Curious people often like to play around with the APIs instead of using the GUI, or they would like to access things that they are not supposed to. One of the easiest ways to access APIs is through Swagger. It is great and convenient during development. It is also useful for public APIs (like Eris), so that users know how they function. But for private APIs, it is highly recommended to disable Swagger and Swagger-ui when deploying your apps to the production environment. In this article, we discuss how to disable Swagger-ui in Spring Boot in the production environment.
Note: this tutorial focuses on the SpringFox Swagger library, which as of 2022 is no longer maintained and cannot be used with Spring Boot versions newer than 2.3.X. For the Springdoc OpenAPI Swagger library, check our disable Springdoc OpenAPI Swagger in the production article.
Maven configuration
Essentially, what we want to achieve is to keep Swagger-ui activated for every environment (develop, staging, etc.) except production. For that, we first need to define a profile, let's say the production profile. We assume here that the project uses Maven, so we define the production profile in Maven's pom.xml precisely as follows:
...
<profiles>
    <profile>
        <id>production</id>
        <properties>
            <spring.profiles.active>production</spring.profiles.active>
        </properties>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                    <executions>
                        <execution>
                            <id>run-app</id>
                            <phase>compile</phase>
                            <goals>
                                <goal>run</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>
...
Configuring Spring Boot to disable Swagger-ui in Production
Then we need to add a setting in the application.properties so that we can access the profile within the Spring Boot application,
...
spring.profiles.active=@spring.profiles.active@
...
Lastly, we configure the Swagger bean file in the Spring Boot application and disable it for the production profile,
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

import static springfox.documentation.builders.PathSelectors.regex;

// Loaded for every profile except "production", so neither the Docket bean
// nor @EnableSwagger2 is registered when the production profile is active.
@Profile("!production")
@EnableSwagger2
@Configuration
public class SwaggerConfig {

    @Bean
    public Docket configureSwagger() {
        // Document every handler whose path matches /v1/...
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.any())
                .paths(regex("/v1/.*"))
                .build();
    }
}
In the above code, the line @Profile("!production") tells Spring Boot to inject this config in any profile except production. If you only want to enable it for a particular profile and keep it disabled for all others, remove the ! mark and replace production with a different profile name.
How to test whether Swagger-ui is disabled
To test whether Swagger-ui is disabled or not, we don’t need to deploy the application to production. We only need to mimic the production behavior by running the project with the production profile in Maven,
$ mvn clean compile -Pproduction
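The same check can be kept in the test suite so that a later change to SwaggerConfig cannot silently re-enable the API docs. The following is an added example, not code from the original article. It assumes JUnit 5 and spring-boot-starter-test are on the test classpath, that the test lives in the same package as SwaggerConfig, and that SpringFox serves its docs at its default /v2/api-docs path; the test class name is hypothetical.

```java
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;
import springfox.documentation.spring.web.plugins.Docket;

// Hypothetical test class (assumption: same package as SwaggerConfig).
// Boots the application with the "production" profile active.
@SpringBootTest
@AutoConfigureMockMvc
@ActiveProfiles("production")
class SwaggerDisabledInProductionTest {

    @Autowired
    private ApplicationContext context;

    @Autowired
    private MockMvc mockMvc;

    @Test
    void swaggerConfigIsNotLoaded() {
        // @Profile("!production") must keep the whole configuration class out,
        // so neither SwaggerConfig nor its Docket bean may exist.
        assertThat(context.getBeansOfType(SwaggerConfig.class)).isEmpty();
        assertThat(context.getBeansOfType(Docket.class)).isEmpty();
    }

    @Test
    void apiDocsEndpointIsNotServed() throws Exception {
        // Assumption: /v2/api-docs is the SpringFox default docs path and no
        // security filter answers first (that would give 401/403, not 404).
        mockMvc.perform(get("/v2/api-docs"))
               .andExpect(status().isNotFound());
    }
}
```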
Deploy it to production
Since we will not run and compile the project in production, we cannot rely on the -P argument in Maven. Instead, we can pass the profile as an environment variable. So all we have to do is to override spring.profiles.active as follows,
$ export SPRING_PROFILES_ACTIVE=production
Conclusion
In this article, we discussed how to disable Swagger-ui in Spring Boot in the production environment. That is a necessary security measure, especially if the API is exposed to the public internet.
And that’s all. Happy deployment!