昨天下午收到安全部门发的测试报告,被告知线上文档和部分接口存在未授权即可直接访问的漏洞。尝试在过滤器里屏蔽对应接口,但依然未能解决。于是尝试了网上的几种方案以后,最终处理妥当。具体如下:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.MethodParameter;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
import java.util.Arrays;
import java.util.List;
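/**
 * Gate for the Swagger {@code /v2/api-docs} endpoint.
 *
 * <p>Implemented as a {@link ResponseBodyAdvice} registered through {@link RestControllerAdvice}:
 * right before a {@code @ResponseBody} result is written, the request path is inspected and, when
 * Swagger is switched off in configuration, the API-docs body is replaced by a 403 response.
 *
 * <p>Scope note: a {@code ResponseBodyAdvice} only sees results produced by {@code @ResponseBody}
 * handlers. It therefore covers the JSON spec served at {@code /v2/api-docs}, but not other
 * Swagger artefacts that may be served as static resources; those need the same toggle applied
 * at the resource or security-filter level, or the docs should not be registered at all while
 * {@code swagger.enable} is {@code false}.
 *
 * @Author zf
 * @ClassName SwaggerAdvice.java
 * @Description Controls the api-docs switch: a ResponseBodyAdvice combined with @ControllerAdvice
 *              validates the request URL before the response body is written.
 * @ProjectName api-boot
 */
@RestControllerAdvice
public class SwaggerAdvice implements ResponseBodyAdvice<Object> {

    /**
     * Whether the API docs may be served. The property defaults to {@code false} when absent so
     * that a missing configuration key fails closed (docs blocked) instead of aborting startup.
     */
    @Value("${swagger.enable:false}")
    private boolean swaggerEnable;

    /**
     * Request paths whose response body is withheld while Swagger is disabled. Matching is by
     * substring (see {@link #beforeBodyWrite}), so a path served under a context prefix such as
     * {@code /app/v2/api-docs} is blocked as well; the check deliberately errs on the side of
     * blocking too much rather than too little.
     */
    private static final List<String> EXCLUDE_URL = Arrays.asList("/v2/api-docs");

    /** Body written in place of the API docs when access is denied. */
    private static final String DENIED_BODY = "没有权限!";

    /**
     * Replaces the response body with a 403 when Swagger is disabled and the request path matches
     * one of {@link #EXCLUDE_URL}; otherwise passes the handler result through untouched.
     *
     * @param o                  the body the handler returned
     * @param methodParameter    the handler return type (unused)
     * @param mediaType          the selected content type (unused)
     * @param aClass             the selected message converter (unused)
     * @param serverHttpRequest  the current request; only its URI path is consulted
     * @param serverHttpResponse the current response; status is set to 403 when access is denied
     * @return {@code o}, or {@link #DENIED_BODY} when the docs are blocked
     */
    @Override
    public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType,
            Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest,
            ServerHttpResponse serverHttpResponse) {
        // The configuration switch alone decides: when Swagger is enabled nothing is filtered.
        if (swaggerEnable) {
            return o;
        }
        // Match on the path only. The host part never contains '/', so prefixing it (as the
        // original host + path concatenation did) cannot change the outcome, while URI.getHost()
        // may be null and would only pollute the string being matched.
        String path = serverHttpRequest.getURI().getPath();
        if (path != null && EXCLUDE_URL.stream().anyMatch(path::contains)) {
            serverHttpResponse.setStatusCode(HttpStatus.FORBIDDEN);
            // NOTE(review): presumably the api-docs handler is written by the JSON converter, in
            // which case this String is emitted as a JSON string literal; confirm for other converters.
            return DENIED_BODY;
        }
        return o;
    }

    /**
     * Applies to every {@code @ResponseBody} result regardless of converter, so the path check in
     * {@link #beforeBodyWrite} is the single decision point.
     *
     * @param methodParameter the handler return type (unused)
     * @param aClass          the selected message converter (unused)
     * @return always {@code true}
     */
    @Override
    public boolean supports(MethodParameter methodParameter,
            Class<? extends HttpMessageConverter<?>> aClass) {
        return true;
    }
}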
application.yml:
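# Swagger switch, read by SwaggerAdvice via ${swagger.enable}.
# false (the safe default) makes /v2/api-docs answer with 403 instead of the API spec.
swagger:
  enable: false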
本文参考自:简书(点击访问原文)