networknt · stevehu · Aug 12, 2018 · Aug 12, 2018 · Aug 12, 2018 · Aug 12, 2018
diff --git a/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java b/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java
@@ -52,6 +52,7 @@
 public class JwtVerifyHandler implements MiddlewareHandler {
     static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandler.class);
 
+    static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
     static final String ENABLE_VERIFY_SCOPE = "enableVerifyScope";
 
     static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
@@ -64,7 +65,13 @@ public class JwtVerifyHandler implements MiddlewareHandler {
     static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
     static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
 
-    static final Map<String, Object> config = Config.getInstance().getJsonMapConfig(JwtHelper.SECURITY_CONFIG);
+    static Map<String, Object> config;
+    static {
+        // check if openapi-security.yml exist
+        config = Config.getInstance().getJsonMapConfig(OPENAPI_SECURITY_CONFIG);
+        // fallback to generic security.yml
+        if(config == null) config = Config.getInstance().getJsonMapConfig(JwtHelper.SECURITY_CONFIG);
+    }
 
     private volatile HttpHandler next;
 

diff --git a/openapi-security/src/main/resources/config/security.yml b/openapi-security/src/main/resources/config/security.yml
@@ -1,4 +1,6 @@
-# Security configuration in light framework.
+# Security configuration in light framework. This is a generic security config
+# for all frameworks. In most cases, you should just use this file if you have
+# only one framework in your server instance.
 ---
 # Enable JWT verification flag.
 enableVerifyJwt: true

diff --git a/openapi-security/src/test/resources/config/openapi-security.yml b/openapi-security/src/test/resources/config/openapi-security.yml
@@ -0,0 +1,36 @@
+# Security configuration for openapi-security in light-rest-4j. It is a specific config
+# for OpenAPI framework and it can be used if you have other frameworks running in the
+# same server instance and their security configurations are different then the OpenAPI.
+# If this file cannot be found, the generic security.yml will be loaded as a fallback.
+---
+# Enable JWT verification flag.
+enableVerifyJwt: true
+
+# Enable JWT scope verification. Only valid when enableVerifyJwt is true.
+enableVerifyScope: true
+
+# User for test only. should be always be false on official environment.
+enableMockJwt: false
+
+# JWT signature public certificates. kid and certificate path mappings.
+jwt:
+  certificate:
+    '100': oauth/primary.crt
+    '101': oauth/secondary.crt
+  clockSkewInSeconds: 60
+
+# Enable or disable JWT token logging
+logJwtToken: true
+
+# Enable or disable client_id, user_id and scope logging.
+logClientUserScope: false
+
+# Enable JWT token cache to speed up verification. This will only verify expired time
+# and skip the signature verification as it takes more CPU power and long time.
+enableJwtCache: true
+
+# If you are using light-oauth2, then you don't need to have oauth subfolder for public
+# key certificate to verify JWT token, the key will be retrieved from key endpoint once
+# the first token is arrived. Default to false for dev environment without oauth2 server
+# or official environment that use other OAuth 2.0 providers.
+bootstrapFromKeyService: false
diff --git a/openapi-security/src/test/resources/logback-test.xml b/openapi-security/src/test/resources/logback-test.xml
@@ -57,11 +57,11 @@
         </triggeringPolicy>
     </appender>
 
-    <root level="trace">
+    <root level="info">
         <appender-ref ref="stdout" />
     </root>
 
-    <logger name="com.networknt" level="trace">
+    <logger name="com.networknt.config" level="debug">
         <appender-ref ref="log"/>
     </logger>
 

diff --git a/openapi-validator/src/main/java/com/networknt/openapi/ValidatorHandler.java b/openapi-validator/src/main/java/com/networknt/openapi/ValidatorHandler.java
@@ -40,13 +40,20 @@
  * @author Steve Hu
  */
 public class ValidatorHandler implements MiddlewareHandler {
+    public static final String OPENAPI_CONFIG_NAME = "openapi-validator";
     public static final String CONFIG_NAME = "validator";
 
     static final String STATUS_MISSING_OPENAPI_OPERATION = "ERR10012";
 
     static final Logger logger = LoggerFactory.getLogger(ValidatorHandler.class);
 
-    static ValidatorConfig config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(CONFIG_NAME, ValidatorConfig.class);
+    static ValidatorConfig config;
+    static {
+        config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(OPENAPI_CONFIG_NAME, ValidatorConfig.class);
+        if(config == null) {
+            config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(CONFIG_NAME, ValidatorConfig.class);
+        }
+    }
 
     private volatile HttpHandler next;
 

diff --git a/openapi-validator/src/main/resources/config/validator.yml b/openapi-validator/src/main/resources/config/validator.yml
@@ -1,3 +1,5 @@
+# A generic light-4j framework validator configuration. If multiple frameworks are used in the
+# same server instance and they have different configurations. You can use openapi-validator.yml
 ---
 # Enable request validation. Response validation is not done on the server but client.
 enabled: true

diff --git a/openapi-validator/src/test/resources/config/openapi-validator.yml b/openapi-validator/src/test/resources/config/openapi-validator.yml
@@ -0,0 +1,8 @@
+# This is specific OpenAPI validator configuration file. It should be used if you have multiple
+# frameworks implemented in the same server instance and they all need to have different validator
+# configurations. If they share the same validator.yml then you can still use that one.
+---
+# Enable request validation. Response validation is not done on the server but client.
+enabled: true
+# Log error message if validation error occurs
+logError: true
diff --git a/swagger-security/src/main/java/com/networknt/security/JwtVerifyHandler.java b/swagger-security/src/main/java/com/networknt/security/JwtVerifyHandler.java
@@ -53,6 +53,7 @@
 public class JwtVerifyHandler implements MiddlewareHandler {
     static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandler.class);
 
