
Issue: GET requests to the Swagger UI / OpenAPI endpoints are working, whereas other method types are giving a 403 error.

Dependency:

<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-ui</artifactId>
    <version>1.6.6</version>
</dependency>

Swagger Configuration:

import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
import io.swagger.v3.oas.annotations.servers.Server;
import org.springframework.context.annotation.Configuration;

@Configuration
@OpenAPIDefinition(servers = {
        @Server(url = "https://hostname")   // base URL the UI's "Try it out" requests are sent to
})
// The scheme name must be a compile-time String (the question had an unquoted `auth`);
// it is the name referenced from @SecurityRequirement on the operations.
@SecurityScheme(name = "auth", type = SecuritySchemeType.HTTP, bearerFormat = "JWT", scheme = "bearer")
public class SwaggerConfig {
}

Security Configuration:

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // unauthorizedHandler (an AuthenticationEntryPoint) and authenticationJwtTokenFilter()
    // are defined elsewhere in the application and were omitted from the question.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()   // CSRF off: auth is a bearer header, not a cookie
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // ignoring() removes these paths from the Spring Security filter chain entirely
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }
}

We have also tried ignoring these paths in WebSecurity: /swagger-resources/**, /webjars/**; it is still not working.

POST request error message: 403

Original edit: On some further research, found that it may be because of the nginx proxy. Everything is working fine on my local, but not working on other environments that are hosted behind the nginx proxy.

  • Does this answer your question? [How to configure Spring Security to allow Swagger URL to be accessed without authentication](https://stackoverflow.com/questions/37671125/how-to-configure-spring-security-to-allow-swagger-url-to-be-accessed-without-aut) – Dimitris Mar 22 '22 at 12:17
  • @Dimitris, tried all the solutions referred to in this link; none of them is working. – java_developer Mar 23 '22 at 12:29
  • I have used that in my application and it worked; the way I did it was to whitelist all the endpoints mentioned in that post. To handle it a bit more elegantly I also did it using the @Order annotation. So first I was using my regular security in @Order(1) and then whitelisting everything swagger-related in @Order(2). – Dimitris Mar 23 '22 at 15:06
  • any news how to resolve it? – Jan Testowy Apr 22 '22 at 12:33
  • I tried the solution provided by @Dimitris but it's not working. On some further research, found that it's because of the nginx proxy. Everything is working fine on my local, but not working on other environments that are hosted behind the nginx proxy. Haven't found the solution yet. – java_developer Apr 23 '22 at 13:25
  • If it works on your local but not on your proxy, you need to change the topic of your question. This is an nginx issue; what does your nginx.conf look like? What is the error that you face? – Dimitris Apr 25 '22 at 12:06
  • @Dimitris I'm not actively working on this issue. Will share the further update once I resume working. – java_developer Jun 09 '22 at 06:41

1 Answer

This is my solution, described in the comments. I also have a configuration for @Order(1) that is for the rest of my application.

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Swagger / OpenAPI paths that are served without authentication
    private static final String[] WHITELIST = {
            "/v2/api-docs",
            "/v3/api-docs",
            "/**/v3/api-docs",
            "/swagger-resources",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "**/swagger-ui.html",
            "/**/swagger-ui.html**",
            "/swagger-ui.html**",
            "/webjars/**"
    };

    // Second chain: the whitelisted paths are open; the @Order(1) chain (not shown) guards the rest
    @Configuration
    @Order(2)
    public static class SwaggerSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers(WHITELIST).permitAll();
            http.csrf().disable();
        }
    }
}
Dimitris
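Added example, not code from the question or the answer above: a two-chain Spring Security 5.x configuration for the springdoc 1.6.x default paths, written so that the Swagger chain is scoped to its own paths with `requestMatchers` and ordered first. A `WebSecurityConfigurerAdapter` chain that has no request matcher is consulted for every request, so ordering decides which chain wins; scoping the documentation chain avoids that ambiguity. It assumes a `JwtAuthenticationFilter` bean standing in for the question's `authenticationJwtTokenFilter()` and an `AuthenticationEntryPoint` bean standing in for `unauthorizedHandler`; both names are placeholders.

```java
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** springdoc-openapi 1.6.x defaults (springdoc.api-docs.path / springdoc.swagger-ui.path not overridden). */
    static final String[] SWAGGER_PATHS = {
            "/v3/api-docs", "/v3/api-docs/**",
            "/swagger-ui.html", "/swagger-ui/**",
            "/webjars/**"
    };

    /**
     * Chain 1: consulted only for the documentation paths (requestMatchers scopes the whole chain).
     * Everything there is public; these paths serve only the OpenAPI JSON and static UI assets.
     * Unlike web.ignoring(), the security filters (default headers, CORS) still run for them.
     */
    @Configuration
    @Order(1)
    public static class SwaggerChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers(m -> m.antMatchers(SWAGGER_PATHS))
                .csrf().disable()
                .authorizeRequests().anyRequest().permitAll();
        }
    }

    /**
     * Chain 2: every other request, stateless bearer-JWT authentication.
     * "Try it out" calls from the UI go to the real API paths and land here, not in chain 1,
     * so whitelisting documentation paths never affects whether a POST to the API is authorised.
     */
    @Configuration
    @Order(2)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        private final JwtAuthenticationFilter jwtFilter;            // assumed bean: parses Authorization: Bearer <JWT>
        private final AuthenticationEntryPoint unauthorizedHandler; // assumed bean: answers 401 on missing/invalid token

        public ApiChain(JwtAuthenticationFilter jwtFilter, AuthenticationEntryPoint unauthorizedHandler) {
            this.jwtFilter = jwtFilter;
            this.unauthorizedHandler = unauthorizedHandler;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.cors().and()
                .csrf().disable()   // acceptable only because credentials travel in a header, never in a cookie
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().anyRequest().authenticated();
            http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }
}
```

Because the documentation chain is scoped and ordered first, the API chain can stay a plain `anyRequest().authenticated()` with no Swagger exceptions at all. When a 403 appears only behind the proxy, compare the failing response with one captured locally: a 403 produced by Spring Security carries its default headers (`Cache-Control: no-cache, no-store, max-age=0, must-revalidate`, `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`), whereas a 403 generated by nginx itself is its own HTML error page without them, which tells you which layer to look at.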