Securing Swagger API Documentation with an API Key (JWT) | FREE COURSE

00:05

hello and welcome to this course

00:06

securing swagger api documentation with

00:09

an api key

00:10

in this course i'm going to show you how

00:12

you can use swagger to create an api

00:14

documentation

00:15

photo api we'll start by defining what

00:18

an api documentation is

00:20

why you would want to create one why you

00:22

might want to use swagger

00:23

for your api documentation then we'll

00:26

move on to the ide

00:27

and i'll show you how to implement and

00:29

configure swagger to require an api key

00:31

for your application

00:33

and finally i'll show you how to build

00:35

an angular application

00:36

where you can send your users to get an

00:38

api key so that they can use it for your

00:40

api

00:41

by the end of this course you will have

00:42

a solid understanding of what an api

00:45

documentation is

00:46

and how to properly create and secure

00:48

api documentation

00:50

using swagger we have a lot to cover in

00:52

this course

00:53

i hope you're excited and i will see you

00:55

in the course

01:06

so this is your api documentation where

01:08

your user would come in to look at your

01:10

api documentation

01:12

and possibly try it out so for instance

01:14

if i go to the

01:16

get request here and i can read about

01:18

this

01:19

and then i can also try it out so i'll

01:21

click on try it out and then

01:22

execute this as you can see here i got

01:25

this four or three forbidden

01:26

so the idea here would be your user

01:29

would go

01:29

to say hey i need to get an api key so

01:32

they'll just go ahead and click here

01:33

and then here i'm gonna go ahead and log

01:35

in with jade and

01:37

i put in my information click on login

01:39

and you can see now i'm logged into the

01:41

frontend application

01:43

and then i would navigate to my security

01:45

tab and then here show token

01:46

well you have to hide the token because

01:48

it's sensitive information and then to

01:50

show the token you would click here and

01:52

then

01:52

click on it and then it says token

01:54

copied and then the user would go back

01:56

here and authorize so they would click

01:58

here

01:58

and then pass in the token and then

02:00

click on authorize

02:02

and then close this and then now if they

02:04

go ahead and say execute again

02:06

you can see now they get an actual

02:07

response so this was the whole

02:09

idea of what i wanted to do with the

02:11

front end and with this api

02:13

documentation application and if you

02:14

guys have any questions uh go ahead and

02:16

reach out to me

02:17

thank you for taking the course i hope

02:19

you find it valuable and i will see you

02:21

guys in the next one

02:27

i wanted to go over the pre-requisite

02:29

for this course

02:30

and this is really something that you

02:32

really have to understand as far as

02:34

understanding how to

02:34

take advantage of this course so let's

02:36

go ahead and get started so the first

02:37

technology

02:38

you need to really understand is java

02:41

because everything is java base for the

02:43

back end

02:43

so you need to understand java the

02:45

spring framework and also spring

02:47

security

02:48

because we're going to be working with

02:49

spring security as well now the reason

02:51

i want to make sure that you understand

02:53

this is because

02:54

we will not be building the application

02:57

that we're going to be working on in

02:58

this course

02:59

we will only be adding the swagger

03:00

configuration on top of this application

03:03

and this application is already using

03:05

java spring framework and spring

03:06

security

03:07

so when i give you the overview of that

03:09

application i'm expecting you to

03:11

understand

03:12

what the application is doing because

03:14

we're not going to go into the basics

03:16

of those technologies so you have to

03:18

understand you know java spring

03:19

framework and spring security

03:21

to some degree and then you need to

03:23

understand application programming

03:25

interface

03:25

because this is a concept that we will

03:27

also be working on since this whole

03:29

application

03:30

at least the back end is an application

03:32

programming interface

03:33

so you need to make sure you understand

03:34

that as well and then a json web token

03:37

so this one web token is going to be

03:39

our api key and you also need to

03:41

understand what that means right so you

03:43

need to understand

03:44

what kind of information a json web

