Spring Security form login only offers application/json req body type #1931

Closed
adrianbob opened this issue Nov 6, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@adrianbob

Describe the bug
I'm using Spring Security's default form login to secure a REST Controller endpoint. And the login endpoint is exposed in swagger-ui. Still, the problem is that the only available request body type is application/json. This sends the credentials as json in the request body, resulting in null username/password in UsernamePasswordAuthenticationFilter. So form login does not work.

I can't find a way to configure the request body type to application/x-www-form-urlencoded, so that form login works.

To Reproduce
I'm using SpringBoot 2.7.5 and Spring Security 5.7.4. Other project dependencies:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-ui</artifactId>
        <version>1.6.12</version>
    </dependency>
    <dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-security</artifactId>
        <version>1.6.12</version>
    </dependency>
</dependencies>

Supplying property: springdoc.show-login-endpoint=true

Spring security simple config:

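import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // CSRF protection is disabled; /foos/** requires an authenticated user,
    // and the default form login and logout endpoints are open to everyone.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers("/foos/**")
                .authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

    // Single in-memory user. The PasswordEncoder bean is not shown in this snippet
    // and is assumed to be defined elsewhere in the application.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth, PasswordEncoder passwordEncoder) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder.encode("password"))
                .roles("USER");
    }
}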

A simple controller:

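import java.util.List;

// Assumed sources of Lists and randomAlphabetic (Guava and Commons Lang 3);
// neither library appears in the dependency list above.
import com.google.common.collect.Lists;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;

// Foo is the application's own model class and is not shown in the issue.
@RestController
@RequestMapping("foos")
public class FooController {

    @GetMapping(value = "/{id}")
    public Foo findById(@PathVariable("id") final Long id) {
        return new Foo(randomAlphabetic(6));
    }

    @GetMapping
    public List<Foo> findAll() {
        return Lists.newArrayList(new Foo(randomAlphabetic(6)));
    }

    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
    public Foo create(@RequestBody final Foo foo) {
        return foo;
    }
}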

Expected behavior
I would have expected that form-login authentication configuration would be detected and the exposed Spring Security's detected login endpoint to be exposed with the option for x-www-form-urlencoded body type to be available.

Screenshots
https://imgur.com/a/STuVkVZ

Additional context
I have created this issue with sample code, as the previous issue was closed without a clear solution to it: #1714

@adrianbob
Author

adrianbob commented Nov 13, 2022

I have also tried adding other properties that I thought might help like:

springdoc.default-consumes-media-type=application/x-www-form-urlencoded
springdoc.consumes-to-match=application/x-www-form-urlencoded
springdoc.default-support-form-data=true

Even so, the login endpoint is the only one listed in the swagger-ui (which is good - since it detects it consuming application/x-www-form-urlencoded media type), and the Rest endpoints which are consuming application/json are filtered out (which is also correct). But still the only available request body type for login is application/json which is wrong. This appears to be a bug.

I have also created this repo with the sample code: https://github.com/adrianbob/springdoc-form-login

@bnasslahsen
Contributor

@adrianbob,

Thanks for the report.
This will be available with the next release.
