[
https://issues.apache.org/jira/browse/CXF-8636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544936#comment-17544936
]
Amichai Rothman commented on CXF-8636:
--------------------------------------
After digging a bit deeper, and better understood what was wrong and why the
docs are still confusing:
* The workaround is activated only if the SwaggerUIConfig exists, it has a url
property, and either doesn't have the queryConfigEnabled or has it set to
'false'. or inversely: it does not work out of the box (when no config exists),
does not work if a url is not set (which is not apparent from the docs - the
query parameter exists but is ignored and only the config url is used), or if
queryConfigEnabled is set to 'true'.
* I went straight for the latest swagger-ui 4.11.1, but as it turns out, the
CXF 3.5.2 workaround is broken on it. The last swagger-ui for which CXF 3.5.2
still works is 4.8.1. It looks like the workaround may have been updated to
work with newer swagger-ui only in newer CXF, hopefully backwards-compatible
with all the intermediate swagger-ui versions as well.
* The url query parameter is still added and redirected to, but then ignored
(only url from config is used).
So in short,it works with CXF 3.5.2 but only up to swagger-ui 4.8.1, with an
explicit SwaggerUIConfig with explicit url and false or unset
queryConfigEnabled.
To save others a few hours of work, I think a fuller explanation with all the
details should be updated in the docs (both for swagger and openapi features).
I hope this helps...
> Swagger2Feature: Can't set url in UI through SwaggerUiConfig
> ------------------------------------------------------------
>
> Key: CXF-8636
> URL: https://issues.apache.org/jira/browse/CXF-8636
> Project: CXF
> Issue Type: Bug
> Affects Versions: 3.5.0, 3.4.5
> Reporter: Markus Plangg
> Assignee: Andriy Redko
> Priority: Minor
> Fix For: 3.4.6, 3.5.1, 4.0.0
>
>
> I've included the swagger ui by adding a dependency on org.webjars:swagger-ui.
> The
> [Documentation|https://cxf.apache.org/docs/swagger2feature.html#Swagger2Feature-ConfiguringSwaggerUI(3.2.7+)]
> mentions that the swagger UI can be configured through SwaggerUiConfig which
> sets config as query params.
>
> Since [swagger ui
> 4.1.3|https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3] passing
> the default url as query parameter, e.g. `?url=swagger.json` is disabled by
> default due to security concerns. Instead the default swagger PetStore
> definition is loaded.
>
> It's possible to restore the old behaviour by setting queryConfigEnabled, but
> I couldn't find a way to set this. Of course enabling this also brings back
> the security issue.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