03:46

token is carrying and why it's used and

03:48

things like that so

03:49

make sure you understand on json web

03:51

token and then from the front

03:52

application we'll be building on angular

03:54

applications so i'm expecting you to

03:56

understand the basics of angular and for

03:58

that of course you have to understand

04:00

html css and javascript so

04:02

make sure you get those covered and then

04:04

since angular uses typescript

04:06

so you need to understand typescript as

04:08

well now i'm not

04:10

expecting anyone to be an expert in any

04:12

of those technologies but at least

04:14

you have to be comfortable uh with them

04:16

uh so that you don't get stuck

04:17

during the course so make sure you

04:19

understand those technologies

04:21

well or make sure you're comfortable

04:23

with them uh or even if you get stuck

04:25

then you know how to you know research

04:26

it and fix whatever

04:28

problem that you have but you have to be

04:30

comfortable in those technology

04:36

let's go over the course outline so that

04:38

you guys understand what to expect from

04:40

this course so the first thing i want to

04:42

say

04:43

is this course is not a very long course

04:45

so we're not going to have like a dozen

04:48

sections or anything like that so what

04:50

you're looking at right now is just a

04:52

high level of exactly

04:53

what we're going to be doing in this

04:55

course so the first part is going to be

04:56

for the introductions uh this is the

04:58

part that we

04:59

we're in now and this is just going to

05:01

be me introducing the course to you

05:03

uh telling you how to get the best out

05:04

of this course and etc and the next part

05:06

is going to be me going over

05:08

the concepts with you so i'm going to be

05:10

talking about api documentation

05:12

what is api why do we need api

05:15

documentations what are the advantages

05:17

of having an api documentation

05:19

and why you want to do that and then

05:21

after that we're going to cover swagger

05:23

so

05:23

swagger is like an implementation of an

05:25

api documentation

05:27

or just an api documentation tool just a

05:29

tool that you can use to

05:31

create a documentation for api so we're

05:32

going to go over swagger

05:34

and then i'm going to give you some

05:35

resources as well regarding swagger

05:38

and then we're going to look at an

05:39

overview of the api that we have so

05:42

we're going to start off with some base

05:43

code and i'm going to walk you through

05:45

this code and that's going to be

05:46

our api overview and then i'm also going

05:48

to go over the security aspect of that

05:50

application as well

05:52

so you're gonna understand you know what

05:54

kind of security that the application

05:56

has in place

05:56

and what it's expecting from a user

05:58

trying to access the application

06:00

in order for that user to successfully

06:02

access it and then we're gonna

06:04

put in the configuration for swagger so

06:05

we're going to put this wire

06:06

configuration

06:07

which is going to require us to put in

06:09

an api key in order to be able to access

06:12

the api documentation

06:13

so after that we're going to move over

06:15

to some other swagger annotations and

06:18

those annotations we're mostly going to

06:19

be using

06:20

them in the controller so i'm going to

06:22

show you um how you can customize the

06:24

ui page for swagger and most of that

06:27

those annotations i'm going to be

06:29

putting them in the controller and then

06:30

lastly we're going to build the angular

06:32

app so we're going to start from scratch

06:34

with that application and then build it

06:36

from there now

06:37

as you can see this is a very condensed

06:39

high level

06:40

overview of the course but there's a lot

06:43

more in this course so

06:44

there's no way i'm going to be able to

06:46

you know list every single technology

06:48

that is being used on here

06:49

but at least i hope you guys understand

06:52

what exactly

06:53

we're going to be doing in this course

06:59

i want to talk a little bit about how to

07:01

get the most out of this course and as

07:03

the creator of the course

07:05

i always think that it's a good idea for

07:07

me to actually tell you how to get the

07:09

best out of this course so

07:11

this course is a continuation of a

07:13

security course that i built and

07:15

one of the first thing that i would

07:16

highly recommend every student who want

07:18

to take this course to do

07:20

is to take the security course the

