Spring Boot Security - How to disable security for Swagger UI


April 2019




I have an application with only REST endpoints. I have enabled oauth2 token security via:

public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter { 

    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

                .scopes("xxx", "xxx")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("xxx", "xxx");


Now if I try to access any of my endpoints I get 401 Unauthorized, and I first have to get the access_token via the /oauth/token?grant_type=client_credentials or /oauth/token?grant_type=password calls. The REST endpoints work as expected if I add the proper Authorization header with the token returned in previous call.

However, I am unable to access the swagger-ui page. I have enabled swagger via:

public class SwaggerConfig {
    public Docket productApi() {
        return new Docket(DocumentationType.SWAGGER_2)

If I go to localhost:8080/swagger-ui.html I get:

        Full authentication is required to access this resource

So I added the following to be able to access Swagger:

public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    public void configure(WebSecurity web) throws Exception {

    public void configure(HttpSecurity http) throws Exception {


And in @EnableWebMvc class I added:

public void addResourceHandlers(ResourceHandlerRegistry registry) {




Now I can access the Swagger UI page, but my security for the REST endpoints is messed up. By that I mean, the client_credentials endpoints no longer require a token, and the password endpoints give a 403 Forbidden no matter what I do.

I think my approach is wrong but I don't know what. Basically I want:

  • Oauth token security on all my REST endpoints (beginning with /api/* for example)
  • Swagger UI page should be accessible
  • The endpoints on the swagger page should have a way to specify the access_token

How do I achieve this?

1 answer


This is how I fixed it. I removed the class that extends WebSecurityConfigurerAdapter (see above) and replaced it with this:

public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    public void configure(HttpSecurity http) throws Exception {




To enable token authentication on the swagger page I followed this tutorial: http://www.baeldung.com/swagger-2-documentation-for-spring-rest-api
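
One way to meet the three goals listed in the question, as an added example that is not the answer's own code (its method body is not shown on this page): a resource-server configuration that leaves only the Swagger UI assets open and keeps every other path behind the token check. The Swagger paths are assumed Springfox 2.x defaults, and `/api/**` is the prefix the question gives as an example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example. Assumes spring-security-oauth2 (the library behind
// ResourceServerConfigurerAdapter) and Springfox 2.x on the classpath.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: Springfox 2.x default locations for the UI page,
    // its static assets, and the generated API description.
    private static final String[] SWAGGER_PATHS = {
        "/swagger-ui.html",
        "/webjars/**",
        "/swagger-resources/**",
        "/v2/api-docs"
    };

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Only the documentation assets are reachable without a token.
            .antMatchers(SWAGGER_PATHS).permitAll()
            // The REST endpoints require a valid bearer token.
            .antMatchers("/api/**").authenticated()
            // Everything else also requires a token, so a path added later
            // is never left public by omission.
            .anyRequest().authenticated();
    }
}
```

`/v2/api-docs` describes every endpoint, so leaving it open publishes the API surface to anyone who can reach the host; restrict these paths by profile or network where that matters.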