Swagger OpenAPI UI sending 403 response status for POST, PUT and DELETE Requests

Issue: GET requests from the Swagger UI (OpenAPI) are working, whereas other method types give a 403 error.

Dependency :

<dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-ui</artifactId>
        <version>1.6.6</version>
</dependency>

Swagger Configuration :

@Configuration
@OpenAPIDefinition(servers = {
        @Server(url = "https://hostname")
})
@SecurityScheme(name = auth, type = SecuritySchemeType.HTTP, bearerFormat = "JWT", scheme = "bearer")
public class SwaggerConfig {
}

Security Configuration :

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }
}

We have also tried ignoring these paths: /swagger-resources/**, /webjars/** in WebSecurity; it's still not working.

Post Request Error message 403

Original Edit: On some further research, found that it may be because of the nginx proxy. Everything is working fine on my local but not working on other environments that are hosted behind the nginx proxy.



Solution 1:[1]

This is my solution described in the comments. I also have a configuration for @Order(1) that is for the rest of my application.

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String[] WHITELIST = {
            "/v2/api-docs",
            "/v3/api-docs",
            "/**/v3/api-docs",
            "/swagger-resources",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "**/swagger-ui.html",
            "/**/swagger-ui.html**",
            "/swagger-ui.html**",
            "/webjars/**"
    };

    @Configuration
    @Order(2)
    public static class SwaggerSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers(WHITELIST).permitAll();
            http.csrf().disable();
        }
    }
}
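
A scoped variant of the Swagger filter chain above, added here as an example and not part of the original answer: a chain declared without requestMatchers() applies its settings, including csrf().disable(), to every request that reaches it, so this version restricts the chain to the documentation paths. The class name SwaggerDocsSecurityConfig and the constant SWAGGER_PATHS are hypothetical; the paths are the ones quoted in the question and answer.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (hypothetical class name), written in the Spring Security 5.x
// WebSecurityConfigurerAdapter style used on this page.
@Configuration
@Order(2)
public class SwaggerDocsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Documentation paths taken from the question and the answer.
    private static final String[] SWAGGER_PATHS = {
            "/v3/api-docs/**",
            "/swagger-ui/**",
            "/swagger-ui.html",
            "/webjars/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Limit this filter chain to the documentation paths. Requests
            // to any other path are handled by a different chain, so the
            // settings below never reach the application's own endpoints.
            .requestMatchers().antMatchers(SWAGGER_PATHS).and()
            // Everything this chain sees is documentation, so allow it all.
            .authorizeRequests().anyRequest().permitAll().and()
            // Only the paths matched above run without CSRF checks.
            .csrf().disable();
    }
}
```

The first chain whose matcher accepts a request handles it, so this chain needs a lower @Order value than any chain that matches all requests.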

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dimitris