07:21

security course is really a continuation

07:24

of this course now the reason i didn't

07:26

mention this and that we work with it is

07:28

because

07:28

you know there might be some students

07:30

that are already very

07:32

savvy with spanx security so there's no

07:34

point for them to take this spring

07:36

security course that i built

07:38

and i'm going to show that course in a

07:39

second but i would highly encourage

07:41

everyone

07:42

if you're not really good with spanx

07:44

security then you have to take the

07:46

security course first before you can

07:47

take this course

07:48

because this will cover pretty much

07:50

everything you need to know about spanx

07:51

security and json web token

07:53

and how to secure an api using spam

07:55

security and json web token

07:57

and what you're looking at right now is

07:59

the actual course and it's called json

08:01

web token with spring security and

08:02

angular and in that course i

08:04

show how to secure an angular

08:05

application using json web token

08:08

amongst other things so that's the first

08:10

thing i would highly encourage

08:12

everyone to take unless you're really

08:14

good with spring security

08:15

um then you have to take this course

08:17

before you actually take this

08:19

swagger course and this will really help

08:22

you a lot and even the base application

08:23

is the same the base application that

08:25

i'm using

08:26

in this swagger course that application

08:28

is coming from the security course so

08:30

i would highly encourage everyone to

08:32

take the security course

08:33

and then come back to this course to

08:35

understand how we can

08:37

add swagger on top of the security of an

08:40

api

08:41

using a json web token or an api key the

08:43

next thing to get the most out of this

08:45

course is going to be to

08:46

understand json web token because we're

08:49

going to use json web token as our api

08:51

key now

08:52

an api key doesn't necessarily have to

08:54

be a json web token

08:55

it can be any string character that you

08:57

use um

08:58

preferably something that's not really

09:00

easy to read but it can be any string of

09:02

characters so make sure you understand

09:04

json web token and what it means and

09:06

what it why it's used to

09:08

a secure api or why you can use it as an

09:11

api key

09:12

if you want to access the secure api

09:14

application and the next you have to

09:16

watch the lectures remember this is a

09:18

lecture slash

09:19

video based course so you have to watch

09:22

all the lectures

09:23

because this is where the content of the

09:25

course uh actually is

09:26

and this is where you will see what the

09:28

instructor is doing

09:30

uh and the explanation of everything

09:31

that the instructor is doing as well and

09:33

then next you have to use your online

09:35

resources now

09:37

i wouldn't say don't ask a question if

09:38

you have a question but

09:40

if something happens or you're stuck or

09:41

you have a quick question

09:43

i usually just google it because i take

09:45

courses myself so

09:46

if something happened to my application

09:49

or i have an issue or there's something

09:51

that i don't know

09:52

or just something just popped in my head

09:53

while i'm watching the course i would

09:55

just google it

09:56

and if i can't find the solution then i

09:58

would contact the professor

10:00

and or the instructor and see if they

10:02

can answer the question but first i

10:03

would

10:04

definitely use my online resources to

10:06

see if i can find a solution in the next

10:09

i would say if you can you can try to

10:11

code along

10:12

now this is not really required mostly

10:14

if you're already

10:16

experienced so you don't necessarily

10:18

have to code you can just watch what i'm

10:19

doing but

10:20

if you are a newbie then i would

10:21

definitely say if you can code along

10:24

then

10:24

you know try to do that because this is

10:26

going to build uh muscle memory

10:28

along with actual memory of what you're

10:30

learning and this is all going to stick

10:32

together because you know you're going

10:33

to be coding

10:34

writing code and thinking as you do that

10:36

as well so if you code along

10:38

you'll develop those meso memories that

10:40

you need and lastly you can go ahead and

10:41

ask me a question

10:43

so if you're stuck or your application

10:44

is not running or you have just some

10:46

questions or it can actually be any

10:48

question then you can

10:50

