I have a spring project, where I have to document using swagger
I was able to do so by adapting the solution from this question:
Swagger POST return 403 Forbidden Spring boot Spring security
The resulting code in my Security Configuration is:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
            .disable()
        .cors()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/v3/api-docs").permitAll()
            .antMatchers("/configuration/ui").permitAll()
            .antMatchers("/swagger-resources/**").permitAll()
            .antMatchers("/configuration/security").permitAll()
            .antMatchers("/swagger-ui.html").permitAll()
            .antMatchers("/swagger-ui/*").permitAll()
            .antMatchers("/webjars/**").permitAll()
            .antMatchers("/v3/**").permitAll()
            // ...rest of the configuration
The problem is that I can skip security for the swagger UI on the default path, but I'm required to change it to "api/docs".
I do that by writing in my application.yaml:
springdoc:
  swagger-ui:
    url: /api/docs
But now I've lost access again to the swagger-ui.
What are the new antMatchers required to be able to access the swagger-ui at:
localhost:8080/api/docs?
This is the springdoc dependency I'm using:
<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-ui</artifactId>
    <version>1.6.11</version>
</dependency>
And this is my security configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
            .disable()
        .cors()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        // Rules are evaluated in order: the first antMatchers that matches a request decides it.
        .authorizeRequests()
            // springdoc-openapi 1.x serves the OpenAPI document at /v3/api-docs by default;
            // these /v2 matchers only cover it if springdoc.api-docs.path was changed to a /v2 path.
            .antMatchers("/v2/api-docs").permitAll()
            .antMatchers("/configuration/ui").permitAll()
            .antMatchers("/swagger-resources/**").permitAll()
            .antMatchers("/configuration/security").permitAll()
            .antMatchers("/swagger-ui.html").permitAll()
            .antMatchers("/swagger-ui/*").permitAll()
            .antMatchers("/webjars/**").permitAll()
            .antMatchers("/v2/**").permitAll()
            .antMatchers(HttpMethod.POST, AUTH_REGISTER_URL)
                .permitAll()
            .antMatchers(HttpMethod.POST, AUTH_LOGIN_URL)
                .permitAll()
            .antMatchers(HttpMethod.GET, ORGANIZATIONS_PUBLIC_URL)
                .permitAll()
            .antMatchers(HttpMethod.PATCH, ORGANIZATIONS_PUBLIC_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, USERS_ID_URL)
                .hasAnyRole(Role.USER.name(), Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, SLIDES_ID_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.PUT, CATEGORIES_ID_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, CATEGORIES_ID_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, MEMBERS_ID_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, TESTIMONIALS_ID_URL)
                .hasAnyRole(Role.USER.name(), Role.ADMIN.name())
            .antMatchers(HttpMethod.GET, COMMENTS_URL)
                .hasAnyRole(Role.ADMIN.name(), Role.USER.name())
            .antMatchers(HttpMethod.DELETE, COMMENTS_ID_URL)
                .hasAnyRole(Role.USER.name(), Role.ADMIN.name())
            .antMatchers(HttpMethod.DELETE, NEWS_ID_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.GET, SLIDES_URL)
                .hasAnyRole(Role.ADMIN.name(), Role.USER.name())
            .antMatchers(HttpMethod.POST, CATEGORIES_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.GET, CATEGORIES_ID_URL)
                .hasRole(Role.ADMIN.name())
            // Duplicate of the DELETE SLIDES_ID_URL rule above: the earlier rule (ADMIN only)
            // already matched, so this broader rule is never reached and USER cannot delete slides.
            .antMatchers(HttpMethod.DELETE, SLIDES_ID_URL)
                .hasAnyRole(Role.ADMIN.name(), Role.USER.name())
            .antMatchers(HttpMethod.POST, SLIDES_URL)
                .hasRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.PUT, ACTIVITIES_ID_URL)
                .hasAnyRole(Role.ADMIN.name())
            .antMatchers(HttpMethod.PUT, USERS_ID_URL)
                .hasAnyRole(Role.USER.name(), Role.ADMIN.name())
            .anyRequest()
                .authenticated()
            .and()
        .addFilterBefore(authorizationFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint());
}
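One way to keep the permit-all list in step with wherever springdoc is told to serve the UI, as an added example that is not part of the question or of springdoc's own code: instead of hard-coding the documentation paths into the security configuration, read the same properties springdoc reads (`springdoc.swagger-ui.path` is the property that moves the Swagger UI entry point; `springdoc.swagger-ui.url` instead points the UI at an OpenAPI document) and build the matchers from them. The class name `DocsSecurityConfig` and the `docsMatchers()` helper are hypothetical; the example assumes Spring Boot 2.x with `WebSecurityConfigurerAdapter`, as in the question, and springdoc-openapi 1.x defaults of `/swagger-ui.html` and `/v3/api-docs`.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical configuration class (added example, not from the question).
@Configuration
@EnableWebSecurity
public class DocsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Same property springdoc uses for the UI entry point; the default mirrors springdoc's own.
    // With "springdoc.swagger-ui.path: /api/docs" in application.yaml this becomes "/api/docs".
    @Value("${springdoc.swagger-ui.path:/swagger-ui.html}")
    private String swaggerUiPath;

    // Same property springdoc uses for the OpenAPI document location.
    @Value("${springdoc.api-docs.path:/v3/api-docs}")
    private String apiDocsPath;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // Documentation is read-only, so only GET is opened up; every other method
                // on these paths still falls through to anyRequest().authenticated().
                .antMatchers(HttpMethod.GET, docsMatchers()).permitAll()
                .anyRequest().authenticated();
    }

    // The set of paths springdoc needs reachable for the UI to load, derived from the properties
    // above so that changing the UI path in application.yaml cannot silently lock the UI out again.
    String[] docsMatchers() {
        return new String[] {
            swaggerUiPath,          // the configured entry point, e.g. /api/docs
            "/swagger-ui/**",       // static UI assets, served here regardless of the entry path
            apiDocsPath,            // the OpenAPI document itself
            apiDocsPath + "/**"     // swagger-config and per-group documents under it
        };
    }
}
```

Because the allow-list is built from the properties, a reviewer only has to check `application.yaml` to know what is exposed; if the documentation should not be public in production, the same `docsMatchers()` can be limited to a non-production profile rather than edited by hand in two places.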