[
https://issues.apache.org/jira/browse/ATLAS-5309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18089376#comment-18089376
]
ASF subversion and git services commented on ATLAS-5309:
--------------------------------------------------------
Commit 0a7fc7d533409a8db199e049c7f148f6bee5f9e7 in atlas's branch
refs/heads/master from pareshd
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=0a7fc7d53 ]
ATLAS-5309 : Allow unauthenticated access to Swagger apidocs static assets
(#673)
Changes:
Added /apidocs/** to security exclusions in AtlasSecurityConfig.java
and spring-security.xml to allow anonymous access to Swagger UI assets and
OpenAPI documentation.
Updated index.js to handle anonymous users and prevent CSRF-related
JavaScript errors when no session is available.
Testing
Verified Swagger UI and openapi.json are accessible without
authentication.
Confirmed Swagger UI loads successfully for anonymous users.
Co-authored-by: Paresh Devalia <[email protected]>
> Allow unauthenticated access to Swagger apidocs static assets
> -------------------------------------------------------------
>
> Key: ATLAS-5309
> URL: https://issues.apache.org/jira/browse/ATLAS-5309
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Reporter: Ramachandran Krishnan
> Assignee: Paresh Devalia
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: image-2026-06-01-19-05-58-026.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When authentication is enabled, {{/apidocs/index.html}} loads but
> {{openapi.json}} is blocked by Spring Security. Swagger UI then falls back to
> {{swagger.json}}, which Enunciate does not generate (OpenAPI 3 only),
> producing a broken UI.
> Exempt {{/apidocs/**}} from Spring Security (same pattern as static assets
> and admin status endpoints). Harden Swagger UI JS to skip CSRF setup when no
> session is available.
> API execution via Try it out still requires authentication.
>
> This change aligns Atlas with Ranger Admin, which already exempts
> {{/apidocs/*}} from Spring Security.
> Changes:
> # {{webapp/.../AtlasSecurityConfig.java}} — add {{/apidocs/**}} to
> {{web.ignoring()}} so static Swagger UI assets and {{openapi.json}} are
> served without auth.
> # {{webapp/src/main/resources/spring-security.xml}} — add {{<security:http
> pattern="/apidocs/**" security="none" />}} for parity with legacy XML
> (reference only; Java config is authoritative).
> # {{build-tools/src/main/resources/ui-dist/index.js}} — if
> {{/api/atlas/admin/session}} fails (anonymous user), skip CSRF setup instead
> of throwing when {{response}} is undefined.
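The index.js hardening described in the ticket, written out as an added example that is not Atlas's own index.js and not the committed patch. It assumes, as a constructed shape, that a successful GET of /api/atlas/admin/session yields a response object with `status` and a JSON `body` carrying the CSRF header name and token under the hypothetical keys `csrfHeaderName` and `csrfToken`; a failed request reaches the handler as `undefined`. The point to check is that an anonymous user (undefined or non-200 response) gets a pass-through request interceptor instead of a thrown error, while an authenticated user's "Try it out" calls still carry the CSRF header on state-changing methods only.

```javascript
// Added example, not code from the Atlas repository.
// Models the "skip CSRF setup when no session is available" behaviour.

// Normalise the session probe result. An undefined response (request failed,
// anonymous user) or a non-200 status yields null instead of throwing, which is
// the failure mode the ticket describes.
function sessionFromResponse(res) {
  if (!res || res.status !== 200 || !res.body) {
    return null;
  }
  return res.body;
}

// Build a Swagger UI requestInterceptor. Anonymous users get a pass-through;
// authenticated users get the CSRF header attached to non-safe methods. Safe
// methods (GET/HEAD/OPTIONS) are left alone so the token is not sprayed onto
// every request.
function csrfInterceptor(session) {
  // Keys below are assumptions about the session payload, not Atlas's schema.
  if (!session || !session.csrfHeaderName || !session.csrfToken) {
    return (req) => req;
  }
  const headerName = session.csrfHeaderName;
  const token = session.csrfToken;
  const safeMethods = ['GET', 'HEAD', 'OPTIONS'];
  return (req) => {
    const method = (req.method || 'GET').toUpperCase();
    if (!safeMethods.includes(method)) {
      req.headers = Object.assign({}, req.headers, { [headerName]: token });
    }
    return req;
  };
}

// What index.js would hand to SwaggerUIBundle: whether the viewer is anonymous
// (docs still load, Try it out will get a 401 from the API) and the interceptor.
function swaggerConfigFor(sessionResponse) {
  const session = sessionFromResponse(sessionResponse);
  return {
    anonymous: session === null,
    requestInterceptor: csrfInterceptor(session),
  };
}

// Constructed sample responses for offline use.
const LOGGED_IN_RESPONSE = {
  status: 200,
  body: { userName: 'admin', csrfHeaderName: 'X-XSRF-HEADER', csrfToken: 'abc123' },
};
const UNAUTHORIZED_RESPONSE = { status: 401, body: null };
// A failed fetch reaches the old handler as `undefined` and used to throw.
const FAILED_RESPONSE = undefined;

// Exercise all three cases and return the outcomes for inspection.
function demo() {
  return [LOGGED_IN_RESPONSE, UNAUTHORIZED_RESPONSE, FAILED_RESPONSE].map((res) => {
    const cfg = swaggerConfigFor(res);
    const post = cfg.requestInterceptor({ method: 'POST', url: '/api/atlas/v2/types', headers: {} });
    return { anonymous: cfg.anonymous, csrfHeaderSent: 'X-XSRF-HEADER' in post.headers };
  });
}
```

Design note: the interceptor is built once from the probe result, so a page load that hits a 401 on the session endpoint never touches `response.body` and cannot throw; the decision about who may actually execute a request stays with the server, which is consistent with the ticket's statement that "Try it out" still requires authentication.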
--
This message was sent by Atlassian Jira
(v8.20.10#820010)