reach out in the q a or just send me a

10:51

message um

10:53

and then i will try to answer your

10:55

questions so another thing is i

10:57

answer every question in less than 24

10:59

hours

11:00

so you're not going to be waiting for

11:01

days and me not getting back to you i

11:03

try to answer all questions

11:05

within 24 hours so those are the main

11:07

points that i would say

11:08

um you need to have covered if you want

11:10

to take advantage of this course and get

11:13

the best of this course like i said

11:14

uh the security course really i would

11:17

recommend it because

11:18

the base application we're going to be

11:20

using it's coming straight from this

11:21

course

11:22

and if you don't really know what spanx

11:23

security is or you're not really good

11:25

with spring security you don't really

11:26

understand

11:27

everything about it then i would

11:29

definitely say take the security course

11:30

first

11:31

and then come and take this course

11:38

one of the most important questions that

11:40

we have to answer

11:41

in this course is what exactly is an api

11:44

documentation

11:45

so an api documentation is really just

11:48

something you can deliver to people

11:50

and they can use that to understand

11:52

exactly how to

11:53

effectively use or integrate with your

11:55

api so it's just a way that you're gonna

11:58

be able to tell them

11:58

say hey if you want to use my api here

12:01

is the link or here's the url

12:03

here are the different endpoints and

12:05

this is how you call those endpoints and

12:07

this is these are the parameters that

12:08

you need to pass

12:09

etc so it's really just something you

12:11

can deliver which is why it says the

12:13

technical content deliverable meaning

12:15

you can deliver it

12:16

and it has instructions on how to

12:18

effectively use and integrate with

12:19

your api and i have another more defined

12:22

definition below and i'm not going to

12:24

go ahead and read it to you but it's

12:26

really just saying the same thing hey

12:27

you want to be able to be as

12:29

thorough as possible because there might

12:31

be people that are not developers or

12:33

they're not very tech savvy and they

12:36

might still be able to

12:37

you know go to your api and try to

12:39

understand what it's doing and they

12:40

should be able to understand exactly

12:42

um how to use it and what it's doing i

12:44

mean of course they're not gonna be

12:45

able to understand everything uh like a

12:47

software engineer or

12:49

a developer but they should be able to

12:50

understand exactly

12:52

what the api is and what it's doing and

12:54

how to actually use it to to some degree

12:56

so it's really just a way for you to

12:58

tell people or tell the world

13:00

say hey this is my api and this is how

13:03

you're supposed to use that obviously

13:05

this is a very

13:06

high level summary but you have to be as

13:09

thorough as possible you have to define

13:11

what kind of information you're going to

13:12

give them back how they need to call

13:14

your api

13:15

if there is any authentication that they

13:17

need to do and things like that so it's

13:19

really just

13:20

explaining to people how to use your api

13:28

now the next question that we need to

13:30

answer is

13:31

why would you want to create an api

13:34

documentation so why would you want to

13:35

do that

13:36

well there are many advantages to

13:38

creating an api documentation

13:39

for your api and i've read many articles

13:42

about this there are

13:43

dozens of reasons why you would want to

13:45

do that but i'm just going to go over

13:47

a few of them so the first one we're

13:48

going to look at is going to be

13:50

improved user adaption so if your api

13:53

documentation

13:54

is very nice and detailed and people

13:56

come in and they can use it and it's

13:58

very easy for them to use

14:00

and what this is going to do is just

14:01

gonna make it easier for them to

14:03

use your api because it's very easy to

14:06

understand

14:07

and they love the experience so what's

14:08

gonna happen is they're gonna tell

14:10

other people about that they're gonna

14:12

say hey you should try to

14:13

use this api because they have a very

14:15

nice api documentation

14:17

and everything is going to be easy for

14:18

you and this overall

14:20

improved experience for your developers

14:22

is going to go a very long way because

14:24

you know they will just adapt or use

14:26

your api

14:27

more and more and more because the

14:28

documentation is just so great it makes

