How do you turn off swagger-ui in production

Question

I have swagger plugged in to my spring boot application. Spring boot allows you to have property files for each environment that you have. Is there a way to disable swagger for a production environment?

Answer 1

Put your swagger configuration into separate configuration class and annotate it with @Profile annotation -> so that it will be scanned into Spring context only in certain profiles.

Example:

@Configuration
@EnableSwagger2
@Profile("dev")
public class SwaggerConfig {
    // your swagger configuration
}

You can than define profile your Spring Boot app is operating in via command line: --spring.profiles.active=dev or via config file: spring.profiles.active=dev .

Read this section of Spring Boot docs for more info about @Profile

Answer 2

If you are working on multiple environments then you can also use @Profile as array

@Configuration
@EnableSwagger2
@Profile({"dev","qa"})
public class SwaggerConfig {
   // your swagger configuration
}

Answer 3

with swagger 3.0.0 version you can add springfox.documentation.enabled=false in corresponding environment profile application.properties file. For example, I have added this to application-prod.properties to disable in production (while running the app you must specify the profile using VM args like -Dspring.profiles.active=prod )

Answer 4

This is my configuration class:

@Configuration
@Profile("swagger")
@EnableSwagger2
public class SwaggerConfig {

    @Value("${info.build.version}")
    private String buildVersion;

    @Bean
    public Docket documentation() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.any())
                .paths(regex("/rest/.*"))
                .build()
                .pathMapping("/")
                .apiInfo(metadata());
    }

    private ApiInfo metadata() {
        return new ApiInfoBuilder()
                .title("API documentation of our App")
                .description("Use this documentation as a reference how to interact with app's API")
                .version(buildVersion)
                .contact(new Contact("Dev-Team", "https://dev-website", "dev@mailbox"))
                .build();
    }
}

Wherever I need Swagger, I add the profile swagger to the environment variable SPRING_PROFILES_ACTIVE

Answer 5

In addition to the answers configuring Spring using a profile , consider having rules on your reverse HTTP proxy to block access to the Swagger end points from outside the LAN. That would give you some defence in depth against attacks on the Swagger end points.

Answer 6

For those that use code gen (which generates Swagger2SpringBoot):

1. Write your own Swagger2SpringBoot (with the @Profile bit) and locate it in the same package path as the autogenerated one.
2. Edit swagger-codegen-maven-plugin to place generated into src/main/java (which will overwrite your own one in point 1.
3. Edit .swagger-codegen-ignore to not overwrite your Swagger2SpringBoot
4. Note other stuff will also be overwritten eg. pom.xml and application.properties. Just add them to .swagger-codegen-ignore too.

Done.

Answer 7

1. have configuration for env

   @Configuration

   @EnableSwagger2

   @Profile("devone")

2. application.yaml

    profiles: active: ${MY_ENV:devone}

MY_ENV you will read from file, like .env

.env file content: MY_ENV=prod

In the production keep other .env file only for production credentials.

Answer 8

An old question, but if you are using SpringDoc v1.2.12+:

springdoc.swagger-ui.enabled=false
springdoc.api-docs.enabled=false

From: https://github.com/springdoc/springdoc-openapi/issues/191#issuecomment-558809236

Answer 9

spring.profiles.active=production with @Profile("!production") worked for me to turn off swagger in prod.

Ex :-

@Profile("!production")
@Component
@EnableSwagger2
public class SwaggerConfig {
       //TODO
}