The list of endpoints in 'shouldNotFilter' is incomplete and does not perfectly match the configuration in 'SecurityConfig'. For instance, it is missing paths like '/configuration/security', which are required for Swagger UI to function correctly. When a request for such a path is made, 'shouldNotFilter' returns 'false', causing your filter to run. Since the request to a Swagger endpoint does not contain an authentication token, your filter does nothing to the security context. However, the request is then processed by Spring Security's filter chain, which ultimately denies access because it's treated as an unauthenticated request to a protected resource, triggering your 'firebaseAuthenticationEntryPoint'.