14:30

everything so easy to use it the next

14:32

reason you might want to do that

14:33

is to increase awareness so that ties

14:36

into the first point

14:37

so if one person uses your api and they

14:41

like the experience

14:42

and they're just gonna go ahead and tell

14:44

other people and then

14:45

more people are gonna come in and use

14:47

our api which is what you want in the

14:49

long run so those two points they're

14:51

very close to each other

14:52

the first one is just improve the

14:54

experience and as a result

14:56

of that more people are going to use it

14:58

you know people are going to tell

14:59

other people and then more people are

15:01

just going to use your api which is what

15:03

you want in the end

15:04

the next reason you might want to do

15:06

that is because it's going to save you a

15:07

lot of time and

15:08

a lot of money so let's imagine you have

15:11

like some api

15:12

that people can use but you don't have

15:14

an api documentation so

15:16

every time someone needs to use your api

15:18

they're going to have to

15:19

reach out to you or reach out to someone

15:22

in the company or

15:23

one of the owners of the api or someone

15:25

who can answer the question so

15:27

you know you might just be sending

15:28

emails out and you would have to do that

15:31

every time someone needs to use your api

15:33

and that's just gonna cost you time

15:35

and money so that's not the best way to

15:37

do things when you can just

15:38

say hey just go to this website or if

15:41

they google the the google

15:43

api or they you know hey there's this

15:46

company or

15:47

this service have a free api or even if

15:49

it's not free

15:50

or some api that they can use and then

15:52

your api documentation page will come up

15:55

so that will just save you

15:57

uh not having to deal with people coming

15:59

in and asking you directly or sending

16:01

you email

16:02

or whatever the case might be so it's

16:03

going to save you a lot of time

16:05

and with that a lot of money and the

16:07

last point i want to touch on

16:08

is maintenance so if everyone knows

16:11

how the api works and what kind of

16:13

methods and functions

16:15

and domain that is supposed to return

16:17

that's just going to make for

16:18

a better production application because

16:21

in the api documentation you have to be

16:23

very very clear as to what your api is

16:26

doing what's

16:27

returning uh what are the domains like i

16:30

said and what are some of the methods

16:32

etc so since this is already clear it's

16:35

gonna help

16:36

developers internal developers making

16:38

your api

16:39

even better because everyone understands

16:42

how the api works so that's gonna make

16:45

it easier for maintenance whenever you

16:47

have to make changes or to

16:48

improve parts of the api and things like

16:50

that and those are just four reasons

16:52

there's

16:53

way more reasons that i haven't even

16:55

read or i don't even know about

16:57

but it's definitely very important for

16:58

you to have api documentation for

17:01

api because that's just how you're going

17:03

to tell people

17:04

how to use it and integrate with it

17:11

i want to give you guys an overview of

17:13

the base application that we're going to

17:15

start with

17:16

and unlike all my other courses for this

17:18

course we're not going to start from

17:19

scratch because the focus is to create

17:21

the square configuration so i'm going to

17:22

give you a quick walkthrough of the

17:24

application that we're going to start

17:26

with so i'm just going to open my id

17:28

here and let's take a look at the main

17:30

application

17:31

and by the way this application is more

17:33

like an invoice management application

17:36

and the idea is you have some sort of a

17:38

store online or something where like you

17:40

have transactions going on

17:42

and then you have this api where you

17:44

know your clients can come and

17:46

look at invoices and things like that so

17:48

this is the main application class you

17:50

know nothing

17:51

here has been changed it's still the

17:52

same and let's go ahead and take a look

17:54

at the resource so we only have the

17:56

invoice resource here

17:57

just gonna collapse this for now and you

17:59

can see we have the typical risk

18:01

controller because this is a rest avi

18:03

and then we have this injection here

18:05

where we do the dependency injection for

18:07

the invoice service and in here

18:09

we have all of the typical crud

18:11

