Help needed: Swagger UI does not show the Bearer access token input field
Hey there, let’s work through why your Swagger UI isn’t showing the Bearer token input field—this is a common hiccup when pairing OAuth2 with Swagger, and we can sort it out quickly.
The Core Issue
Right now, you’re using @ApiImplicitParam to document the Authorization header per endpoint, but Swagger UI won’t automatically render a global token input unless you explicitly define security schemes and contexts in your Swagger configuration. Those per-endpoint annotations help with documentation, but they don’t add the handy "Authorize" button that lets you input a token once for all secured endpoints.
Step 1: Add a Swagger Configuration Class
Create or update your Swagger config to define the Bearer token security scheme and apply it to all relevant endpoints. Here’s a complete, ready-to-use example:
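```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2 // Use @EnableOpenApi instead if you're on Springfox 3.x
public class SwaggerConfig {

    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                // Replace with your actual controller package
                .apis(RequestHandlerSelectors.basePackage("your.controller.package.here"))
                .paths(PathSelectors.any())
                .build()
                // Define the Bearer token authentication scheme
                .securitySchemes(List.of(apiKey()))
                // Apply this security requirement to all endpoints
                .securityContexts(List.of(securityContext()));
    }

    private ApiKey apiKey() {
        // Maps to the "Authorization" header in requests. An apiKey value is sent
        // exactly as typed, so enter "Bearer <token>" in the Authorize dialog.
        return new ApiKey("Bearer", "Authorization", "header");
    }

    private SecurityContext securityContext() {
        return SecurityContext.builder()
                .securityReferences(defaultAuth())
                .forPaths(PathSelectors.regex("/.*")) // Apply to all API paths
                .build();
    }

    private List<SecurityReference> defaultAuth() {
        AuthorizationScope globalScope = new AuthorizationScope("global", "Access all API endpoints");
        // The reference name must match the ApiKey name ("Bearer") above
        return List.of(new SecurityReference("Bearer", new AuthorizationScope[]{globalScope}));
    }
}
```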
Step 2: Whitelist Swagger Paths in Spring Security
If you have Spring Security enabled, make sure Swagger UI and its related endpoints aren’t blocked by your security rules. Add this to your Spring Security config:
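```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Allow unauthenticated access to Swagger resources
                // (Springfox 2.x serves the UI at /swagger-ui.html; add that path if you are on 2.x)
                .antMatchers("/swagger-ui/**", "/v2/api-docs", "/swagger-resources/**", "/webjars/**").permitAll()
                // Secure all other endpoints
                .anyRequest().authenticated();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // ignoring() takes these paths out of the Spring Security filter chain entirely,
        // so they also lose its security response headers; permitAll() above keeps the chain
        web.ignoring().antMatchers("/swagger-ui/**", "/v2/api-docs", "/swagger-resources/**", "/webjars/**");
    }
}
```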
Step 3: (Optional) Clean Up Per-Endpoint Annotations
Once the global Swagger security config is in place, you can remove the @ApiImplicitParam from your endpoints if you want—Swagger will automatically document the Authorization header and display the "Authorize" button. If you prefer to keep the annotation for extra clarity, that’s totally fine too; the global config will still handle the UI input field.
Why This Works
The securitySchemes setting tells Swagger about the Bearer token authentication method, while securityContexts applies this security requirement to all your endpoints. This triggers Swagger UI to render the "Authorize" button, where you can input your Bearer access_token once; after that, it will automatically include the header in all subsequent requests to secured endpoints.
Give these changes a test run—this should resolve the missing token input field issue you’ve been stuck on!
The question in this content comes from Stack Exchange; question author: Gabriel Pulga
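A way to confirm the configuration took effect is to inspect the Swagger 2.0 document served at /v2/api-docs, since that JSON is what Swagger UI reads to decide whether to show "Authorize" and which operations get the header. The following is an added example, not code from the original answer or from Springfox; the function name and the sample document are constructed for illustration, and the scheme name "Bearer" is taken from the configuration above.

```python
import json

# Constructed sample of a Swagger 2.0 document such as /v2/api-docs returns.
SAMPLE_API_DOCS = json.loads("""
{
  "securityDefinitions": {
    "Bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}
  },
  "paths": {
    "/orders": {
      "get": {"security": [{"Bearer": ["global"]}]},
      "post": {"parameters": [{"name": "Authorization", "in": "header"}]}
    },
    "/health": {"get": {}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def audit_bearer_scheme(doc, scheme="Bearer"):
    """Return findings that explain a missing or partial Authorize button."""
    findings = []
    definition = doc.get("securityDefinitions", {}).get(scheme)
    if definition is None:
        findings.append(f"securityDefinitions has no '{scheme}' scheme")
    elif (definition.get("type"), definition.get("in"),
          definition.get("name")) != ("apiKey", "header", "Authorization"):
        findings.append(f"'{scheme}' is not an apiKey in the Authorization header")
    # A top-level "security" entry applies to every operation lacking its own.
    global_refs = doc.get("security", [])
    for path, item in sorted(doc.get("paths", {}).items()):
        for method, op in sorted(item.items()):
            if method not in HTTP_METHODS:
                continue  # e.g. a path-level "parameters" list
            refs = op.get("security", global_refs)
            if not any(scheme in ref for ref in refs):
                findings.append(f"{method.upper()} {path}: no '{scheme}' requirement")
            if any(p.get("in") == "header" and p.get("name") == "Authorization"
                   for p in op.get("parameters", [])):
                findings.append(f"{method.upper()} {path}: per-endpoint Authorization parameter")
    return findings


if __name__ == "__main__":
    for finding in audit_bearer_scheme(SAMPLE_API_DOCS):
        print(finding)
```

An operation reported without a requirement is not unprotected; Spring Security still enforces authentication, but Swagger UI will not attach the token to that call.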




