docs(security): allow /v3/api-docs(.yaml) & Swagger UI when Spring Security is enabled (management port) #3150
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Hi! The external Jenkins failed before the build started. Log shows: git@github.com: Permission denied (publickey). It looks like Jenkins can’t clone the repo over SSH with the configured key. This is a docs-only PR (Fixes #3149). Could a maintainer please update Jenkins credentials (or switch the job to HTTPS) and re-run the job, or merge without CI? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds a short note and minimal
SecurityFilterChainexample showing how to permit the OpenAPI and Swagger UI endpoints on the application port when Spring Security is enabled and Actuator runs on a separate management port.Endpoints permitted:
/v3/api-docs/**,/v3/api-docs.yaml,/swagger-ui/**,/swagger-ui.html.Actuator security remains on the management port; this snippet applies only to the application port.
Why
With Spring Boot 3, OpenAPI endpoints and Swagger UI are served on the application port while Actuator runs on the management port. New users frequently see 404/401 for the docs when Spring Security is enabled unless these paths are explicitly permitted. This note removes that ambiguity.
What changed
SecurityFilterChainsnippet that permits:/v3/api-docs/**(JSON endpoints)/v3/api-docs.yaml(YAML root)/swagger-ui/**/swagger-ui.htmlScope
Docs-only; no code changes. Backwards compatible.
Related
Fixes #3149