operations so add update

18:13

get a list of everything get invoices

18:16

for a specific customer

18:17

we can also get an invoice if we know

18:19

the invoice number

18:20

and we can delete an invoice so that's

18:22

just typical

18:23

credit operation nothing too complicated

18:26

here and

18:26

this controller or this rest resource is

18:29

calling

18:30

the service here so let's go ahead and

18:32

take a look at the service

18:34

just gonna click here so the service is

18:36

pretty simple we're just using the gpa

18:38

repository for everything

18:40

as you can see here it's imported here

18:42

and we inject it in this class here

18:44

and for saving an invoice we call the

18:45

save to get all the invoices we call the

18:48

find all

18:49

um we can also find an invoice by the

18:51

invoice number if we can find it we'll

18:53

through this custom exception that i

18:54

created and i'm going to take a look at

18:56

this in a second

18:57

and then we can you know update an

18:59

invoice which is the same as the save

19:00

the only difference is we have to pass

19:02

in the

19:02

primary key for that invoice and we can

19:05

also delete an invoice

19:06

or find invoice by specific customer

19:09

this application

19:10

is really very simple i didn't want to

19:11

add any you know crazy logic

19:13

and here just keeping it simple since

19:15

the point is to just show you how to

19:17

actually create the configuration for

19:19

the actual documentation for this api

19:22

so let's go ahead and take a look at the

19:24

repository here

19:26

since we're injecting it here and we're

19:27

calling it here in this class so the

19:29

repository is very typical

19:30

we just extend the jpa repository pass

19:33

the actual

19:34

model and the primary key for it and

19:36

then we're just using the jpa query

19:38

language and our method name so that we

19:40

can get the information that we need

19:41

from the backend

19:42

and all of this code is gonna be in the

19:44

video resource so you can just go ahead

19:46

and download it

19:47

so that we can get started and then we

19:49

also have the configuration for security

19:51

here

19:52

so i'm just gonna collapse this for now

19:54

and scroll up

19:55

so this is the typical security

19:57

configuration that you would see for

19:59

like a restful api

20:01

build with spring boot so we're just

20:03

allowing here

20:04

all of the resources that swagger needs

20:06

so that we don't black those

20:08

and then everything else you need to be

20:10

authenticated and this is just the

20:11

configuration here

20:13

with the http security and like i

20:15

mentioned before

20:16

the security course is a requirement for

20:18

this course so if you want to understand

20:20

exactly what's going on here in terms of

20:22

the security configurations

20:23

um then you just have to take that

20:25

course and you know pretty much

20:26

everything is going to be almost the

20:27

same

20:28

um i mean the course is going in depth

20:31

into a lot of detail in terms of

20:32

security

20:33

but it's a requirement for this course

20:35

so we're not going to be going over

20:36

everything in details here but please

20:38

what's going on here we have this filter

20:41

that we injecting in this class and we

20:43

pass it in here as a filter

20:45

before every request and then we're just

20:46

saying hey for our statement policy

20:48

we're going to use stateless because

20:50

we're not going to be using session or

20:51

anything that we're going to track

20:53

this is going to be you know every

20:55

request comes in we check

20:56

for an api key so we're not tracking any

20:58

values or any any logged in users or

21:00

anything like that and then down below

21:02

on line 35 we say hey for every url that

21:05

contains these

21:06

paths just allow everyone to access them

21:09

and then for any other request we need

21:11

to authenticate so

21:12

that way we can block every other access

21:14

to the application

21:16

only the swagger resources will pass our

21:19

security filter

21:20

and we can also take a look at this

21:22

filter real quick

21:23

and this filter is pretty much the same

21:26

filter that was built in the security

21:27

course because this course is required

21:29

and all we're doing here is to check to

21:31

make sure that every request coming

21:33

in has on you know a valid api key

21:36

before we allow it to go through the

21:38

application so

21:39

again if you want to understand this you

21:41

have to take the security course because