+    static final String SWAGGER_SECURITY_CONFIG = "swagger-security";
     static final String ENABLE_VERIFY_SCOPE = "enableVerifyScope";
 
     static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
@@ -65,7 +66,13 @@ public class JwtVerifyHandler implements MiddlewareHandler {
     static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
     static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
 
-    static final Map<String, Object> config = Config.getInstance().getJsonMapConfig(JwtHelper.SECURITY_CONFIG);
+    static Map<String, Object> config;
+    static {
+        // check if swagger-security.yml exist
+        config = Config.getInstance().getJsonMapConfig(SWAGGER_SECURITY_CONFIG);
+        // fallback to generic security.yml
+        if(config == null) config = Config.getInstance().getJsonMapConfig(JwtHelper.SECURITY_CONFIG);
+    }
 
     private volatile HttpHandler next;
 

diff --git a/swagger-security/src/main/resources/config/security.yml b/swagger-security/src/main/resources/config/security.yml
@@ -1,4 +1,6 @@
-# Security configuration in light framework.
+# Security configuration in light framework. This is a generic security config
+# for all frameworks. In most cases, you should just use this file if you have
+# only one framework in your server instance.
 ---
 # Enable JWT verification flag.
 enableVerifyJwt: true

diff --git a/swagger-security/src/test/resources/config/swagger-security.yml b/swagger-security/src/test/resources/config/swagger-security.yml
@@ -0,0 +1,36 @@
+# Security configuration for swagger-security in light-rest-4j. It is a specific config
+# for Swagger framework and it can be used if you have other frameworks running in the
+# same server instance and their security configurations are different then the Swagger.
+# If this file cannot be found, the generic security.yml will be loaded as a fallback.
+---
+# Enable JWT verification flag.
+enableVerifyJwt: true
+
+# Enable JWT scope verification. Only valid when enableVerifyJwt is true.
+enableVerifyScope: true
+
+# User for test only. should be always be false on official environment.
+enableMockJwt: false
+
+# JWT signature public certificates. kid and certificate path mappings.
+jwt:
+  certificate:
+    '100': oauth/primary.crt
+    '101': oauth/secondary.crt
+  clockSkewInSeconds: 60
+
+# Enable or disable JWT token logging
+logJwtToken: true
+
+# Enable or disable client_id, user_id and scope logging.
+logClientUserScope: false
+
+# Enable JWT token cache to speed up verification. This will only verify expired time
+# and skip the signature verification as it takes more CPU power and long time.
+enableJwtCache: true
+
+# If you are using light-oauth2, then you don't need to have oauth subfolder for public
+# key certificate to verify JWT token, the key will be retrieved from key endpoint once
+# the first token is arrived. Default to false for dev environment without oauth2 server
+# or official environment that use other OAuth 2.0 providers.
+bootstrapFromKeyService: false
diff --git a/swagger-validator/src/main/java/com/networknt/validator/ValidatorHandler.java b/swagger-validator/src/main/java/com/networknt/validator/ValidatorHandler.java
@@ -41,13 +41,21 @@
  * @author Steve Hu
  */
 public class ValidatorHandler implements MiddlewareHandler {
+
+    public static final String SWAGGER_CONFIG_NAME = "swagger-validator";
     public static final String CONFIG_NAME = "validator";
 
     static final String STATUS_MISSING_SWAGGER_OPERATION = "ERR10012";
 
     static final Logger logger = LoggerFactory.getLogger(ValidatorHandler.class);
 
-    static ValidatorConfig config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(CONFIG_NAME, ValidatorConfig.class);
+    static ValidatorConfig config;
+    static {
+        config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(SWAGGER_CONFIG_NAME, ValidatorConfig.class);
+        if(config == null) {
+            config = (ValidatorConfig)Config.getInstance().getJsonObjectConfig(CONFIG_NAME, ValidatorConfig.class);
+        }
+    }
 
     private volatile HttpHandler next;
 

diff --git a/swagger-validator/src/main/resources/config/validator.yml b/swagger-validator/src/main/resources/config/validator.yml
@@ -1,3 +1,5 @@
+# A generic light-4j framework validator configuration. If multiple frameworks are used in the
+# same server instance and they have different configurations. You can use swagger-validator.yml
 ---
 # Enable request validation. Response validation is not done on the server but client.
 enabled: true

diff --git a/swagger-validator/src/test/resources/config/swagger-validator.yml b/swagger-validator/src/test/resources/config/swagger-validator.yml
@@ -0,0 +1,8 @@
+# This is specific Swagger validator configuration file. It should be used if you have multiple
+# frameworks implemented in the same server instance and they all need to have different validator
+# configurations. If they share the same validator.yml then you can still use that one.
+---
+# Enable request validation. Response validation is not done on the server but client.
+enabled: true
+# Log error message if validation error occurs
+logError: true