Ramachandran Krishnan created ATLAS-5309:
--------------------------------------------
Summary: Allow unauthenticated access to Swagger apidocs static
assets
Key: ATLAS-5309
URL: https://issues.apache.org/jira/browse/ATLAS-5309
Project: Atlas
Issue Type: Task
Components: atlas-core
Reporter: Ramachandran Krishnan
Fix For: 3.0.0
Attachments: image-2026-06-01-19-05-58-026.png

When authentication is enabled, {{/apidocs/index.html}} loads but
{{openapi.json}} is blocked by Spring Security. Swagger UI then falls back to
{{swagger.json}}, which Enunciate does not generate (OpenAPI 3 only),
producing a broken UI.

Exempt {{/apidocs/**}} from Spring Security (same pattern as static assets and
admin status endpoints). Harden Swagger UI JS to skip CSRF setup when no
session is available.

API execution via Try it out still requires authentication.

This change aligns Atlas with Ranger Admin, which already exempts
{{/apidocs/*}} from Spring Security.

Changes:
# {{webapp/.../AtlasSecurityConfig.java}} — add {{/apidocs/**}} to
{{web.ignoring()}} so static Swagger UI assets and {{openapi.json}} are served
without auth.
# {{webapp/src/main/resources/spring-security.xml}} — add {{<security:http
pattern="/apidocs/**" security="none" />}} for parity with legacy XML
(reference only; Java config is authoritative).
# {{build-tools/src/main/resources/ui-dist/index.js}} — if
{{/api/atlas/admin/session}} fails (anonymous user), skip CSRF setup instead of
throwing when {{response}} is undefined.
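
The guard described in the third change, sketched as an added example that is not Atlas's own {{index.js}}: the session lookup resolves to "no CSRF settings" instead of throwing, and the Swagger UI {{requestInterceptor}} attaches a token only when one was obtained. The function names and the {{csrfHeader}} / {{csrfToken}} response fields are assumptions; only the {{/api/atlas/admin/session}} path comes from the ticket.

```javascript
// Added example. Field names in the session body are assumed, not Atlas's schema.
const SESSION_URL = "/api/atlas/admin/session"; // path named in the ticket

// Pure step: map the outcome of the session call to CSRF settings, or null.
// `response` may be undefined (request failed) or non-OK (anonymous user).
function csrfFromSession(response, body) {
  if (!response || !response.ok) return null;
  if (!body || typeof body !== "object") return null;
  const header = body.csrfHeader; // assumed field name
  const token = body.csrfToken;   // assumed field name
  if (typeof header !== "string" || header === "") return null;
  if (typeof token !== "string" || token === "") return null;
  return { header, token };
}

// Async wrapper: never rejects, so the docs page still renders without a session.
async function loadCsrf(fetchImpl) {
  try {
    const doFetch = fetchImpl || fetch;
    const response = await doFetch(SESSION_URL, { credentials: "same-origin" });
    const body = response.ok ? await response.json() : undefined;
    return csrfFromSession(response, body);
  } catch (_err) {
    return null; // network error or unparsable body: treat as anonymous
  }
}

// Swagger UI requestInterceptor: add the CSRF header only when a token exists.
// Anonymous "Try it out" calls go out unchanged and are rejected by the server.
function makeRequestInterceptor(csrf) {
  return function (request) {
    if (csrf) {
      request.headers = { ...(request.headers || {}), [csrf.header]: csrf.token };
    }
    return request;
  };
}
```

In the page's setup code this would be wired as {{loadCsrf().then(csrf => SwaggerUIBundle({ ..., requestInterceptor: makeRequestInterceptor(csrf) }))}}.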