Allow anonymous access to springdoc-openapi-ui with Spring Security

Additionally to Evgeniy's answer, I'd add the proper configuration to avoid conflicts with document fetching used in Swagger's UI (such js, html, images and other files), also in the SecurityConfig class like this:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
   //Other configuration methods
   
   @Override
   public void configure(WebSecurity web) {
    web.ignoring()
    .antMatchers("/v3/api-docs/**", "/swagger-ui/**");
   }
}

Without this configuration, even though the UI looks like It's loaded, a 401: Unauthorized may arise on the background calls when loading the above mentioned files.


To use springdoc-openapi-ui /swagger-ui.html, allow anonymous access to the following endpoints in the WebSecurityConfigurerAdapter using permitAll method:

  • /v3/api-docs/**
  • /swagger-ui/**
  • /swagger-ui.html

Example:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.
        .authorizeRequests()
        .antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
        .anyRequest().authenticated()
        .and()
        .httpBasic(); //or anything else, e.g. .oauth2ResourceServer().jwt()
  }
}

Make sure a project has the following dependencies:

  • org.springdoc:springdoc-openapi-ui
  • org.springdoc:springdoc-openapi-security