Disable security for one operation #259

Closed
dlamoris opened this issue Dec 12, 2019 · 7 comments
Labels
enhancement New feature or request

@dlamoris

Hi,
I have an `@OpenAPIDefinition` with security defined for the whole app, but I want to override and disable security for one method. How can I do that?
Using `@Operation(security = {})` on the method doesn't seem to work.
Expected output in YAML is `security: []` for that one operation.

Thanks

@springdoc
Collaborator

Hi,

Can you please add sample code to reproduce your issue?

@dlamoris
Author

Application annotations:

```java
@SpringBootApplication(scanBasePackages = "example")
@OpenAPIDefinition(
    info = @Info(
        ...
    ),
    servers = {
    },
    security = {@SecurityRequirement(name = "bearerToken")}
)
@SecurityScheme(
    name = "bearerToken",
    type = SecuritySchemeType.HTTP,
    scheme = "bearer",
    bearerFormat = "JWT"
)
public class ExampleApplication {
    public static void main(String[] args) {
        SpringApplication.run(ExampleApplication.class, args);
    }
}
```

Annotation on controller method:

```java
@RestController
public class AuthenticationController {

    @PostMapping(value = "/login", consumes = MediaType.APPLICATION_JSON_VALUE)
    @Operation(security = {})
    public JwtAuthenticationResponse createAuthenticationToken(
        @RequestBody JwtAuthenticationRequest authenticationRequest) {
    }
}
```

@dlamoris dlamoris removed their assignment Dec 13, 2019
@springdoc
Collaborator

Hi,

First of all, please note that we rely on swagger-core official annotations / jars.
There is already an open issue related to your expected behaviour: You can submit your comments here instead.

You have another option, which is to add the security annotations for the secured operations only.

```java
@RestController
@RequestMapping(path = "/demo2",
    produces = MediaType.TEXT_PLAIN_VALUE)
@SecurityScheme(
    name = "bearerToken",
    type = SecuritySchemeType.HTTP,
    scheme = "bearer",
    bearerFormat = "JWT"
)
public class DemoController {

    @PostMapping(value = "/login1", consumes = MediaType.APPLICATION_JSON_VALUE)
    @Operation(summary = "Add a new person to the store", description = "", security = {
        @SecurityRequirement(name = "bearerToken")})
    public Object createAuthenticationToken(
            @RequestBody String authenticationRequest) {
        return null;
    }

    @PostMapping(value = "/login3", consumes = MediaType.APPLICATION_JSON_VALUE)
    @Operation(description = "hello, no security")
    public Object createAuthenticationToken2(
            @RequestBody String authenticationRequest) {
        return null;
    }
}
```

@mafor

mafor commented Dec 30, 2019

Hi,

I came across this issue recently. I found a workaround using OpenApiCustomiser, but I would prefer a proper solution. I think it is doable without changes to the swagger-core annotations (not with the Operation annotation, but with an 'empty' SecurityRequirements). It would look like this:

```java
@RestController
public class AuthenticationController {

    @PostMapping(value = "/login", consumes = MediaType.APPLICATION_JSON_VALUE)
    @SecurityRequirements(value = {}) // <- or without 'value', added for clarity
    public JwtAuthenticationResponse createAuthenticationToken(
        @RequestBody JwtAuthenticationRequest authenticationRequest) {
    }
}
```

It doesn't work out of the box; there are some changes needed in the SecurityParser.
Would you mind if I sent you a PR?

@bnasslahsen
Collaborator

@mafor, your PR is welcome.

@mafor

mafor commented Jan 30, 2020

Hi @bnasslahsen. Forget it, I see you've done it yourself already.

@bnasslahsen
Collaborator

Yeah @mafor, I wasn't sure about your feedback. Anyway, the important thing is that it's now shared with the community.

@bnasslahsen bnasslahsen added the enhancement New feature or request label Jan 10, 2022
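
A check on the generated document, added here as an example (not code from springdoc or from anyone in this thread): it applies the OpenAPI override rule the issue relies on, where an operation-level `security` replaces the global list and `security: []` removes it, and reports every operation that ends up without a mandatory requirement unless it is on an allow-list. The sample spec, the `/accounts` and `/status` paths and their operation ids are constructed, and the block goes one step beyond the thread by also flagging the `{}` alternative, which makes authentication optional.

```python
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample: the shape of document the thread expects, with a global
# bearerToken requirement and /login opting out through "security": [].
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.1",
  "security": [{"bearerToken": []}],
  "paths": {
    "/login": {"post": {"operationId": "createAuthenticationToken", "security": []}},
    "/accounts": {"get": {"operationId": "listAccounts"}},
    "/status": {"get": {"operationId": "status", "security": [{}, {"bearerToken": []}]}}
  }
}
""")


def effective_security(spec, operation):
    """Operation-level 'security' replaces the root-level list, even when empty."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def classify(requirements):
    """'open': no requirement applies; 'optional': an empty {} alternative exists."""
    if not requirements:
        return "open"
    if any(len(req) == 0 for req in requirements):
        return "optional"
    return "secured"


def audit(spec, allowed_open=frozenset()):
    """Return (METHOD, path, state) for each non-secured operation not in allowed_open."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in [m for m in HTTP_METHODS if m in item]:
            state = classify(effective_security(spec, item[method]))
            if state != "secured" and (method.upper(), path) not in allowed_open:
                findings.append((method.upper(), path, state))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SPEC, allowed_open={("POST", "/login")}):
        print(*finding)
```

Run against the JSON the application actually serves, an empty result with only the login operation allow-listed confirms that the override reached the one method it was meant for.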