Configure global token parameters in Swagger3

Configuration code:

```java
import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
// @Profile()
public class SwaggerConfig {

    @Bean
    public OpenAPI springShopOpenAPI() {
        return new OpenAPI()
                .components(components())
                // 2. Then add the security requirement Swagger should apply globally here;
                //    addList() takes the key that was registered in components()
                .addSecurityItem(new SecurityRequirement().addList("tokenScheme"));
    }

    // 1. First register the security scheme in the components
    private Components components() {
        return new Components()
                // The first argument is the key; the second builds the scheme itself:
                // an apiKey carried in the request header named "token"
                .addSecuritySchemes("tokenScheme", new SecurityScheme()
                        .type(SecurityScheme.Type.APIKEY)
                        .in(SecurityScheme.In.HEADER)
                        .name("token"));
    }
}
```

Open the Swagger page, the effect is as follows:

An extra lock icon appears on the right; click it to enter the token value.

After clicking Authorize, every request Swagger sends automatically includes a `token` field in the request header, with the value you entered.

Reference link: springdoc-openapi-ui adds a JWT request header parameter to generate swagger

Security policy type SecurityScheme.Type

Note that when initializing the security policy, you can choose a variety of types:

The example above uses the apiKey type: you specify where the apiKey is carried (here, a request header), and Swagger then attaches it automatically to every request it sends.

As the picture above shows, there are other types besides apiKey, such as http. I have not used the other types yet, so I will not describe them all here, but what is this http security scheme? Let's find out.

http security policy

The HTTP protocol itself defines an authentication mechanism, but it is rarely talked about because it is seldom used directly in practice.

WWW-Authenticate field

The server can return a 401 Unauthorized status code together with a WWW-Authenticate header, which tells the client that the endpoint requires authorization and specifies the relevant details, such as which authentication scheme to use.

For details, please refer to the MDN document: WWW-Authenticate .

Common authentication schemes include Basic, Bearer and others, which are not described in detail here.

Authorization

Correspondingly, the request carries the user's credentials in the **Authorization** header. The syntax is:

Authorization: <auth-scheme> <authorization-parameters>

The first part names the authentication scheme being used, and the second part carries the parameters for that scheme (for example, the token itself for Bearer).

For details, please refer to the MDN document: Authorization .

Practice in Swagger

In summary, to use the http security scheme, configure it in Swagger as follows:

```java
private Components components() {
    return new Components()
            .addSecuritySchemes("tokenScheme", new SecurityScheme()
                    .type(SecurityScheme.Type.APIKEY)
                    .in(SecurityScheme.In.HEADER)
                    .name("token"))
            // type is HTTP, and the scheme is set to bearer
            .addSecuritySchemes("httpTest", new SecurityScheme()
                    .type(SecurityScheme.Type.HTTP)
                    .scheme("bearer"));
}
```

The Swagger page is as follows:

Note that because this is an http security scheme, Swagger will only send the credential in the standard Authorization request header (as `Authorization: Bearer <value>`). If your token authentication reads the custom `token` header directly, this scheme has no effect and the apiKey scheme above is the one to use.
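To make the WWW-Authenticate / Authorization exchange above concrete, and to show what the caveat in the previous paragraph means for the server side, here is an added example that is not part of the original post or of springdoc. It is a plain-Java, framework-free helper (the class name `HeaderAuth`, the sample tokens and users, and the realm name are all constructed for illustration): it accepts either the custom `token` header that the apiKey scheme sends or a standard `Authorization` header with the Bearer or Basic scheme, and answers with a 401 plus a `WWW-Authenticate` challenge when neither is valid.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

/** Hypothetical helper modelling the HTTP challenge/response handshake. Not part of Spring or springdoc. */
public final class HeaderAuth {

    /** Outcome for one request: HTTP status, challenge to send on 401, authenticated user on 200. */
    public record Decision(int status, String wwwAuthenticate, String principal) {
        static Decision ok(String principal) { return new Decision(200, null, principal); }
        static Decision unauthorized() { return new Decision(401, CHALLENGE, null); }
    }

    // Constructed sample credential stores: bearer token -> user, Basic user -> password.
    private static final Map<String, String> BEARER_TOKENS = Map.of("tok-abc123", "alice");
    private static final Map<String, String> BASIC_USERS = Map.of("bob", "s3cret");

    // Value of the WWW-Authenticate header: tells the client which schemes are accepted.
    static final String CHALLENGE = "Bearer realm=\"api\", Basic realm=\"api\"";

    /** Inspect request headers and decide whether the request is authenticated. */
    public static Decision authenticate(Map<String, String> rawHeaders) {
        // HTTP header names are case-insensitive, so normalise the lookup first.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.putAll(rawHeaders);

        // Path 1: custom "token" header, which is what the apiKey scheme in Swagger sends.
        String custom = headers.get("token");
        if (custom != null && BEARER_TOKENS.containsKey(custom)) {
            return Decision.ok(BEARER_TOKENS.get(custom));
        }

        // Path 2: standard Authorization header, which is what the http scheme sends.
        // Syntax: <auth-scheme> <authorization-parameters>; the scheme name is case-insensitive.
        String auth = headers.get("Authorization");
        if (auth == null) return Decision.unauthorized();
        int sp = auth.indexOf(' ');
        if (sp < 0) return Decision.unauthorized();
        String scheme = auth.substring(0, sp);
        String params = auth.substring(sp + 1).trim();

        if (scheme.equalsIgnoreCase("Bearer")) {
            String user = BEARER_TOKENS.get(params);
            return user == null ? Decision.unauthorized() : Decision.ok(user);
        }
        if (scheme.equalsIgnoreCase("Basic")) {
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(params), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedBase64) {
                return Decision.unauthorized();
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) return Decision.unauthorized();
            String user = decoded.substring(0, colon);
            String pass = decoded.substring(colon + 1);
            String expected = BASIC_USERS.get(user);
            // Constant-time comparison so a wrong password does not leak how many bytes matched.
            if (expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8))) {
                return Decision.ok(user);
            }
            return Decision.unauthorized();
        }
        // Unknown scheme: challenge again rather than guessing.
        return Decision.unauthorized();
    }

    public static void main(String[] args) {
        // No credentials: 401 with the WWW-Authenticate challenge.
        System.out.println(authenticate(Map.of()));
        // Custom header, as sent by the apiKey scheme.
        System.out.println(authenticate(Map.of("token", "tok-abc123")));
        // Standard header, as sent by the http bearer scheme.
        System.out.println(authenticate(Map.of("Authorization", "Bearer tok-abc123")));
        // Basic scheme with base64("bob:s3cret").
        String basic = Base64.getEncoder().encodeToString("bob:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate(Map.of("authorization", "Basic " + basic)));
    }
}
```

The two lookup paths are the point of the example: a server that only implements path 1 will reject requests authorised through Swagger's http scheme, which is exactly the mismatch described above, while a server that implements both lets either Swagger scheme work. Requires Java 16 or newer for the record type.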


Origin blog.csdn.net/weixin_55658418/article/details/130042574