ignore Authentication in controller params. Fixes #245

Author: springdoc

springdoc-openapi-common/src/main/java/org/springdoc/core/AbstractRequestBuilder.java

@@ -1,6 +1,7 @@
 package org.springdoc.core;
 
 import com.fasterxml.jackson.annotation.JsonView;
+import io.swagger.v3.oas.annotations.Hidden;
 import io.swagger.v3.oas.models.Components;
 import io.swagger.v3.oas.models.Operation;
 import io.swagger.v3.oas.models.media.Schema;
@@ -9,6 +10,7 @@
 import org.springdoc.core.RequestInfo.ParameterType;
 import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
 import org.springframework.core.annotation.AnnotatedElementUtils;
+import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.util.CollectionUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.method.HandlerMethod;
@@ -32,6 +34,7 @@ public abstract class AbstractRequestBuilder {
     private final AbstractParameterBuilder parameterBuilder;
     private final RequestBodyBuilder requestBodyBuilder;
     private final OperationBuilder operationBuilder;
+    public static List<Class> PARAM_TYPES_TO_IGNORE = new ArrayList<>();
 
     protected AbstractRequestBuilder(AbstractParameterBuilder parameterBuilder, RequestBodyBuilder requestBodyBuilder,
                                      OperationBuilder operationBuilder) {
@@ -41,7 +44,9 @@ protected AbstractRequestBuilder(AbstractParameterBuilder parameterBuilder, Requ
         this.operationBuilder = operationBuilder;
     }
 
-    protected abstract boolean isParamTypeToIgnore(Class<?> paramType);
+    protected boolean isParamTypeToIgnore(Class<?> paramType){
+        return false;
+    }
 
     public Operation build(Components components, HandlerMethod handlerMethod, RequestMethod requestMethod,
                            Operation operation, MethodAttributes methodAttributes) {
@@ -110,7 +115,7 @@ protected boolean isParamToIgnore(java.lang.reflect.Parameter parameter) {
         if (parameter.isAnnotationPresent(PathVariable.class)) {
             return false;
         }
-        return parameterBuilder.isAnnotationToIgnore(parameter) || isParamTypeToIgnore(parameter.getType());
+        return parameterBuilder.isAnnotationToIgnore(parameter) || isParamTypeToIgnore(parameter.getType()) || PARAM_TYPES_TO_IGNORE.contains(parameter.getType()) || (AnnotationUtils.findAnnotation(parameter.getType(), Hidden.class) != null);
     }
 
     private void setParams(Operation operation, List<Parameter> operationParameters, RequestBodyInfo requestBodyInfo) {

springdoc-openapi-kotlin/src/main/java/org/springdoc/core/KotlinCoroutinesRequestBuilder.java

@@ -6,23 +6,19 @@
 import org.springframework.stereotype.Component;
 import org.springframework.web.method.HandlerMethod;
 
-import java.util.List;
-
 @Primary
 @Component
 public class KotlinCoroutinesRequestBuilder extends AbstractRequestBuilder {
 
-    private final List<AbstractRequestBuilder> requestBuilders;
 
     public KotlinCoroutinesRequestBuilder(AbstractParameterBuilder parameterBuilder, RequestBodyBuilder requestBodyBuilder,
-                                          OperationBuilder operationBuilder, List<AbstractRequestBuilder> requestBuilders) {
+                                          OperationBuilder operationBuilder) {
         super(parameterBuilder, requestBodyBuilder, operationBuilder);
-        this.requestBuilders = requestBuilders;
     }
 
     @Override
     protected boolean isParamTypeToIgnore(Class<?> paramType) {
-        return paramType.isAssignableFrom(Continuation.class) || requestBuilders.stream().anyMatch(builder -> builder.isParamTypeToIgnore(paramType));
+        return paramType.isAssignableFrom(Continuation.class);
     }
 
     @Override

springdoc-openapi-security/src/main/java/org/springdoc/core/IgnoredParameterAnnotationsWithSecurity.java

@@ -1,6 +1,7 @@
 package org.springdoc.core;
 
 import org.springframework.context.annotation.Primary;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.stereotype.Component;
 
@@ -12,5 +13,4 @@ public class IgnoredParameterAnnotationsWithSecurity implements IgnoredParameter
     public boolean isAnnotationToIgnore(java.lang.reflect.Parameter parameter) {
         return parameter.isAnnotationPresent(AuthenticationPrincipal.class);
     }
-
 }

springdoc-openapi-security/src/main/java/org/springdoc/core/IgnoredParameterTypes.java

