How do you turn off swagger-ui in production
I have swagger plugged in to my spring boot application. Spring boot allows you to have property files for each environment that you have. Is there a way to disable swagger for a production environment?
Solution 1:
Put your swagger configuration into separate configuration class and annotate it with @Profile
annotation -> so that it will be scanned into Spring context only in certain profiles.
Example:
@Configuration
@EnableSwagger2
@Profile("dev")
public class SwaggerConfig {
// your swagger configuration
}
You can than define profile your Spring Boot app is operating in via command line: --spring.profiles.active=dev
or via config file: spring.profiles.active=dev
.
Read this section of Spring Boot docs for more info about @Profile
Solution 2:
If you are working on multiple environments then you can also use @Profile as array
@Configuration
@EnableSwagger2
@Profile({"dev","qa"})
public class SwaggerConfig {
// your swagger configuration
}
Solution 3:
with swagger 3.0.0 version you can add springfox.documentation.enabled=false
in corresponding environment profile application.properties
file. For example, I have added this to application-prod.properties
to disable in production (while running the app you must specify the profile using VM args like -Dspring.profiles.active=prod
)
Solution 4:
This is my configuration class:
@Configuration
@Profile("swagger")
@EnableSwagger2
public class SwaggerConfig {
@Value("${info.build.version}")
private String buildVersion;
@Bean
public Docket documentation() {
return new Docket(DocumentationType.SWAGGER_2)
.select()
.apis(RequestHandlerSelectors.any())
.paths(regex("/rest/.*"))
.build()
.pathMapping("/")
.apiInfo(metadata());
}
private ApiInfo metadata() {
return new ApiInfoBuilder()
.title("API documentation of our App")
.description("Use this documentation as a reference how to interact with app's API")
.version(buildVersion)
.contact(new Contact("Dev-Team", "https://dev-website", "dev@mailbox"))
.build();
}
}
Wherever I need Swagger, I add the profile swagger
to the environment variable SPRING_PROFILES_ACTIVE
Solution 5:
In addition to the answers configuring Spring using a profile, consider having rules on your reverse HTTP proxy to block access to the Swagger end points from outside the LAN. That would give you some defence in depth against attacks on the Swagger end points.