Swagger UI stopped working since 2.8.x

[GMishx]

Describe the bug

I am using org.springdoc:springdoc-openapi-starter-webmvc-ui and org.springdoc:springdoc-openapi-starter-common in the project sw360 to document the REST API with OpenAPI docs. I added the webmvc-ui as documented to get the Swagger UI working.

It was working fine until we upgraded to v2.8.4 and ever since the swagger UI stopped working.

However, even with old version and new version, I can keep getting the OpenAPI doc via /v3/api-docs endpoint without any issue.

The response for /swagger-ui/index.html always return multipart/byterange with 206 status:

$ curl -Lvv 'http://localhost:8080/resource/swagger-ui/index.html'
* processing: http://localhost:8080/resource/swagger-ui/index.html
*   Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET /resource/swagger-ui/index.html HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 206 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Last-Modified: Sun, 10 Nov 2024 06:01:00 GMT
< Accept-Ranges: bytes
< Content-Type: multipart/byteranges; boundary=otXfFPKpub_fUDgFquX0duZhDxUX0u4dEoyNU3
< Transfer-Encoding: chunked
< Date: Fri, 24 Jan 2025 14:58:54 GMT
< 

* Connection #0 to host localhost left intact
--otXfFPKpub_fUDgFquX0duZhDxUX0u4dEoyNU3--

Upon further debugging, I noticed inside org.springframework.web.seervlet.resource.ResourceHttpRequestHandler.handleRequest(), the response still gets the correct HTML resource from org.springframework:spring-webmvc but there is now a header called Range which causes the handleRequest() to return the multipart/byteranges.

I added a filter to check if my request contains swagger-ui then override the getHeader() and return null if header name is Range and everything starts working normal.

I need some help from the community to understand what went wrong as there is no other configuration or filter changes done in between the version upgrades. I want to get rid of this filter and have a simple solution.

To Reproduce
Steps to reproduce the behavior:

• What version of spring-boot you are using?: 3.3.3
• What modules and versions of springdoc-openapi are you using? springdoc-openapi-starter-common and springdoc-openapi-starter-webmvc-ui version 2.8.5
• What is the actual and the expected result using OpenAPI Description (yml or json)? any

Additional context
application.yml for the resource server:

server:
  port: 8091
  servlet:
    context-path: /resource/api

management:
  endpoints:
    web:
      base-path: /
      exposure:
        include: health,info
      path-mapping:
        health: /api/health
        info: /api/info
  endpoint:
    health:
      show-details: always
      enabled: true
    info:
      enabled: true
  security:
    enabled: true
  health:
    ping:
      enabled: true

spring:
  application:
    name: resource
  servlet:
    multipart:
      max-file-size: 500MB
      max-request-size: 600MB
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8080/authorization/oauth2/jwks
          jwk-set-uri: http://localhost:8080/authorization/oauth2/jwks

springdoc:
  api-docs:
    enabled: true
    path: /v3/api-docs
    security:
      oauth2:
        enabled: true
    version: openapi_3_0
  swagger-ui:
    enabled: true
    path: /swagger-ui.html
    security:
      oauth2:
        enabled: true
  default-consumes-media-type: application/json
  default-produces-media-type: application/hal+json
  paths-to-exclude: /api/**
  show-actuator: true
  show-oauth2-endpoints: true

The resource server class:

@SpringBootApplication
@Import({Sw360CORSFilter.class, Sw360XssFilter.class})
public class Sw360ResourceServer extends SpringBootServletInitializer {
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder
            .sources(Sw360ResourceServer.class)
            .properties(PropertyUtils.createDefaultProperties(APPLICATION_ID));
    }

    public static void main(String[] args) {
        new SpringApplicationBuilder(Sw360ResourceServer.class)
            .properties(PropertyUtils.createDefaultProperties(APPLICATION_ID))
            .build()
            .run(args);
    }
}

[GMishx]

Upon further investigation I found the issue with another filter designed for XSS filtering causing the headers to be manipulated.

Both the changes were merged at the same time causing me to assume issue with springdoc. Sorry for the noise!