Spring Boot 3 – Configure Spring Security to Allow Swagger UI
Last updated: October 16, 2024
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITY1. Overview
In this tutorial, we’ll learn how to configure Spring Security to allow access to Swagger UI in a Spring Boot 3 application.
Swagger UI is a tool for documenting APIs. It provides a user-friendly interface to interact with the API and test endpoints. However, when we enable Spring Security in our application, the Swagger UI becomes inaccessible due to security restrictions.
We’ll explore how to set up Swagger in a Spring Boot 3 application and configure Spring Security to allow access to the Swagger UI.
2. Code Setup
Let’s start by setting up our application. We’ll add the necessary dependencies and create a simple controller. We’ll configure Swagger and test that the Swagger UI isn’t accessible. Then we’ll fix it by configuring Spring Security.
2.1. Add Swagger and Spring Security Dependencies
First, we’ll add the necessary dependencies to the pom.xml file:
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.6.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
The springdoc-openapi-starter-webmvc-ui is a Springdoc OpenAPI library that encapsulates Swagger. It contains the required dependencies and annotations to set up Swagger in the application.
The spring-boot-starter-security dependency provides Spring Security for the application. When we add this dependency, Spring Security is enabled by default and blocks access to all URLs.
The spring-boot-starter-web dependency is required to create APIs.
2.2. Controller
Next, let’s create a controller that has an endpoint:
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello() {
return "Hello, World!";
}
}
When we call the hello endpoint, it returns the string “Hello, World!”.
3. Configure Swagger
Next, let’s configure Swagger. We’ll set up the configuration to enable Swagger and add annotations to the controller.
3.1. Configuration Class
To configure Swagger, we need to create a configuration class:
@Configuration
public class SwaggerConfig {
@Bean
public GroupedOpenApi publicApi() {
return GroupedOpenApi.builder()
.group("public")
.pathsToMatch("/**")
.build();
}
}
Here, we’ve created a SwaggerConfig class and defined a publicApi() method that returns a GroupedOpenApi bean. This bean groups all the endpoints that match the specified path pattern.
We’ve defined a group public in the method and specified the path pattern as “/**”. This means that all the endpoints in the application will be included in this group.
3.2. Swagger Annotations
Next, let’s add Swagger annotations to the controller:
@Operation(summary = "Returns a Hello World message")
@GetMapping("/hello")
public String hello() {
return "Hello, World!";
} We added the @Operation annotation to the hello() method to describe the endpoint. This description will be displayed in the Swagger UI.
3.3. Testing
Now, let’s run the application and test the Swagger UI. By default, the Swagger UI should be accessible at http://localhost:8080/swagger-ui/index.html:
In the above image, we can see that the Swagger UI isn’t accessible. Instead, we’re prompted to enter the username and password. Spring Security wants to authenticate the user before allowing access to the URL.
4. Configure Spring Security to Allow Swagger UI
Now, let’s configure Spring Security to allow access to the Swagger UI. We’ll look at two ways to achieve this: using SecurityFilterChain and WebSecurityCustomizer.
4.1. Using WebSecurityCustomizer
An easy way to exclude paths from Spring Security is by using the WebSecurityCustomizer interface. We can disable Spring Security on specified URLs using this interface.
Let’s define a bean of type WebSecurityCustomizer in a configuration class:
@Configuration
public class SecurityConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring()
.requestMatchers("/swagger-ui/**", "/v3/api-docs*/**");
}
}The @Configuration annotation marks the class as a configuration class. Next, we define a bean of type WebSecurityCustomizer.
Here, we’ve used a lambda expression to define a WebSecurityCustomizer implementation. We’ve used the ignoring() method to exclude the Swagger UI URLs /swagger-ui/** and /v3/api-docs*/** from the security configuration.
This is useful when we want to ignore all security rules on a URL. It’s only recommended if the URL is internal and not public exposed as no security rules will apply to it.
4.2. Using SecurityFilterChain
Another way to override Spring Security’s default implementation is to define a SecurityFilterChain bean. Then we can allow Swagger URLs in the implementation we provide.
For this, we can define a SecurityFilterChain bean:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(
authorizeRequests -> authorizeRequests.requestMatchers("/swagger-ui/**")
.permitAll()
.requestMatchers("/v3/api-docs*/**")
.permitAll());
return http.build();
}This method configures the security filter chain to allow access to the Swagger UI URLs:
- We’ve used the authorizeHttpRequests() method to define the authorization rules.
- The requestMatchers() method is used to match the URLs. We’ve specified the Swagger UI URL patterns /swagger-ui/** and /v3/api-docs*/**.
- /swagger-ui/** is the URL pattern for the Swagger UI while /v3/api-docs*/** is the URL pattern for the OpenAPI documentation that Swagger calls to fetch the API information.
- We’ve used the permitAll() method to allow access to these URLs without authentication.
- And finally, we’ve returned the http.build() method to build the security filter chain.
This is the recommended approach to allow unauthenticated requests to certain URL patterns. These URLs will have Spring Security headers in the response. However, they won’t need user authentication.
4.3. Testing
Now, let’s run the application and test the Swagger UI again. The Swagger UI should be accessible now.
As we can see the page is accessible and contains information about our controller endpoint.
5. Conclusion
In this article, we learned how to configure Spring Security to allow access to the Swagger UI in a Spring Boot 3 application. We explored how to exclude the Swagger UI URL from the Spring Security configuration using the SecurityFilterChain and WebSecurityCustomizer interfaces.
