From ecc887033deca12aca0d59d4620e8bdd9f4c6ec7 Mon Sep 17 00:00:00 2001
From: Paresh Devalia
Date: Tue, 16 Jun 2026 13:20:05 +0530
Subject: [PATCH] ATLAS-5309 : Allow unauthenticated access to Swagger apidocs static assets Changes :- Added /apidocs/** to security exclusions in AtlasSecurityConfig.java and spring-security.xml to allow anonymous access to Swagger UI assets and OpenAPI documentation. Updated index.js to handle anonymous users and prevent CSRF-related JavaScript errors when no session is available. Testing Verified Swagger UI and openapi.json are accessible without authentication. Confirmed Swagger UI loads successfully for anonymous users.
---
 build-tools/src/main/resources/ui-dist/index.js | 5 +++++
 .../org/apache/atlas/web/security/AtlasSecurityConfig.java | 3 ++-
 webapp/src/main/resources/spring-security.xml | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/build-tools/src/main/resources/ui-dist/index.js b/build-tools/src/main/resources/ui-dist/index.js
index 1644eabc48a..0bf59b62198 100644
--- a/build-tools/src/main/resources/ui-dist/index.js
+++ b/build-tools/src/main/resources/ui-dist/index.js
@@ -128,6 +128,11 @@
 };
 function fetchCsrfHeader() {
 var response = getSessionDetails();
+
+ if (!response) {
+ return;
+ }
+
 if (!csrfEnabled && response['atlas.rest-csrf.enabled']) {
 var str = "" + response['atlas.rest-csrf.enabled'];
 csrfEnabled = (str.toLowerCase() == 'true');
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
index 532f3319caf..4ab0accaa98 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
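Review bot: The new `if (!response) { return; }` guard in fetchCsrfHeader() (ui-dist/index.js) treats every falsy result from getSessionDetails() as "anonymous visitor" and exits silently, so a failed session lookup for a signed-in user is indistinguishable from no session at all. In both cases csrfEnabled keeps its previous value and, as far as this hunk shows, no CSRF header gets configured. Later state-changing requests from the page would then presumably be rejected by the server with no hint in the UI about why. I would document the intent and leave a trace, e.g. `// No session details (anonymous user): skip CSRF header setup; the server still enforces CSRF` followed by `console.warn('Session details unavailable; CSRF header not configured');`. The function body continues past the end of the hunk.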
@@ -190,7 +190,8 @@ public void configure(WebSecurity web) { "/libs/**", "/n/libs/**", "/js/**", "/n/js/**", "/ieerror.html", "/migration-status.html", - "/api/atlas/admin/status")); + "/api/atlas/admin/status", + "/apidocs/**")); if (!keycloakEnabled) { matchers.add("/login.jsp"); diff --git a/webapp/src/main/resources/spring-security.xml b/webapp/src/main/resources/spring-security.xml index ea41d46ab72..3d2d55bec43 100644 --- a/webapp/src/main/resources/spring-security.xml +++ b/webapp/src/main/resources/spring-security.xml @@ -28,6 +28,7 @@ +
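Review bot: The added `"/apidocs/**"` entry in AtlasSecurityConfig.configure(WebSecurity) is a wildcard, so anything ever served under /apidocs/ becomes reachable without authentication, including the OpenAPI document that describes the whole REST surface, not only the static Swagger UI assets named in the commit title. If this matcher list is passed to `web.ignoring()` (the call sits outside the hunk), those requests presumably also skip the rest of the Spring Security filter chain, including any security response headers it writes. Please record the constraint next to the entry, e.g. `// /apidocs/** is unauthenticated: only static Swagger UI files and openapi.json may live under this path`. Consider a deployment switch so operators can keep the API description behind login. Per the commit description the same exclusion is added in spring-security.xml, whose hunk content is not visible here, so the two must stay in sync.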