From abd18f569252a42a652fa31e6153c33907ce5ec1 Mon Sep 17 00:00:00 2001
From: Mykhailo Svishchov
Date: Thu, 5 Mar 2026 14:50:04 +0200
Subject: [PATCH] swagger fixes
---
 .../honey/honey/config/AdminSecurityConfig.java | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
index 9f3fe7e..42beccd 100644
--- a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
+++ b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
@@ -12,14 +12,13 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -54,19 +53,17 @@ public class AdminSecurityConfig {
 return new ProviderManager(adminAuthenticationProvider());
 }
- /** Permit Swagger UI and OpenAPI docs without authentication (public API documentation). */
+ /**
+ * Ignore Swagger/OpenAPI paths so they bypass Spring Security entirely (no 401).
+ * Using WebSecurityCustomizer is more reliable than a separate SecurityFilterChain on some environments (e.g. Railway).
+ */
 @Bean
- @Order(1)
- public SecurityFilterChain swaggerSecurityFilterChain(HttpSecurity http) throws Exception {
- RequestMatcher swaggerMatcher = new OrRequestMatcher(
+ public WebSecurityCustomizer webSecurityCustomizer() {
+ return web -> web.ignoring().requestMatchers(
 new AntPathRequestMatcher("/swagger-ui/**"),
 new AntPathRequestMatcher("/v3/api-docs"),
 new AntPathRequestMatcher("/v3/api-docs/**")
 );
- http
- .securityMatcher(swaggerMatcher)
- .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
- return http.build();
 }
 @Bean
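Review bot: `web.ignoring()` in the new `webSecurityCustomizer()` takes `/swagger-ui/**`, `/v3/api-docs` and `/v3/api-docs/**` out of the Spring Security filter chain altogether, so those responses lose more than the 401: the default security headers (X-Frame-Options, X-Content-Type-Options, cache control) and any filter registered on the chain no longer apply to them. Spring Security's own guidance prefers `permitAll` for this case, for example `.requestMatchers("/swagger-ui/**", "/v3/api-docs", "/v3/api-docs/**").permitAll()` inside the admin chain's `authorizeHttpRequests`; that chain is outside this hunk, so this assumes its matcher covers these paths. The Javadoc's "more reliable on some environments" suggests the 401 from the removed `@Order(1)` chain was not traced to a cause; a chain-ordering clash or a proxy path prefix is a plausible candidate and worth confirming before keeping a full bypass. Because this class configures admin security, the Javadoc should also state whether unauthenticated API docs are intended in production or only under a dev profile.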