Geek Culture
Published in

Geek Culture

Filtering Some Methods on Swagger By PermissionID on .Net 6.0

Today we will talk about filtering the swagger. As seen below, our swagger document is public and can be seen by everyone. But what if we don’t want some methods to show up by some clients for security or business decisions.


Swagger methods can be filtered, by using “DocumentFilter”. The key is “swaggerDoc.Paths”. Swagger recognizes methods by their paths. We call it routing. On the below, we see “GetAllUsersByTable()” method’s routing. So swagger know this method as a “/user/getallusersbytable/{tablename}

If we want to hide this method from some users, we have to say to swagger don’t bring this method by its path.

Fill SQL Table By Swagger Document (KEY) Method’s Path:

Firstly we need to collect all these swagger document keys, with a uniqueID in a SQL Table. Create Swagger_Service table as below.

It is time to fill this Swagger_Service table automaticly for once.

DocumentFilter : We need the give a document to swagger for filtering while configuring it. We will create an Empty DocumentFilter as Below. It is inherited from the “IDocumentFilter” interface and Implemented the “Apply()” method.


We have to add this Document Filter to the Swagger in “Startup.cs” on the “AddSwaggerGen()” method for security. And for extra caution, I prefer to remove all Scheme of the methods at the end of the swagger document on the “UseSwaggerUI()” method as below:



We created the Swagger_Service table, which is saved all method’s paths. And we created DocumentFilter. Now it is time to fill all data to MsSqlDB once for all :) This code block must work only once

  • Firstly we got all method’s paths from => “swaggerDoc.Paths
  • We used Entity DBContext for DB tools. We got DBContext by using the “GetVbtContext()” method, which I will show next chapter.
  • We got all Keys and removed the “/api/” tag and converted all characters to lower for more readable data.
  • SwaggerService is our Entity model. We filled it, with all swaggerDoc keys.
  • AddRange(swaggerList) => If (swaggerList.Count > 3) then all data will Bulk Insert to the DB, if the length is less than three, every data will Insert one by one with .Net 6.0 EntityFramework.



This is how we create the Entity VbtContext for using MsSqlDB operations.

After we inserted all keys to the SWAGGER_SERVICE table, they look as below. These keys are all WebService paths that we declared top of the Methods.

Create Dummy Data for Permitted Paths of Users

Now it is time to create dummy data, who can see some methods and who can not.

Create “User_Swagger” Table as below:

  • “UrlId” is the unique id for every user. We could use “IdUser” too. But for security, I preferred at least 6 digits unique number per user. We will use it, for filtering the swagger’s path for every user.
  • “IdUser” is the user’s unique ID. It is related to [DB_USER] table.
  • “IdSwagger” is related to the “[SWAGGER_SERVICE]” table.

Now it is time to fill “User_Swagger” table with Dummy Data

SqlServer(Row SQL): We will execute these queries for creating dummy data of 3 user permissions as seen below.

After we inserted all data into the USER_SWAGGER table, they look as below.

Filtering Swagger Document:

Startup.cs: Firstly, we have to allow access to the HttpContext, to get from anywhere from the project on startup.cs as below.


Now let’s get the parameter “Id” from the URL and filter the swagger.

  • We will get the current HttpContect by using HttpContextAccessor. We will use it for getting the URL path.
  • We will get Url by using “_httpContext”. And parsing ID from URL by using “PareQueryString()” method. And finally, we will check “id” is null or not.
  • We will use Entity 6.0 for DB operations. So we will create “dbContext” with “Using{}”. We will get the all User accessible method’s paths from the “UserSawagger” table by using the unique Url parameter Id. It is unique 6 digit [USER_SWAGGER] UrlId. And we set it swaggerKeys variable.

Not: Don’t forget the use “AsNoTracking()” method for improve entity performance, when only reading data.

  • We will exclude all method paths from the project which is not included in the user’s permitted paths. Long story short, we will get the forbidden paths for this user. And we will remove these excluded paths from the “swaggerDoc.Paths” by using “Remove()” method. And finally, this user will not see some paths, which has or her not permitted to access.



Swagger is a public document. But in some cases, we may want to hide some routes for specific roles or users. One of the important things is, keeping updated to the “USER_SWAGGER” table. In the working process, Controllers can be deleted or Updated. And while the developing period, new controllers can be added. So maybe it is better to update the “USER_SWAGGER” table automatically by using microservice or daily jobs.

For security reasons, if you encrypt the UrlID and decrypt it while reading, could be safer. Because a readable 6 digit number could be easy to remember.

I hope this article helped you to understand how to filter methods on the swagger document. See you later until the next article. Bye.

“If you have read so far, first of all, thank you for your patience and support. I welcome all of you to my blog for more!”




A new tech publication by Start it up (

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bora Kaşmer

I have been coding since 1993. I am computer and civil engineer. Microsoft MVP. Senior Software Architect. Ride motorcycle. Gamer. Have two daughters.