
Security/Authorization support

Open airicyu opened this issue 8 years ago • 3 comments

The current way of swagger-inflector does not have security/authorization(e.g: API key) checking logic.

If my application's web services have to use an API key security check, I have to add the checking logic explicitly by specifying the type and OAuth2 scope etc. Can swagger-inflector make an enhancement so that in my controller method I can get the current operation definition and read the security scheme defined? I could then make some security check helpers to do the checking more generally.

I can think of some solutions:

  1. Pass the operation definition as a param in the controller factory, e.g. in `SwaggerOperationController.java`: `this.controller = config.getControllerFactory().instantiateController(cls, operation);`

I think this is an acceptable solution. We are not forcing the injection of the operation object, but provide more information and more flexibility to developers who use a custom controller factory. They can then store the operation definition and get the security configuration at runtime.

The only drawback is that the controller factory interface is changed.

  2. Pass the operation definition into a request context property. This would inject the operation into the request context, which may be more aggressive and dirty when compared with the previous solution. But no interface is changed.

airicyu avatar Jun 30 '16 07:06 airicyu

Created a branch for enhancing the controller factory (solution 1 above) at #122. See if you guys think that this change is acceptable.

airicyu avatar Jul 04 '16 02:07 airicyu

The way I've been telling people to handle this is to inject your security logic in your controller class. Since you have the RequestContext, you have all the headers, etc. to make the security determination. That keeps it quite flexible.

Please consider that option as well and post back with your feedback.

fehguy avatar Jul 07 '16 16:07 fehguy

Actually, what I want to do in my application is to make a middleware which, when a controller method is called, knows the operation definition's security setting. With this information, the middleware can do some guard/checking logic automatically. Hence, with the middleware, I can separate the security protection logic from my business logic code in the controller method.

I know that I can get all headers from RequestContext. But at runtime, I cannot determine which security setting (e.g. API key or OAuth2 bearer token) the current method call is using, so I cannot write the automatic logic mentioned above.

airicyu avatar Jul 07 '16 17:07 airicyu
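As an added illustration of what the thread converges on (not code from the issue, from #122, or from the swagger-inflector project itself): a custom controller factory that receives the `Operation` as proposed in solution 1, hands it to the controller, and a guard helper that reads `operation.getSecurity()` and then checks the `RequestContext` headers, as fehguy suggests. The `instantiateController(cls, operation)` signature is the one proposed in the issue; the scheme names `api_key` and `petstore_auth`, the header-to-scheme mapping, and the `PetController` class are assumptions made for this example.

```java
// Added example; not part of the issue thread or the swagger-inflector code base.
// Assumes the factory signature proposed in the issue (solution 1 / #122) and the
// swagger classes io.swagger.models.Operation, io.swagger.inflector.models.RequestContext
// and io.swagger.inflector.models.ResponseContext.
import io.swagger.inflector.controllers.ControllerFactory;
import io.swagger.inflector.models.RequestContext;
import io.swagger.inflector.models.ResponseContext;
import io.swagger.models.Operation;

import javax.ws.rs.core.MultivaluedMap;
import java.util.List;
import java.util.Map;

/** Controller factory that injects the Operation definition into controllers that want it. */
public class SecurityAwareControllerFactory implements ControllerFactory {

    /** Implemented by controllers that want the operation definition injected. */
    public interface OperationAware {
        void setOperation(Operation operation);
    }

    @Override
    public Object instantiateController(Class<? extends Object> cls, Operation operation)
            throws IllegalAccessException, InstantiationException {
        Object controller = cls.newInstance();
        if (controller instanceof OperationAware) {
            // The controller can now consult the security requirements at request time.
            ((OperationAware) controller).setOperation(operation);
        }
        return controller;
    }

    /**
     * Guard helper. Swagger 2.0 semantics for the "security" list: the outer list is OR
     * (any one requirement object may be satisfied), each map inside it is AND (every
     * named scheme must be satisfied). An operation with no security declared passes.
     */
    public static boolean isAuthorized(Operation operation, RequestContext request) {
        List<Map<String, List<String>>> requirements = operation.getSecurity();
        if (requirements == null || requirements.isEmpty()) {
            return true; // nothing declared on this operation, nothing to enforce
        }
        MultivaluedMap<String, String> headers = request.getHeaders();
        for (Map<String, List<String>> requirement : requirements) {
            boolean allPresent = true;
            for (String scheme : requirement.keySet()) {
                if (!schemeSatisfied(scheme, headers)) {
                    allPresent = false;
                    break;
                }
            }
            if (allPresent) {
                return true;
            }
        }
        return false; // no requirement object was fully satisfied
    }

    // Hypothetical mapping from scheme name to the credential the request must carry.
    // A real helper would resolve type/name/in from the spec's securityDefinitions.
    private static boolean schemeSatisfied(String scheme, MultivaluedMap<String, String> headers) {
        switch (scheme) {
            case "api_key":
                return headers.getFirst("api_key") != null;
            case "petstore_auth":
                String auth = headers.getFirst("Authorization");
                return auth != null && auth.startsWith("Bearer ");
            default:
                return false; // unknown scheme: fail closed
        }
    }

    /** Hypothetical controller that guards itself before running business logic. */
    public static class PetController implements OperationAware {
        private Operation operation;

        @Override
        public void setOperation(Operation operation) {
            this.operation = operation;
        }

        public ResponseContext getPetById(RequestContext request, Long petId) {
            if (!isAuthorized(operation, request)) {
                return new ResponseContext().status(401); // missing or wrong credential type
            }
            return new ResponseContext().status(200).entity("pet " + petId);
        }
    }
}
```

The factory is registered through the inflector configuration in place of the default one; because the guard derives the required scheme from the operation rather than from the headers alone, it answers the question raised in the last comment (API key versus bearer token) without duplicating the check in every business method. Failing closed on an unknown scheme name is deliberate: a typo in the spec then surfaces as a 401 in testing instead of an unprotected endpoint.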