@@ -0,0 +1,11 @@
+package org.springdoc.core;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+@Component
+public class IgnoredParameterTypes {
+    static {
+        AbstractRequestBuilder.PARAM_TYPES_TO_IGNORE.add(Authentication.class);
+    }
+}

springdoc-openapi-security/src/test/java/test/org/springdoc/api/app2/app1/HelloController.java

@@ -0,0 +1,16 @@
+package test.org.springdoc.api.app2.app1;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class HelloController {
+
+
+    @GetMapping
+    public Object doPost(@RequestBody String req, org.springframework.security.core.Authentication auth) {
+        return null;
+    }
+
+}

springdoc-openapi-security/src/test/java/test/org/springdoc/api/app2/app1/SpringDocApp2Test.java

@@ -0,0 +1,7 @@
+package test.org.springdoc.api.app2.app1;
+
+import test.org.springdoc.api.AbstractSpringDocTest;
+
+public class SpringDocApp2Test extends AbstractSpringDocTest {
+
+}

springdoc-openapi-security/src/test/java/test/org/springdoc/api/app2/app1/SpringDocTestApp.java

@@ -0,0 +1,24 @@
+package test.org.springdoc.api.app2.app1;
+
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.info.License;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+
+@SpringBootApplication
+@ComponentScan(basePackages = {"org.springdoc", "test.org.springdoc.api.app2"})
+public class SpringDocTestApp {
+    public static void main(String[] args) {
+        SpringApplication.run(SpringDocTestApp.class, args);
+    }
+
+    @Bean
+    public OpenAPI customOpenAPI() {
+        return new OpenAPI()
+                .info(new Info().title("Security API").version("v1")
+                        .license(new License().name("Apache 2.0").url("http://springdoc.org")));
+    }
+}

springdoc-openapi-security/src/test/resources/results/app2.json

@@ -0,0 +1,50 @@
+{
+  "openapi": "3.0.1",
+  "info": {
+    "title": "Security API",
+    "license": {
+      "name": "Apache 2.0",
+      "url": "http://springdoc.org"
+    },
+    "version": "v1"
+  },
+  "servers": [
+    {
+      "url": "",
+      "description": "Generated server url"
+    }
+  ],
+  "paths": {
+    "/": {
+      "get": {
+        "tags": [
+          "hello-controller"
+        ],
+        "operationId": "doPost",
+        "parameters": [
+          {
+            "name": "req",
+            "in": "query",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "default response",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "object"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "components": {}
+}

springdoc-openapi-webflux-core/src/main/java/org/springdoc/core/RequestBuilder.java

@@ -2,7 +2,6 @@
 
 import io.swagger.v3.oas.models.Operation;
 import org.springframework.http.HttpMethod;
-import org.springframework.http.server.ServerHttpResponse;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.validation.BindingResult;
@@ -22,20 +21,30 @@ public RequestBuilder(AbstractParameterBuilder parameterBuilder, RequestBodyBuil
         super(parameterBuilder, requestBodyBuilder, operationBuilder);
     }
 
-    @Override
-    protected boolean isParamTypeToIgnore(Class<?> paramType) {
-        return WebRequest.class.equals(paramType) || NativeWebRequest.class.equals(paramType)
-                || java.security.Principal.class.equals(paramType) || HttpMethod.class.equals(paramType)
-                || java.util.Locale.class.equals(paramType) || java.util.TimeZone.class.equals(paramType)
-                || java.time.ZoneId.class.equals(paramType) || java.io.InputStream.class.equals(paramType)
-                || java.io.Reader.class.equals(paramType) || java.io.OutputStream.class.equals(paramType)
-                || java.io.Writer.class.equals(paramType) || java.util.Map.class.equals(paramType)
-                || org.springframework.ui.Model.class.equals(paramType) || ServerHttpRequest.class.equals(paramType)
-                || org.springframework.ui.ModelMap.class.equals(paramType) || ServerHttpResponse.class.equals(paramType)
-                || Errors.class.equals(paramType) || BindingResult.class.equals(paramType) || ServerWebExchange.class.equals(paramType)
-                || SessionStatus.class.equals(paramType) || UriComponentsBuilder.class.equals(paramType);
+    static {
+        PARAM_TYPES_TO_IGNORE.add(WebRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(NativeWebRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(java.security.Principal.class);
+        PARAM_TYPES_TO_IGNORE.add(HttpMethod.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.Locale.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.TimeZone.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.InputStream.class);
+        PARAM_TYPES_TO_IGNORE.add(java.time.ZoneId.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.Reader.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.OutputStream.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.Writer.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.Map.class);
+        PARAM_TYPES_TO_IGNORE.add(org.springframework.ui.Model.class);
+        PARAM_TYPES_TO_IGNORE.add(ServerHttpRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(org.springframework.ui.ModelMap.class);
+        PARAM_TYPES_TO_IGNORE.add(Errors.class);
+        PARAM_TYPES_TO_IGNORE.add(BindingResult.class);
+        PARAM_TYPES_TO_IGNORE.add(ServerWebExchange.class);
+        PARAM_TYPES_TO_IGNORE.add(SessionStatus.class);
+        PARAM_TYPES_TO_IGNORE.add(UriComponentsBuilder.class);
     }
 
