How to exclude API endpoints from Security Schema?

[echoAlexey]

Hi!

I would like to exclude API endpoints from security schema. Would this be possible?

Is it possible also to group API and assign different security schemas to it?

Hi,

You can add the security annotations for the secured operations only.

@RestController
@RequestMapping(path = "/demo2",
	produces = MediaType.TEXT_PLAIN_VALUE)
@SecurityScheme(
		name = "bearerToken",
		type = SecuritySchemeType.HTTP,
		scheme = "bearer",
		bearerFormat = "JWT"
)
public class DemoController {

	@PostMapping(value = "/login1", consumes = MediaType.APPLICATION_JSON_VALUE)
	@Operation(summary = "Add a new person to the store", description = "", security = {
			@SecurityRequirement(name = "bearerToken")})
	public Object createAuthenticationToken(
			@RequestBody String authenticationRequest) {
		return null;
	}

	@PostMapping(value = "/login3", consumes = MediaType.APPLICATION_JSON_VALUE)
	@Operation(description =  "hello, no security")
	public Object createAuthenticationToken2(
			@RequestBody String authenticationRequest) {
		return null;
	}
}

if you need to exclide only one operation, there is a related issue on the swagger-core official annotations / jars:

• disable global security for particular operation swagger-api/swagger-core#2844

[bnasslahsen]

You can also use OperationCustomizer (Tested with v1.2.28) : Here is an example, of disabling using Tag name, but it can be on other criterias (method name, ...)

public static final String UNSECURED = "security.open";

@Bean
public OperationCustomizer customize() {
    return (Operation operation, HandlerMethod handlerMethod) -> {
        List<String> tags = operation.getTags();
        if (tags != null && tags.contains(UNSECURED)) {
            operation.setSecurity(Collections.emptyList());
            operation.setTags(tags.stream()
                    .filter(t -> !t.equals(UNSECURED))
                    .collect(Collectors.toList()));
        }
        return operation;
    };
}