swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Swagger UI Open API sending 403 response status for POST, PUT and DELETE Requests #7925

Open shilpi-incedo opened 2 years ago

shilpi-incedo commented 2 years ago

Issue: the GET request for the Swagger UI OpenAPI is working, whereas other method types give a 403 error.

Dependency :

<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-ui</artifactId>
    <version>1.6.6</version>
</dependency>

Swagger Configuration :

import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
import io.swagger.v3.oas.annotations.servers.Server;
import org.springframework.context.annotation.Configuration;

@Configuration
// Base URL that Swagger UI uses for "Try it out" requests; if it differs from the
// origin serving the UI page, the browser treats every call as cross-origin.
@OpenAPIDefinition(servers = {
        @Server(url = "https://hostname")
})
// Declares the bearer-JWT scheme so the UI adds an Authorization header.
@SecurityScheme(name = "auth", type = SecuritySchemeType.HTTP, bearerFormat = "JWT", scheme = "bearer")
public class SwaggerConfig {
}

Security Configuration :

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // unauthorizedHandler (an AuthenticationEntryPoint) and authenticationJwtTokenFilter()
    // are application classes not shown in the issue.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .anyRequest().authenticated();

        // JWT filter runs before the form-login filter so the token is validated first.
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Paths listed here bypass the whole security filter chain, not just the authorization rules.
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }
}

We have also tried ignoring these paths in WebSecurity: /swagger-resources/**, /webjars/**. It is still not working.

bielas commented 2 years ago

any news?

jonathanmdr commented 2 years ago

I have the same problem, any news to share?

shilpi-incedo commented 2 years ago

After analysing further, we found it works fine on our local environments but gives the issue on another server, as that one is hosted behind an nginx proxy. We haven't found a good solution to allow this by changing the proxy configuration.

S2econdBlue commented 1 year ago

I think it's late, but I'll comment on this.

[ .anyRequest().authenticated() ] is the error of origin.

But that code is necessary for security... this is hard.

lcphuoc commented 5 months ago

I also had the same problem, then I changed the API testing tool to Insomnia, and I called PUT, POST and DELETE requests successfully.

LKHOJIEV commented 4 months ago

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // jwtAuthorizationFilter is an application filter not shown in the comment.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                // springdoc paths stay inside the filter chain but are open to anonymous callers.
                .requestMatchers(
                        "/v1/api/get-token",
                        "/swagger-ui.html",
                        "/swagger-ui/*",
                        "/v3/api-docs/**",
                        "/swagger-resources/**",
                        "/webjars/**").permitAll()
                .anyRequest().authenticated()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

This is my security config and it is working fine with this dependency:

<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
    <version>2.0.2</version>
</dependency>
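The configurations in this thread either exclude the springdoc paths from security entirely (web.ignoring()) or leave CORS unconfigured, and both make a 403 hard to attribute. The block below is an added example, not code from the issue or from the swagger-ui or springdoc projects. It targets Spring Security 6 / Spring Boot 3 (the generation that matches springdoc-openapi-starter-webmvc-ui 2.x) and keeps .anyRequest().authenticated() while handling the cross-origin case explicitly: the @Server URL in the OpenAPI definition is where Swagger UI sends "Try it out" calls, so when that origin differs from the one serving the UI page, every POST, PUT and DELETE with a JSON body and an Authorization header is preceded by a preflight OPTIONS request that carries no token. The class name ApiSecurityConfig, the JwtAuthorizationFilter type and the origin https://docs.example.com are assumptions for illustration.

```java
// Added example (not from the issue thread). Assumptions: a JwtAuthorizationFilter bean
// exists in the application, and Swagger UI is served from https://docs.example.com.
package com.example.security;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    private final JwtAuthorizationFilter jwtAuthorizationFilter; // hypothetical application filter

    public ApiSecurityConfig(JwtAuthorizationFilter jwtAuthorizationFilter) {
        this.jwtAuthorizationFilter = jwtAuthorizationFilter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: there is no session cookie for CSRF to protect, and
            // an enabled CsrfFilter would answer POST/PUT/DELETE without a token with 403.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Registering a CorsConfigurationSource makes CorsFilter answer valid preflight
            // OPTIONS requests before authorization runs; the preflight never carries the
            // Authorization header, so without this it would be rejected.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Unauthenticated callers get 401; 403 is then reserved for callers that are
            // authenticated but not allowed, which keeps the two failures distinguishable.
            .exceptionHandling(eh ->
                eh.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth
                // springdoc assets are public but stay inside the chain (permitAll) rather than
                // being excluded with WebSecurity.ignoring(), so security headers and CORS
                // handling still apply to them.
                .requestMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
                // OPTIONS requests that are not CORS preflights (CorsFilter already answered those).
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origin of the Swagger UI page (assumed); a wildcard origin is not accepted by
        // browsers for requests that carry an Authorization header with credentials enabled.
        config.setAllowedOrigins(List.of("https://docs.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Before changing the application at all, check where the 403 is produced: a response generated by nginx itself carries its default HTML error page and never reaches this filter chain, whereas a Spring Boot error body is JSON with status, error and path fields. With the entry point above, a 403 from the application means the JWT was accepted but the request was still denied, and a 401 means the token never arrived, which is the case to expect when a preflight is being rejected.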