2

There is a Spring Boot application that uses Spring Security. Added OpenApi Swagger to the project. The login request returns 403 even though added to permitAll(). Through Postman everything works fine.

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
            throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .cors().disable().csrf().disable().authorizeRequests()
                .antMatchers("/api/user/login").permitAll()
                .anyRequest().authenticated();

        return http.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
                           .antMatchers("/v3/api-docs/**")
                           .antMatchers("configuration/**")
                           .antMatchers("/swagger*/**")
                           .antMatchers("/webjars/**")
                           .antMatchers("/swagger-ui/**");
    }
}

I tried to register in the webSecurityCustomizer () method, but still nothing works.

build.gradle:

dependencies {
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.7.2'

    implementation group: 'com.microsoft.sqlserver', name: 'mssql-jdbc', version: '9.4.1.jre16'

    implementation group: 'org.json', name: 'json', version: '20220320'

    implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.6.10'

    implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'

    compileOnly 'org.projectlombok:lombok:1.18.24'

    annotationProcessor 'org.projectlombok:lombok:1.18.24'
}
observer
  • 2,925
  • 1
  • 19
  • 38
Artur Vartanyan
  • 589
  • 3
  • 10
  • 35

2 Answers2

0

try to use this configurations, these works for me `

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests().antMatchers( apiUrl + "/login","/user-openapi/**", "/swagger-ui/**", "/v3/api-docs/**","/index.html").permitAll()
                .anyRequest().authenticated()
                .and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }

`

knowNothing
  • 92
  • 3
0

I was struggling with the exact same problem. I decided to request for my swagger UI again and at the same time I opened the Developer Options of my Safari Browser, there was the place that I saw what Requests (Paths) are filtered out and Spring Security didn't allow to pass!

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http. // ...
            .antMatchers("/api/swagger-ui/**", "/v3/api-docs/**").permitAll()
            // ...

this works for me.

I am using Spring Boot version 2.7.3 and Springdoc-openapi-ui version 1.6.10

incondensable
  • 1
  • 1