[
https://issues.apache.org/jira/browse/ATLAS-5309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085230#comment-18085230
]
Ramachandran Krishnan commented on ATLAS-5309:
----------------------------------------------
!image-2026-06-01-19-05-58-026.png!
> Allow unauthenticated access to Swagger apidocs static assets
> -------------------------------------------------------------
>
> Key: ATLAS-5309
> URL: https://issues.apache.org/jira/browse/ATLAS-5309
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Reporter: Ramachandran Krishnan
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: image-2026-06-01-19-05-58-026.png
>
>
> When authentication is enabled, {{/apidocs/index.html}} loads but
> {{openapi.json}} is blocked by Spring Security. Swagger UI then falls back to
> {{swagger.json}}, which Enunciate does not generate (OpenAPI 3 only),
> producing a broken UI.
> Exempt {{/apidocs/**}} from Spring Security (same pattern as static assets
> and admin status endpoints). Harden Swagger UI JS to skip CSRF setup when no
> session is available.
> API execution via Try it out still requires authentication.
>
> This change aligns Atlas with Ranger Admin, which already exempts
> {{/apidocs/*}} from Spring Security.
> Changes:
> # {{webapp/.../AtlasSecurityConfig.java}} — add {{/apidocs/**}} to
> {{web.ignoring()}} so static Swagger UI assets and {{openapi.json}} are
> served without auth.
> # {{webapp/src/main/resources/spring-security.xml}} — add {{<security:http
> pattern="/apidocs/**" security="none" />}} for parity with legacy XML
> (reference only; Java config is authoritative).
> # {{build-tools/src/main/resources/ui-dist/index.js}} — if
> {{/api/atlas/admin/session}} fails (anonymous user), skip CSRF setup instead
> of throwing when {{response}} is undefined.