Spring Boot API documentation UI shows forbidden access error (403) - white label page appears

Hi everyone! I’m having trouble setting up API documentation in my Spring Boot application. Every time I try to access the documentation UI at http://localhost:8080/swagger-ui.html, I get a 403 forbidden error with a white label page.

Here are my Maven dependencies:

<dependency>
    <groupId>io.springfox</groupId>
    <artifactId>springfox-swagger-ui</artifactId>
    <version>2.9.2</version>
</dependency>
<dependency>
    <groupId>io.springfox</groupId>
    <artifactId>springfox-swagger2</artifactId>
    <version>2.9.2</version>
</dependency>

My documentation configuration class:

public class ApiDocConfig {

    private static final String API_VERSION = "1.0";
    private static final String LICENSE_INFO = "MIT License";
    private static final String apiTitle = "BookStore REST API";
    private static final String apiDescription = "RESTful services for BookStore application";

    private ApiInfo buildApiInfo() {
        return new ApiInfoBuilder()
                .title(apiTitle)
                .description(apiDescription)
                .license(LICENSE_INFO)
                .version(API_VERSION)
                .build();
    }

    @Bean
    public Docket createRestApi() {
        return new Docket(DocumentationType.SWAGGER_2)
                .apiInfo(buildApiInfo())
                .pathMapping("/")
                .select()
                .paths(PathSelectors.regex("/v1.*"))
                .build();
    }
}

And my security configuration:

private static final String[] PUBLIC_URLS = {
        "/v2/api-docs",
        "/swagger-resources",
        "/swagger-resources/**",
        "/configuration/ui",
        "/configuration/security",
        "/swagger-ui.html",
        "/webjars/**"
};

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.cors().and().csrf().disable().authorizeRequests()
            .antMatchers(HttpMethod.POST, AppConstants.REGISTER_URL).permitAll()
            .antMatchers(AppConstants.BOOKS_PUBLIC, String.valueOf(PUBLIC_URLS)).permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilter(new TokenAuthFilter(authenticationManager()))
            .addFilter(new TokenValidationFilter(authenticationManager()))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

I’ve tried different approaches but I’m still getting the same white label error. Any ideas what might be wrong?

you’re mixing up the antMatchers syntax. that String.valueOf(PUBLIC_URLS) is wrong - just use .antMatchers(PUBLIC_URLS).permitAll() without any wrapper. also make sure you added @Configuration @EnableSwagger2 to your ApiDocConfig class, otherwise spring won’t pick it up.

Your problem is String.valueOf(PUBLIC_URLS) - this converts your array into one big string instead of handling each URL pattern separately. Spring Security can’t recognize the swagger endpoints this way. Just use .antMatchers(PUBLIC_URLS).permitAll() directly and drop the String.valueOf wrapper. Also, your ApiDocConfig class needs @Configuration and @EnableSwagger2 annotations. Without them, Spring won’t register your swagger config at all, which explains the 403 errors.

I encountered the same issue previously, and it can indeed be confusing. The problem lies in how you’re handling the PUBLIC_URLS. Instead of using String.valueOf(PUBLIC_URLS), which amalgamates your array into a single string, you should separate each URL pattern. Modify your security configuration to use .antMatchers(AppConstants.BOOKS_PUBLIC).permitAll().antMatchers(PUBLIC_URLS).permitAll(). Furthermore, ensure that your ApiDocConfig class includes both @Configuration and @EnableSwagger2 annotations, as these are critical for properly registering your Docket bean.
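
Added example, not part of the thread or any poster's code: a small check of which request paths each `permitAll()` pattern list would cover, using Spring's `AntPathMatcher` as an approximation of the Ant-style matching behind `antMatchers`. It needs spring-core on the classpath; the value of `BOOKS_PUBLIC` and the request paths are assumptions, since the thread does not show them.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

public class PermitAllPatternCheck {

    // Copied from the question's security configuration.
    static final String[] PUBLIC_URLS = {
        "/v2/api-docs", "/swagger-resources", "/swagger-resources/**",
        "/configuration/ui", "/configuration/security",
        "/swagger-ui.html", "/webjars/**"
    };

    // Assumption: the real AppConstants.BOOKS_PUBLIC value is not shown in the thread.
    static final String BOOKS_PUBLIC = "/v1/books/public/**";

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // True if any permitAll() pattern matches the request path.
    static boolean permitted(List<String> patterns, String path) {
        return patterns.stream().anyMatch(p -> MATCHER.match(p, path));
    }

    public static void main(String[] args) {
        // As posted: String.valueOf(String[]) binds to String.valueOf(Object), so the
        // second pattern is the array's identity string "[Ljava.lang.String;@<hash>".
        List<String> asPosted = Arrays.asList(BOOKS_PUBLIC, String.valueOf(PUBLIC_URLS));

        // As the answers suggest: every entry of PUBLIC_URLS is its own pattern.
        List<String> corrected = new ArrayList<>(Arrays.asList(PUBLIC_URLS));
        corrected.add(BOOKS_PUBLIC);

        // Constructed request paths; the last one must stay behind authentication.
        String[] paths = {
            "/swagger-ui.html", "/v2/api-docs", "/webjars/example/app.js", "/v1/orders"
        };

        System.out.println("patterns as posted: " + asPosted);
        for (String path : paths) {
            System.out.printf("%-26s posted=%-5b corrected=%b%n",
                    path, permitted(asPosted, path), permitted(corrected, path));
        }
    }
}
```

The `/v1/orders` row is the one to watch after changing the list: an allowlist fix should open only the documentation paths and leave everything else to `anyRequest().authenticated()`.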