Ability to disable swagger-ui default petstore url

[alfonz19]

We are deploying to production environment. If someone opens default swagger page without configUrl specified, it's completely NOT ok, to display some playground petstore app.

by setting property( is placeholder):

springdoc.swagger-ui.configUrl=/<contextPath>/v3/api-docs

I'd expect that this configUrl will be opened if configUrl is not present in URL, however it seems, that if I put this configuration here, I won't be able to use url:

http://localhost:8080/<contextPath>/swagger-ui/index.html?configUrl=/<contextPath>/v3/api-docs

and will get PetStore undesirable even for this URL. Either I'm misreading documentation or this is a bug.

Regardless of that — I understand, that this behavior goes back to swagger_ui and their targetting of their product for non-prod environment. The web/stackoverflow/... provides examples how to block this behavior, but the suggestions are rather ridiculous(rebuilding swagger), or not appliable (because requires javascript customization of swagger). Can you suggest correct solution? I don't want to see any possibility to reach PetStore nonsense or any other config other than what we provided on our URL. If someone wants to use PetStore app, he can surely do it elsewhere. Currently we have to do it via spring resource transformer just to force swagger to good behavior.

[bnasslahsen]

@alfonz19,

This behaviour is not related directly to sprindoc-openapi, but to swagger-ui project:

• urls option from custom swagger-config.yaml ignored. swagger-api/swagger-ui#6019
• Configure swagger-ui-dist URL server side swagger-api/swagger-ui#5710

It is a duplicate of: #43, #379 and #660.

Our goal is not to change the behaviour of the swagger-ui. But to build on top of it.
I see that there is a lot of demand on disabling this default url, because its understandable from a security perspective that some organisations don't want to serve the default swagger-ui petstore url.

So waiting for the swagger-ui to address issue, we can add a property to disable it on the springdoc side, and hide all the additional configuration of adding spring resource transformer.

[alfonz19]

Ok, so there is currently no way, how to correctly block it somehow from your side?

What we probably will endup using is setting springdoc.swagger-ui.layout to BaseLayout (which seems not to be the default values as your documentation says, since wihout it I'm getting StandaloneLayout) and filtering requests to overwrite all incorrect swagger requests(like removing layout or chagning configuration) to correct one. It's very bad solution, but I'm not aware of any better. Are you?

And how do you explain described behavior of configUrl?
springdoc.swagger-ui.configUrl

[bnasslahsen]

As explained, you can use spring resource transformer to block. We will see if we can add it on springdoc property which is not the best choice.

springdoc.swagger-ui.configUrl is mapping of on the swagger-ui property: configUrl

• https://springdoc.org/springdoc-properties.html#swagger-ui-properties
• https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/

You can have a look at the documentation of configurl, which serves all the configuration of the swagger and ( url/urls are only one of the fields returned by the configurl):

• This property will not help you change anything about the default url, without extra code.

The layout setting depend on the experience you want to offer to the user. There is no bad choice on that. It depends on your own context.

[bnasslahsen]

Starting from the next release v1.4.1, the following property will be added to disable the swagger-ui default petstore url:

springdoc.swagger-ui.disable-swagger-default-url=true

@alfonz19, you can validate it with the latest snapshot which is already deployed.

[alfonz19]

Thank you very much!

[alfonz19]

Tested it, it works. Thanks again.

[sourabhparsekar]

springdoc.swagger-ui.disable-swagger-default-url=true

THis is not working for me in 1.4.4 version :(

[bnasslahsen]

@sourabhparsekar,

It's just deployed using the last stable version (v1.4.8) without any issue: You can see the petstore url is disabled here:

• http://158.101.164.60:8081/swagger-ui/index.html

If you have having any difficulties, you can have a look at the sample configuration for this sample:

• https://github.com/springdoc/springdoc-openapi-demos/tree/master/springdoc-openapi-spring-boot-2-webmvc

If you are still facing problems, please help to speed up problem diagnosis by providing as much information as possible, by providing a Minimal, Reproducible Example - with HelloController that reproduces the problem:

• https://github.com/springdoc/springdoc-openapi/blob/master/CONTRIBUTING.adoc

[sourabhparsekar]

@bnasslahsen - Yes, after changing to v1.4.8, it works as expected. 👍

[RyanHolstien]

Same, changing to 1.5.4 version in the same project correctly prevents the default page from loading.