers": [
+    {
+      "url": "http://localhost",
+      "description": "Generated server url"
+    }
+  ],
+  "security": [
+    {
+      "bearer-jwt": [
+        "read",
+        "write"
+      ]
+    }
+  ],
+  "paths": {
+    "/open": {
+      "get": {
+        "tags": [
+          "hello-controller"
+        ],
+        "operationId": "open",
+        "responses": {
+          "200": {
+            "description": "default response",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "security": []
+      }
+    },
+    "/secure": {
+      "get": {
+        "tags": [
+          "hello-controller"
+        ],
+        "operationId": "secured",
+        "responses": {
+          "200": {
+            "description": "default response",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "components": {
+    "securitySchemes": {
+      "bearer-jwt": {
+        "type": "http",
+        "scheme": "bearer",
+        "bearerFormat": "JWT"
+      }
+    }
+  }
+}