Swagger - Custom authentication for /api-docs

We have a Spring 5, non-Spring Boot application, using Springfox 2.9.2 + Swagger UI.

I don't know how to secure /api-docs endpoint: I'd like it to call my authentication function each time it's accessed. I made it work for swagger-ui.html, but without success for /api-docs. Here's what I got.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class SwaggerConfig implements WebMvcConfigurer {

    protected AuthService authService;

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // registry.addViewController("/docs/swagger/api-docs"); doesn't work
        registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/ui", "/swagger-resources/configuration/ui");
        registry.addRedirectViewController("/docs/swagger/swagger-resources/configuration/security", "/swagger-resources/configuration/security");
        registry.addRedirectViewController("/docs/swagger/swagger-resources", "/swagger-resources");
    }

    class Interceptor implements HandlerInterceptor {
        @Override
        public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler) {
            try {
                authService.assertAdmin(); // I need to call this
            } catch (Exception e) {
                return false;
            }
            return true;
        }
    }

    @Override
    public void addInterceptors(final InterceptorRegistry registry) {
        registry.addInterceptor(new Interceptor());
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // docs/swagger/index.html

        // docs/swagger/webjars
    }
}
Another option would be to close access to /api-docs permanently and just directly call the method that generates JSON from some new endpoint. Would that be possible?


  • Eventually I solved this with Spring Security, as @UsamaAmjad proposed.

    open class SecurityInitializer : AbstractSecurityWebApplicationInitializer()

    open class SecurityConfig : WebSecurityConfigurerAdapter() {
        override fun configure(http: HttpSecurity) {
        }

        open fun myFilter() = object : FilterSecurityInterceptor() {
            override fun doFilter(request: ServletRequest?, response: ServletResponse?, chain: FilterChain?) {
                if (do your stuff here) {
                    chain!!.doFilter(request, response) // continue with other filters
                } else {
                    super.doFilter(request, response, chain) // filter this request
                }
            }
        }
    }
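
An added example, not part of the original answer: a servlet filter that calls the question's authService.assertAdmin() before the request reaches Spring MVC's DispatcherServlet, so the check does not depend on which handler mapping serves the docs endpoint. The AuthService interface, the class name ApiDocsAuthFilter and the path list are assumptions; the filter still has to be registered in the application's web.xml or WebApplicationInitializer.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;

// Assumption: the question's AuthService, reduced to the one call it shows.
interface AuthService {
    void assertAdmin() throws Exception;
}

public class ApiDocsAuthFilter extends OncePerRequestFilter {
    // "/api-docs" is the path named in the question; "/v2/api-docs" is the
    // Springfox 2.x default. Adjust to the paths the application really serves.
    private static final List<String> PROTECTED = Arrays.asList(
            "/api-docs", "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html");

    private final AuthService authService;
    private final AntPathMatcher matcher = new AntPathMatcher();
    private final UrlPathHelper pathHelper = new UrlPathHelper();

    public ApiDocsAuthFilter(AuthService authService) {
        this.authService = authService;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Context path stripped; with UrlPathHelper's defaults the path is
        // also URL-decoded and ";..." path parameters are removed.
        String path = pathHelper.getPathWithinApplication(request);
        return PROTECTED.stream().noneMatch(p -> matcher.match(p, path));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        try {
            authService.assertAdmin();
        } catch (Exception e) {
            // Fail closed: any failure of the check ends the request here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```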