21:42

this can get a little bit complicated

21:44

and the point of this course is to go

21:46

over the configuration for swagger

21:49

and other things that we have here is

21:50

this utility class that we're using

21:53

and it's using the same library that is

21:54

used in the security course for

21:57

uh you know decoding creating token and

21:59

validating token and things like that

22:01

and we have all of these methods in

22:03

there like i mentioned

22:04

you have to take the security course so

22:05

that you can understand this so even

22:07

though you will have this

22:08

code and your as part of the course you

22:10

need to understand

22:12

everything that's going on here and to

22:13

do that you have to take the security

22:15

course

22:15

since this course is like a continuation

22:18

of the security course

22:19

and then we already looked at the

22:21

service we can take a look at that

22:23

exception

22:24

that i mentioned earlier so this

22:26

exception is just extending the runtime

22:27

exception

22:28

and it's calling the super constructor

22:31

so the constructor in this class

22:33

passing in the message that we're

22:34

passing in here and then we have the

22:36

invoice entity so we can take a look at

22:38

this real quick

22:39

it's annotated with at entity because

22:41

it's going to be saved in a database or

22:42

mapped to a database

22:44

and then we have the you know the

22:45

typical id for the primary key

22:48

the invoice number a list of product on

22:50

a real products

22:51

uh customer name and a total so very

22:53

typical simple poju

22:55

just trying to keep it simple and lastly

22:57

we're going to take a look at our

22:58

configuration so in our

23:00

properties file uh you know i have the

23:02

typical database

23:04

this is digital secret obviously this is

23:06

a joke

23:07

our secret has to be fair secure and has

23:10

to be very complicated string not just

23:12

this word secret

23:13

and then i have the credential for the

23:15

database and some other

23:16

configuration for jpa so

23:20

that's pretty much everything for this

23:21

application again if you don't know how

23:23

to create an api you can take my other

23:25

courses on api

23:27

and if you want to understand the

23:28

security aspect of this how we create

23:30

the security configuration

23:32

and this uh generality filter and this

23:36

dudability utility class that we're

23:37

using to validate the token

23:39

then you have to take the security

23:40

course which is a requirement for taking

23:42

this course because in this course

23:44

we're going to be focusing on creating

23:46

the configuration for swag just make

23:48

sure you remember that because we will

23:49

not

23:50

be building you know all of these in

23:52

this course

23:53

this is something that we already worked

23:54

on in the previous course which is a

23:56

requirement for this course so

23:58

i hope you guys understand this and if

24:00

you have any questions you can just

24:01

reach out to me

24:02

if you have any questions if you want

24:04

coupons or anything like that i can give

24:06

you like

24:07

a discount on the security course but

24:09

it's required for this course so

24:10

any questions just reach out and i'll

24:12

see you guys in the next one

24:18

the first thing we need to do in our app

24:20

to get started with swagger is to add

24:22

the dependency for swagger so let's go

24:24

into the

24:25

pom file so i'm gonna click here and go

24:27

all the way down to the pom file

24:28

gonna collapse this for now and this is

24:31

the dependency that we're gonna need for

24:33

swagger so

24:34

i'm gonna uncomment it so we're gonna be

24:38

using the latest version which is

24:39

version three so you have to make sure

24:41

that you have this dependency here

24:43

well you're gonna have the code so that

24:44

events is probably going to be there

24:46

already

24:47

but this is the dependency that's going

24:48

to bring all of these swagger jars that

24:50

we need

24:51

so that we can create our configuration

24:53

so make sure you have this dependency

24:56

in your application and then in the next

24:58

lecture we're gonna actually get started

25:00

with the actual configuration so i'll

25:02

see you guys in the next one

25:10

let's go ahead and add our swagger

25:11

configuration class

25:13

so i'm going to go ahead and close all

25:14

of these tabs that i'm not using

25:17

and you can create a new package for

25:18

this like a swagger package

25:21

but i'm just going to go ahead and put

