I have an application with only REST endpoints. I have enabled oauth2 token security via:
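
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

    @Configuration
    @EnableAuthorizationServer
    public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                // Client limited to the client_credentials grant
                .withClient("xxx").secret("xxx").accessTokenValiditySeconds(3600)
                .authorizedGrantTypes("client_credentials")
                .scopes("xxx", "xxx")
                .and()
                // Client limited to the password and refresh_token grants
                .withClient("xxx").secret("xxx").accessTokenValiditySeconds(3600)
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("xxx", "xxx");
        }
    }
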
Now if I try to access any of my endpoints I get 401 Unauthorized, and I first have to get the access_token via the /oauth/token?grant_type=client_credentials or /oauth/token?grant_type=password calls. The REST endpoints work as expected if I add the proper Authorization header with the token returned in the previous call.
However, I am unable to access the swagger-ui page. I have enabled swagger via:
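
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import springfox.documentation.builders.PathSelectors;
    import springfox.documentation.builders.RequestHandlerSelectors;
    import springfox.documentation.spi.DocumentationType;
    import springfox.documentation.spring.web.plugins.Docket;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @EnableSwagger2
    public class SwaggerConfig {

        // Document only the handlers in com.xxx whose paths match /xxx/.*
        @Bean
        public Docket productApi() {
            return new Docket(DocumentationType.SWAGGER_2)
                .select().apis(RequestHandlerSelectors.basePackage("com.xxx"))
                .paths(PathSelectors.regex("/xxx/.*"))
                .build();
        }
    }
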
If I go to localhost:8080/swagger-ui.html I get:

    <oauth>
        <error_description>
            Full authentication is required to access this resource
        </error_description>
        <error>unauthorized</error>
    </oauth>

So I added the following to be able to access Swagger:
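
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

        // Exclude the Swagger UI resources from the Spring Security filter chain
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/swagger-ui.html")
                .antMatchers("/webjars/springfox-swagger-ui/**")
                .antMatchers("/swagger-resources/**")
                .antMatchers("/v2/api-docs");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
        }
    }
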
And in the @EnableWebMvc class I added:

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("swagger-ui.html")
            .addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("/webjars/**")
            .addResourceLocations("classpath:/META-INF/resources/webjars/");
    }

Now I can access the Swagger UI page, but my security for the REST endpoints is messed up. By that I mean, the client_credentials endpoints no longer require a token, and the password endpoints give a 403 Forbidden no matter what I do.
I think my approach is wrong but I don't know what. Basically I want:
How do I achieve this?
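This is how I fixed it. I removed the class that extends WebSecurityConfigurerAdapter (see above) and replaced it with this:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Require a token for the REST endpoints under /xxx/
            http.authorizeRequests().antMatchers("/xxx/**").authenticated();
            // Everything else, including the Swagger UI, is open
            http.authorizeRequests().anyRequest().permitAll();
            http.csrf().disable();
        }
    }
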
To enable token authentication on the swagger page I followed this tutorial: http://www.baeldung.com/swagger-2-documentation-for-spring-rest-api
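
An added example, not part of the original answer: a deny-by-default variant of the resource server configuration above. It allow-lists only the Swagger paths from the question and requires a token for every other request, so an endpoint added later outside /xxx/** is not public by default. The class name StrictResourceServerConfig and the @EnableResourceServer annotation are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer // assumption: omit if the resource server is already enabled elsewhere
public class StrictResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Swagger UI resources, taken from the ignore list in the question.
    private static final String[] SWAGGER_PATHS = {
        "/swagger-ui.html",
        "/webjars/springfox-swagger-ui/**",
        "/swagger-resources/**",
        "/v2/api-docs"
    };

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection disabled, as in the original answer.
            .csrf().disable()
            .authorizeRequests()
                // Rules are evaluated in order and the first match wins:
                // the documentation resources stay reachable without a token...
                .antMatchers(SWAGGER_PATHS).permitAll()
                // ...and every other path needs a valid access token.
                .anyRequest().authenticated();
    }
}
```

Serving /v2/api-docs without authentication publishes the full endpoint list, so restrict these paths by profile or network where the API description should not be public.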