在SpringBoot中通过配置Swagger权限解决Swagger未授权访问漏洞

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;
 
@Configuration
@EnableSwagger2
public class SwaggerConfig {
 
    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.any()) // 对所有API进行扫描
                .paths(PathSelectors.none()) // 不对任何路径进行文档化
                .build()
                .securitySchemes(securitySchemes())
                .securityContexts(securityContexts());
    }
 
    private List<SecurityScheme> securitySchemes() {
        return Collections.singletonList(new ApiKey("JWT", "Authorization", "header"));
    }
 
    private List<SecurityContext> securityContexts() {
        return Collections.singletonList(
                SecurityContext.builder()
                        .securityReferences(defaultAuth())
                        .forPaths(PathSelectors.regex("/api/.*"))
                        .build());
    }
 
    private List<SecurityReference> defaultAuth() {
        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
        authorizationScopes[0] = authorizationScope;
        return Collections.singletonList(new SecurityReference("JWT", authorizationScopes));
    }
}

这段代码配置了Swagger，但是没有对任何接口进行文档化，因此不会暴露任何接口信息，从而避免了未授权访问的问题。这是一个典型的在生产环境中关闭或者限制Swagger访问的配置。