+
     @Override
     protected Operation customiseOperation(Operation operation, HandlerMethod handlerMethod) {
         return operation;

springdoc-openapi-webmvc-core/src/main/java/org/springdoc/core/RequestBuilder.java

@@ -1,8 +1,6 @@
 package org.springdoc.core;
 
-import io.swagger.v3.oas.annotations.Hidden;
 import io.swagger.v3.oas.models.Operation;
-import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.http.HttpMethod;
 import org.springframework.stereotype.Component;
 import org.springframework.validation.BindingResult;
@@ -22,24 +20,32 @@ public RequestBuilder(AbstractParameterBuilder parameterBuilder, RequestBodyBuil
         super(parameterBuilder, requestBodyBuilder, operationBuilder);
     }
 
-    @Override
-    protected boolean isParamTypeToIgnore(Class<?> paramType) {
-        return WebRequest.class.equals(paramType) || NativeWebRequest.class.equals(paramType)
-                || javax.servlet.ServletRequest.class.equals(paramType)
-                || javax.servlet.ServletResponse.class.equals(paramType)
-                || javax.servlet.http.HttpServletRequest.class.equals(paramType)
-                || javax.servlet.http.HttpServletResponse.class.equals(paramType)
-                || javax.servlet.http.HttpSession.class.equals(paramType)
-                || java.security.Principal.class.equals(paramType) || HttpMethod.class.equals(paramType)
-                || java.util.Locale.class.equals(paramType) || java.util.TimeZone.class.equals(paramType)
-                || java.time.ZoneId.class.equals(paramType) || java.io.InputStream.class.equals(paramType)
-                || java.io.Reader.class.equals(paramType) || java.io.OutputStream.class.equals(paramType)
-                || java.io.Writer.class.equals(paramType) || java.util.Map.class.equals(paramType)
-                || org.springframework.ui.Model.class.equals(paramType)
-                || org.springframework.ui.ModelMap.class.equals(paramType) || RedirectAttributes.class.equals(paramType)
-                || Errors.class.equals(paramType) || BindingResult.class.equals(paramType)
-                || SessionStatus.class.equals(paramType) || UriComponentsBuilder.class.equals(paramType)
-                || (AnnotationUtils.findAnnotation(paramType, Hidden.class) != null);
+    static {
+        PARAM_TYPES_TO_IGNORE.add(WebRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(NativeWebRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.ServletRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.ServletResponse.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.http.HttpServletRequest.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.http.HttpServletResponse.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.http.HttpSession.class);
+        PARAM_TYPES_TO_IGNORE.add(java.security.Principal.class);
+        PARAM_TYPES_TO_IGNORE.add(javax.servlet.http.HttpSession.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.Locale.class);
+        PARAM_TYPES_TO_IGNORE.add(HttpMethod.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.TimeZone.class);
+        PARAM_TYPES_TO_IGNORE.add(java.time.ZoneId.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.InputStream.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.Reader.class);
+        PARAM_TYPES_TO_IGNORE.add(java.io.OutputStream.class);
+        PARAM_TYPES_TO_IGNORE.add(java.util.Map.class);
+        PARAM_TYPES_TO_IGNORE.add(org.springframework.ui.Model.class);
+        PARAM_TYPES_TO_IGNORE.add(org.springframework.ui.ModelMap.class);
+        PARAM_TYPES_TO_IGNORE.add(RedirectAttributes.class);
+        PARAM_TYPES_TO_IGNORE.add(Errors.class);
+        PARAM_TYPES_TO_IGNORE.add(BindingResult.class);
+        PARAM_TYPES_TO_IGNORE.add(SessionStatus.class);
+        PARAM_TYPES_TO_IGNORE.add(UriComponentsBuilder.class);
+        PARAM_TYPES_TO_IGNORE.add(BindingResult.class);
     }
 
     @Override