25:22

it in this configuration here so i'm

25:24

going to put it in class

25:26

and i'm just going to name it swagger

25:28

config

25:30

you can name it whatever you want just

25:32

make sure it's something that's

25:33

meaningful

25:35

so first thing we want to do here since

25:38

this is the configuration class we want

25:39

to put the add configuration annotation

25:41

on it

25:42

so i'm going to do add and then

25:44

configuration

25:47

and this is supposed to come from spring

25:48

and after that we have a lot of constant

25:52

that we need

25:53

so that we can create the content for

25:54

the page itself so this is like

25:56

something that's going to be up to you

25:58

whatever you want to show when someone

26:00

comes to your api

26:01

what you want them to read about the api

26:03

and things like that so i'm going to go

26:04

ahead and copy and paste those

26:06

constant because they're just constant

26:08

like there's no logic or anything like

26:09

that

26:10

and then i'm gonna walk you through each

26:11

one of them so i'm gonna go ahead and

26:13

paste them i've already copied them

26:15

and put them there as you can see

26:16

they're all just constant so

26:18

the first one is the security reference

26:20

the security reference means

26:22

you know what type of access it's going

26:24

to be and that's a token

26:25

access or api key access in the

26:28

authorization description so

26:30

we're going to tell the user what kind

26:32

of authorization that they're getting

26:34

and this is like full api permission

26:36

because once you get a token then you

26:37

can access all of the endpoints now

26:40

if that specific token um was not going

26:42

to access

26:43

specific endpoints um but only like

26:45

certain endpoints

26:47

then you probably would have to change

26:48

this to be hey this can access

26:50

everything under

26:51

slash whatever or you know or only

26:54

this specific api and then the scope is

26:57

unlimited

26:57

you know the scope of the token is

26:59

unlimited once you have a token then

27:01

you can access everything and this is

27:03

for the contact information so i put

27:05

some dummy email here

27:07

some dummy url here for our organization

27:10

invoice.com

27:11

uh and then to contact me it's gonna be

27:13

like invoice api support you can click

27:16

on that

27:16

and it's gonna take you to this email or

27:18

whatever so that's just going to be the

27:20

text of it i believe

27:21

and then the title of the page so that's

27:23

invoice management api

27:25

and this is the big title that you see

27:27

like in bold

27:28

once you first access the swagger ui

27:30

page and we're going to see that in a

27:32

second

27:32

and this below is the description and

27:34

inside the description

27:36

you can actually put html elements as

27:38

you can see i'm doing here i'm putting

27:40

this note

27:41

in bold so you just put a text in here

27:44

you can see that all this plus to

27:46

concat the text because it's really long

27:48

and inside that string i also

27:50

embed the actual link that i want as you

27:53

can see here

27:54

inside the whole string i put this

27:56

anchor tag here

27:57

and then put the actual url that i want

28:00

whenever they click to get the

28:01

actual api token which is going to be

28:03

the front-end application

28:05

then this is going to take them to this

28:06

and you know i put the target to blank

28:08

so that you can open in a new page and

28:10

if i'm using this backlash is to escape

28:13

this other uh double quote here because

28:16

we're already inside of double quote we

28:17

have the

28:18

terms of service here so you know terms

28:20

of service will go here

28:21

whatever you want them to know the api

28:23

version i just put 1.1

28:25

but that would be the actual api version

28:27

because you might have different version

28:29

the license whatever the license is i'm

28:31

using apache here because i don't have

28:32

an actual license

28:33

and that's the page for that so if they

28:35

want to use more about the licensing

28:37

and the path that we want to secure is

28:40

going to be like every path in the

28:41

application

28:42

except the one that we configure in the

28:44

security configuration

28:46

if you guys remember so if we go to the

28:47

secure configuration except those paths

28:49

right here

28:50

because um those are needed whenever we

28:53

try to access the

28:54

swagger ui because then he needs to go

28:57

ahead and fetch some

28:58

jars and things like that so we have to