swagger-ui "Try it out" does not observe HTTPS URL. It uses HTTP instead


jlist9

Apr 22, 2015, 5:15:17 PM
to swagger-sw...@googlegroups.com
Hi all,

The gist of my problem is that the "Try it out" button doesn't use the https:// URL that my server is running on. Instead, it tries the "http://" URL. The server sends a 302 to redirect HTTP, but swagger-ui doesn't redirect. Below are the details.

I'm using swagger-jersey-jaxrs 1.5.3-M1 to dynamically serve swagger.json. I have Jersey2Config in web.xml that sets swagger.api.basepath to /api, which is our API base URL. I include a static copy of the swagger-ui files on the same web server. Swagger-ui renders the page correctly. However, when I use the "Try it out" button to get a GET comment, swagger-ui shows the moving dots image and the animation never stops. No error is returned in the UI. In the browser's JavaScript console, I get an error:

Mixed Content: The page at 'https://<my_internal_host>/swagger-ui/#!/v1/getObject' (modified to remove company specific info) was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<my_internal_host>/api/v1/object' (modified to remove company specific info). This request has been blocked; the content must be served over HTTPS.

If I replace "http" with "https" in the URL where it's trying to call the API ('http://<my_internal_host>/api/v1/object'), everything works. If I use the browser with the http URL, it will redirect to the https URL and it works.

So there seem to be two issues here:

1. For some reason swagger-ui is not using the https URL even though swagger-ui itself is served with an https URL.

2. Even though the server returns an HTTP 302 to redirect to https, swagger-ui does not do the redirect.

I'm hoping to find a solution for issue #1. If I do find a solution, I won't hit issue #2. Any help is appreciated!

Jack


jlist9

Apr 22, 2015, 5:33:08 PM
to swagger-sw...@googlegroups.com
Minor correction - it's probably not swagger-ui's fault that it's not redirecting to https. It's likely that the browser never made that call to http because the main page is loaded with https. The main question still remains - why does swagger-ui use the http URL and not https URL?

jlist9

Apr 22, 2015, 6:45:56 PM
to swagger-sw...@googlegroups.com
Found the problem. In the swagger.json served by the swagger listing resource, the "schemes" field has ["http"]. I looked at the source code. The "schemes" field is populated from parsing the "swagger.api.basepath" URL. Once I changed it to "https:///api", schemes is populated with ["https"], which is what I wanted. Hope this helps others who have this problem.
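A check for the condition found in this thread, as an added example that is not part of the original posts and is not swagger-ui or swagger-core code: it reads the `schemes`, `host` and `basePath` fields of a Swagger 2.0 document and reports which resulting base URLs a browser would block as mixed content on the page serving the UI. The function names, the host `docs.example.test` and the sample documents are constructed for illustration.

```javascript
// Simplified model of how a client derives request URLs from a Swagger 2.0
// document; it does not reproduce swagger-ui's actual URL-building code.
function auditSchemes(spec, pageUrl) {
  const page = new URL(pageUrl);
  const pageScheme = page.protocol.replace(':', '');
  // Swagger 2.0 defaults: a missing `schemes` means the scheme used to fetch
  // the definition; a missing `host` means the host serving the documentation.
  const schemes = Array.isArray(spec.schemes) && spec.schemes.length
    ? spec.schemes
    : [pageScheme];
  const host = spec.host || page.host;
  const basePath = spec.basePath || '/';
  return schemes.map((scheme) => {
    const cleartext = scheme === 'http' || scheme === 'ws';
    return {
      baseUrl: `${scheme}://${host}${basePath}`,
      // Browsers block cleartext requests issued from an HTTPS page, so a
      // 302 from http to https on the server is never reached.
      mixedContent: page.protocol === 'https:' && cleartext,
    };
  });
}

// True when at least one declared scheme would be blocked on this page.
function hasMixedContent(spec, pageUrl) {
  return auditSchemes(spec, pageUrl).some((r) => r.mixedContent);
}

// Constructed sample inputs (not taken from a real deployment).
const SAMPLE_PAGE = 'https://docs.example.test/swagger-ui/';
const SAMPLE_BAD = { swagger: '2.0', schemes: ['http'], basePath: '/api' };
const SAMPLE_FIXED = { swagger: '2.0', schemes: ['https'], basePath: '/api' };
const SAMPLE_DEFAULT = { swagger: '2.0', basePath: '/api' };

for (const [name, spec] of Object.entries({ SAMPLE_BAD, SAMPLE_FIXED, SAMPLE_DEFAULT })) {
  for (const r of auditSchemes(spec, SAMPLE_PAGE)) {
    console.log(`${name}: ${r.baseUrl} ${r.mixedContent ? 'BLOCKED (mixed content)' : 'ok'}`);
  }
}
```

Running this against the generated swagger.json in a build or deployment check catches an `["http"]` scheme before the UI is published behind HTTPS.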