Question
So, I started using Swagger. I'm absolutely in love with its features, but I have some doubts about the availability of all methods to the public.
As far as I understood, all of the "auth" methods included in Swashbuckle are actually about the APIs themselves, but I don't need help there - all of my APIs are protected by an API id/key pair.
I would like to somehow utilise ASP.NET Identity (login system) to restrict access to the API page (/swagger/ui/index).
Is there any way? Any methods in Swashbuckle? Any routes/Identity hacks?
Any help is appreciated.
Edit 1: The [ApiExplorerSettings(IgnoreApi = true)] attribute is not what I'm looking for - it restricts all the access to the methods, regardless of Identity.
Answer 1:
Concerning restricting exposure of individual APIs in your swagger documentation:
Swashbuckle 5.x:
Swashbuckle 5.x has a configuration option called IgnoreObsoleteActions (that you need to set; it isn't enabled by default) that will hide actions if they have the [Obsolete] attribute.
Example: Configuration
    httpConfiguration
        .EnableSwagger(c =>
        {
            c.IgnoreObsoleteActions();
        });
More info available in the documentation.
Swashbuckle 4.1.x (or if you don't want to use the obsolete attribute):
Swashbuckle builds the swagger documentation on top of IApiExplorer. You should be able to add an attribute -- [ApiExplorerSettings(IgnoreApi = true)] -- to manage ApiExplorerSettings on the controller class or individual controller methods to have the explorer (and subsequently, Swashbuckle) ignore them when generating the documentation.
Example: Individual actions
    /// Ignore 'GetFoo' in documentation
    public class FooBarController
    {
        [ApiExplorerSettings(IgnoreApi = true)]
        public Bar GetFoo()
        {
            ...
        }

        public Bar GetBar()
        {
            ...
        }
    }
Example: Controller classes
    /// Ignore every controller method in FooBarController in documentation
    [ApiExplorerSettings(IgnoreApi = true)]
    public class FooBarController
    {
        public Bar GetFoo()
        {
            ...
        }

        public Bar GetBar()
        {
            ...
        }
    }
More details in this GitHub Issue. I've used this myself in Swashbuckle 4.1.x.
Answer 2:
Created new folder called "swagger" in the project root. The folder name should match the url to the swagger documentation.
Added new Web.config file in the newly created folder.
    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
      </system.webServer>
    </configuration>
answer found here.
Another option will be:
"Off the top of my head I would say a DelegatingHandler is what you need here."
answer found here.
Source: https://stackoverflow.com/questions/33176319/restrict-access-to-certain-api-controllers-in-swagger-using-swashbuckle-and-asp