Swagger and Spring Security

If your project uses Spring Security and you have added Swagger to it, then there is a little additional configuration you need to do to make your /v2/api-docs and swagger-ui.html pages work.

Enable Swagger URLs in Spring Security Project

To enable Swagger URLs in a RESTful Web Services project built with Spring Boot and the Spring Security framework, add the following configuration to the Java class which extends WebSecurityConfigurerAdapter and is annotated with @EnableWebSecurity.

.antMatchers("/v2/api-docs", "/configuration/**", "/swagger*/**", "/webjars/**")
.permitAll()
.anyRequest().authenticated()

Below is an example of my WebSecurity Java class with the needed configuration to enable Swagger URLs.

package com.appsdeveloperblog.app.ws.security;

import com.appsdeveloperblog.app.ws.service.UserService;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

    private final UserService userDetailsService;
    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    public WebSecurity(UserService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable()
                .authorizeRequests()
                // Sign-up stays open so that new users can register.
                .antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_URL)
                .permitAll()
                // Swagger URLs are served without authentication.
                .antMatchers("/v2/api-docs", "/configuration/**", "/swagger*/**", "/webjars/**")
                .permitAll()
                // Every other request requires an authenticated user.
                .anyRequest().authenticated().and()
                .addFilter(new AuthenticationFilter(authenticationManager()))
                .addFilter(new AuthorizationFilter(authenticationManager()))
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Turns off the X-Frame-Options response header.
        http.headers().frameOptions().disable();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }
 
}

Once you add the antMatchers shown above to your WebSecurity Java class, the /v2/api-docs and swagger-ui.html pages should start working. When opening these URLs, do not forget to include the context path configured in your application.properties file. For example, if your application.properties file has the following entries:

server.servlet.context-path=/mobile-app-ws
server.port=8888

then you will need to open the /v2/api-docs and swagger-ui.html pages this way:

http://localhost:8888/mobile-app-ws/swagger-ui.html

and

http://localhost:8888/mobile-app-ws/v2/api-docs
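
Because permitAll() publishes the API documentation to anyone who can reach the application, here is a variant of the WebSecurity class shown earlier that opens the Swagger URLs only when a property is set. It is an added example, not part of the original tutorial code; the property name app.swagger.public is a hypothetical name chosen for illustration, and everything else is carried over from the class above.

```java
package com.appsdeveloperblog.app.ws.security;

import com.appsdeveloperblog.app.ws.service.UserService;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

    private static final String[] SWAGGER_URLS =
            {"/v2/api-docs", "/configuration/**", "/swagger*/**", "/webjars/**"};

    private final UserService userDetailsService;
    private final BCryptPasswordEncoder bCryptPasswordEncoder;
    private final boolean swaggerPublic;

    // "app.swagger.public" is a hypothetical property name. It defaults to false,
    // so the documentation stays behind authentication unless explicitly opened.
    public WebSecurity(UserService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder,
                       @Value("${app.swagger.public:false}") boolean swaggerPublic) {
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
        this.swaggerPublic = swaggerPublic;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        if (swaggerPublic) {
            // Registered before anyRequest(), which has to be the last rule.
            http.authorizeRequests().antMatchers(SWAGGER_URLS).permitAll();
        }
        http.authorizeRequests()
                .antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_URL).permitAll()
                .anyRequest().authenticated().and()
                .addFilter(new AuthenticationFilter(authenticationManager()))
                .addFilter(new AuthorizationFilter(authenticationManager()))
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.headers().frameOptions().disable(); // unchanged from the class above
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }
}
```

With this variant, adding app.swagger.public=true to the application.properties of a development environment opens the Swagger pages there, while a deployment that leaves the property unset requires authentication for them like any other request.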

If you are confused about other details on how to add Swagger to your Spring Boot application, have a look at my other tutorial, How to Add Swagger to a Spring Boot REST API Project.
