Swagger UI Open API sending 403 response status for POST, PUT and DELETE Requests

Open shilpi-incedo opened this issue 3 years ago • 5 comments

Issue: GET requests from the Swagger UI OpenAPI page are working, whereas other method types are giving a 403 error.

Dependency:

<dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-ui</artifactId>
        <version>1.6.6</version>
</dependency>

Swagger Configuration:

@Configuration
@OpenAPIDefinition(servers = {
        @Server(url = "https://hostname")
})
// The scheme name must be a String literal (or a constant) for the annotation to compile
@SecurityScheme(name = "auth", type = SecuritySchemeType.HTTP, bearerFormat = "JWT", scheme = "bearer")
public class SwaggerConfig {
}

Security Configuration:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }
}

We have also tried ignoring these paths: /swagger-resources/**, /webjars/** in WebSecurity, but it's still not working.

shilpi-incedo avatar Mar 22 '22 10:03 shilpi-incedo

Any news?

bielas avatar Apr 22 '22 12:04 bielas

I have the same problem. Is there any news to share?

jonathanmdr avatar Jun 09 '22 06:06 jonathanmdr

After analysing further, we found it's working fine on our local environments but giving issues on other servers, as they are hosted behind an nginx proxy. We haven't got any good solution to allow this by changing proxy configurations.

shilpi-incedo avatar Jun 09 '22 06:06 shilpi-incedo

I think it's late, but I'll comment on this.

[ .anyRequest().authenticated() ] is error of Origin.

But that code is necessary for security... this is hard.

S2econdBlue avatar Nov 08 '22 08:11 S2econdBlue

I also had the same problem. Then I changed my API testing tool to Insomnia, and I called PUT, POST and DELETE requests successfully.

lcphuoc avatar Jan 11 '24 02:01 lcphuoc

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

    http.csrf().disable()
            .authorizeRequests()
            .requestMatchers(
                    "/v1/api/get-token",
                    "/swagger-ui.html",
                    "/swagger-ui/*",
                    "/v3/api-docs/**",
                    "/swagger-resources/**",
                    "/webjars/**").permitAll()
            .anyRequest().authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}

This is my security config, and it is working fine with this dependency:

<dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
        <version>2.0.2</version>
</dependency>

LKHOJIEV avatar Feb 23 '24 18:02 LKHOJIEV