I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).
I add this to the application.properties:
security.basic.enable: false
management.security.enabled: false Here is some part of my
But I still have a basic security included : There is a default security password generated at startup and I am still getting HTTP Authentication prompt box.
My pom.xml :
<project xmlns="" xmlns:xsi="" xsi:schemaLocation=" "> <modelVersion>4.0.0</modelVersion> <groupId>fr.test.sample</groupId> <artifactId>navigo</artifactId> <version>1.0.0-SNAPSHOT</version> <!-- Inherit defaults from Spring Boot --> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.3.1.RELEASE</version> </parent> <properties> <java.version>1.7</java.version> <jsoup.version>1.8.3</jsoup.version> <guava.version>18.0</guava.version> <postgresql.version>9.3-1103-jdbc41</postgresql.version> </properties> <!-- Add typical dependencies for a web application --> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-thymeleaf</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-mail</artifactId> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context-support</artifactId> </dependency> <dependency> <groupId>org.apache.velocity</groupId> <artifactId>velocity</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-devtools</artifactId> <optional>true</optional> </dependency> <dependency> <groupId>org.jsoup</groupId> <artifactId>jsoup</artifactId> <version>${jsoup.version}</version> </dependency> <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> <version>${guava.version}</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> </dependency> <dependency> <groupId>org.postgresql</groupId> <artifactId>postgresql</artifactId> </dependency> </dependencies> <!-- Package as an executable jar --> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> <!-- Add Spring repositories --> <!-- (you don't need this if you are using a .RELEASE version) --> <repositories> <repository> <id>spring-snapshots</id> <url> <snapshots> <enabled>true</enabled> </snapshots> </repository> <repository> <id>spring-milestones</id> <url> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>spring-snapshots</id> <url> </pluginRepository> <pluginRepository> <id>spring-milestones</id> <url> </pluginRepository> </pluginRepositories>
</project>The security is configured in WebSecurityConfig.java (I have commented the annotation to disable it) :
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired UserDetailsService userDetailsService; @Autowired UserService userService; @Autowired private DataSource datasource; @Override protected void configure(HttpSecurity http) throws Exception { // http.authorizeRequests().antMatchers("/bus/topologie", "/home") // http.authorizeRequests().anyRequest().authenticated() // .antMatchers("/admin/**").access("hasRole('ADMIN')").and() // .formLogin().failureUrl("/login?error") // .defaultSuccessUrl("/bus/topologie").loginPage("/login") // .permitAll().and().logout() // .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) // .logoutSuccessUrl("/login").permitAll().and().rememberMe() // .rememberMeParameter("remember-me") // .tokenRepository(persistentTokenRepository()) // .tokenValiditySeconds(86400).and().csrf(); } @Bean public PersistentTokenRepository persistentTokenRepository() { JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl(); tokenRepositoryImpl.setDataSource(datasource); return tokenRepositoryImpl; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { PasswordEncoder encoder = new BCryptPasswordEncoder(); auth.userDetailsService(userDetailsService).passwordEncoder(encoder); auth.jdbcAuthentication().dataSource(datasource); if (!userService.userExists("user")) { User userAdmin = new User("user", encoder.encode("password"), true); Set<Authorities> authorities = new HashSet<Authorities>(); authorities.add(new Authorities(userAdmin,"ADMIN")); authorities.add(new Authorities(userAdmin,"CRIP")); authorities.add(new Authorities(userAdmin,"USER")); userAdmin.setAuthorities(authorities); userService.createUser(userAdmin); } }
} 2 14 Answers
Use security.ignored property:
security.ignored=/**security.basic.enable: false will just disable some part of the security auto-configurations but your WebSecurityConfig still will be registered.
There is a default security password generated at startup
Try to Autowired the AuthenticationManagerBuilder:
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... } 5 Try this. Make a new class
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity.authorizeRequests().antMatchers("/").permitAll();
}
}Basically this tells Spring to allow access to every url. @Configuration tells spring it's a configuration class
security.ignored is deprecated since Spring Boot 2.
For me simply extend the Annotation of your Application class did the Trick:
@SpringBootApplication(exclude = SecurityAutoConfiguration.class) 1 I think you must also remove security auto config from your @SpringBootApplication annotated class:
@EnableAutoConfiguration(exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class}) With this solution you can fully enable/disable the security by activating a specific profile by command line. I defined the profile in a file application-nosecurity.yaml
spring: autoconfigure: exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfigurationThen I modified my custom WebSecurityConfigurerAdapter by adding the @Profile("!nosecurity") as follows:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Profile("!nosecurity")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}To fully disable the security it's enough to start the application up by specifying the nosecurity profile, i.e.:
java -jar target/myApp.jar --spring.profiles.active=nosecurity 1 Since security.disable option is banned from usage there is still a way to achieve it from pure config without touching any class flies (for me it creates convenience with environments manipulation and possibility to activate it with ENV variable) if you use Boot
spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration This was the only thing that worked for me, I added the following annotation to my Application class and exclude SecurityAutoConfiguration
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class
}) 1 For me only excluding the following classes worked:
import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class}) { // ...
} You could just comment the maven dependency for a while:
<dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-mongodb</artifactId> </dependency>
<!-- <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>-->
</dependencies>It worked fine for me
Disabling it from
application.propertiesis deprecated for Spring Boot 2.0
just add
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
Use @profile("whatever-name-profile-to-activate-if-needed") on your security configuration class that extends WebSecurityConfigurerAdapter
security.ignored=/**
security.basic.enable: falseNB. I need to debug to know why why exclude auto configuration did not work for me. But the profile is sot so bad as you can still re-activate it via configuration properties if needed
Change WebSecurityConfig.java: comment out everything in the configure method and add
http.authorizeRequests().antMatchers("/**").permitAll();This will allow any request to hit every URL without any authentication.
2Just add the following line to disable spring auto configuration in application.properties file
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
it works on spring 2.0.5 :)
The accepted answer didn't work for me.
If you have a multi configuration, adding the following to your WebSecurityConfig class worked for me (ensure that your Order(1) is lower than all of your other Order annotations in the class):
/* UNCOMMENT TO DISABLE SPRING SECURITY */ /*@Configuration @Order(1) public static class DisableSecurityConfigurationAdapater extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/**").authorizeRequests().anyRequest().permitAll(); } }*/ 2