SpringBoot Bug: Security Authentication configuration for Swagger URLs

I have an issue configuring no authentication for URLs used for Swagger UI in my web application when migrating from spring boot 2.7.8 to 3.0.2 (any 3.0.x) Request to the URLs are still rejected with status code 403 access denied.

I reproduced the issue in this project: https://github.com/Simulant87/springboot-swager-authentication-issue

The main branch is based on spring boot 3.0.2 and I configured no authentication required for "swagger-ui/index.html" which is not working https://github.com/Simulant87/springboot-swager-authentication-issue/blob/main/src/main/kotlin/com/example/config/SecurityConfigurer.kt. Compared to the configured endpoints "actuator/health" which is working as expected.

As I said I am migrating my project from spring boot 2.7.8. The configuration based on that version is working and available on this branch https://github.com/Simulant87/springboot-swager-authentication-issue/tree/working-authentication-springboot-2.7.8

Comment From: wilkinsona

The version of Spring Doc that you are using is not compatible with Spring Boot 3.0. As a result, the page at http://localhost:8080/swagger-ui/index.html does not exist. This results in the request being forwarded to Spring Boot's error page at /error. This page is secured so you get a 403 response. You can see this by enabling debug-level logging for org.springframework.security

To fix the problem switch to org.springdoc:springdoc-openapi-starter-webmvc-ui:2.0.2.