4

i am getting 403 status Forbidden in swagger only for POST method request. I tried all spring security cfg to solve this but only works on the GET methods. I am using spring boot, spring security and swagger. ¿ Could someone please help me ? Here's swagger cfg:

@Configuration
@EnableSwagger2
public class SwaggerConfig {
    
    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)  
                .select()                                  
                .apis(RequestHandlerSelectors.any())              
                .paths(PathSelectors.any())                          
                .build();
    }
}

And here's the spring security cfg:

@Configuration
@EnableWebSecurity
public class SecurityCFG extends WebSecurityConfigurerAdapter{
    
    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = encoder();
        auth
          .inMemoryAuthentication()
          .withUser("carlos")
          .password(encoder.encode("admin123"))
          .roles("USER")
          .and()
          .withUser("carlos2")
          .password(encoder.encode("admin123"))
          .roles("USER", "ADMIN");
    }
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
          .antMatchers(
                  "/v2/api-docs", 
                  "/swagger-resources/**",  
                  "/swagger-ui.html", 
                  "/webjars/**" ,
                   /*Probably not needed*/ "/swagger.json")
          .permitAll()
          .anyRequest()
          .authenticated()
          .and()
          .httpBasic();
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/v2/api-docs/**");
        web.ignoring().antMatchers("/swagger.json");
        web.ignoring().antMatchers("/swagger-ui.html");
        web.ignoring().antMatchers("/swagger-resources/**");
        web.ignoring().antMatchers("/webjars/**");
    }
}

Thank for reading!

Gustavo Gutierrez
  • 41
  • 1
  • 1
  • 2
  • I've not seen anything happening with me. I believe it's because you're using http basic. Try using form login instead and see if that allow swagger. – Amit Mishra Nov 14 '20 at 18:50

2 Answers2

5

I had a similar issue the other week, this is how i got mine to work, i needed to add a bunch more matchers than i thought and add in the csrf disable but it seems to work ok.

@Bean(name="configure")
@Conditional(DevConditional.class)
public SecurityWebFilterChain configureDev(ServerHttpSecurity http) throws Exception {
    return http
            .csrf().disable()
            .authorizeExchange()
            .pathMatchers("/v2/api-docs").permitAll()
            .pathMatchers("/configuration/ui").permitAll()
            .pathMatchers("/swagger-resources/**").permitAll()
            .pathMatchers("/configuration/security").permitAll()
            .pathMatchers("/swagger-ui.html").permitAll()
            .pathMatchers("/swagger-ui/*").permitAll()
            .pathMatchers("/webjars/**").permitAll()
            .pathMatchers("/v2/**").permitAll()
            .and().cors()
            .and().oauth2ResourceServer()
            .jwt().and().and().build();
}

I got this ".csrf().disable()" answer from : Spring boot with WebFlux always throw 403 status in tests

octo-carrot
  • 240
  • 1
  • 11
0

I encountered the same problem in Spring Boot 3.

".csrf().disable()" worked for me.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
            .csrf().disable()
            .authorizeHttpRequests()
            .anyRequest().authenticated()
            .and()
            ...
            ...
            .build();
}
Vüsal Axundzadə
  • 1
  • 1