Ant patterns configuration

Question

I have this Spring configuration and OAuth2:

public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "resource-server-rest-api";
    private static final String SECURED_READ_SCOPE = "#oauth2.hasScope('read')";
    private static final String SECURED_WRITE_SCOPE = "#oauth2.hasScope('write')";
    private static final String SECURED_PATTERN = "/api/**";
    private static final String PUBLIC_PATTERN = "/api/*/public/**";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                .and()
                    .anonymous()
                .and()
                    .requestMatchers()
                        .antMatchers(SECURED_PATTERN)
                .and().authorizeRequests()
                        .antMatchers(PUBLIC_PATTERN).permitAll()
                        .antMatchers(HttpMethod.POST, SECURED_PATTERN).access(SECURED_WRITE_SCOPE)
                .anyRequest().access(SECURED_READ_SCOPE);
    }
}

Now I want to add Swagger to my project. I configured a SwaggerController:

@Controller //note - this is a spring-boot controller, not @RestController
public class SwaggerController {

    public static final String SWAGGER_URL = "/api/v1/public/swagger/docs";
    public static final String SWAGGER_HTML = "/swagger-ui.html";

    @RequestMapping(SWAGGER_URL)
    public String home() {
        return "redirect:" + SWAGGER_HTML;
    }
}

The problem is that I cannot make the "/swagger-ui.html" path not to trigger the Spring Login. I tried this (note that I added antMatchers for the Swagger html):

@Override
    public void configure(HttpSecurity http) throws Exception {
        http
                ...
                .and().authorizeRequests()
                        .antMatchers(PUBLIC_PATTERN).permitAll()
                        .antMatchers("/swagger-ui.htm").permitAll()// No authentication

... }

But it did not work. How do I need to configure the HttpSecurity?

Answer 1

So the swagger home page should redirect to /swagger-ui.html ?

If yes, you have a typo when configuring HttpSecurity , which you only type htm only. So change to :

 .antMatchers("/swagger-ui.html").permitAll()

On the other hand , if the swagger home page is /swagger-ui.htm . Then you change the SWAGGER_HTML in your controller to :

 public static final String SWAGGER_HTML = "/swagger-ui.htm";

Answer 2

Add this override:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers(SWAGGER_URL)
            .antMatchers(SWAGGER_HTML);
}