Spring Boot 2.0.X Disable Security for Certain Profile

Spring Boot 2.0.x disable security for certain profile

You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:

28.1 MVC Security

The default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration. SecurityAutoConfiguration imports SpringBootWebSecurityConfiguration for web security and UserDetailsServiceAutoConfiguration configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of type WebSecurityConfigurerAdapter (doing so does not disable the UserDetailsService configuration or Actuator’s security).

For example:

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
               .antMatchers("/**");
    }
}

To use the configuration only for a profile add @Profile to the class. If you want to enable it by property, add ConditionalOnProperty to the class.

Spring Boot 2.2.4 - disable security

I found a working solution in the spring boot github issues.

Disable security for the entire application:

@SpringBootApplication ( exclude = {SecurityAutoConfiguration.class} )
@Import(MySecurityConfiguration.class)
public class MyApplication{
 }

... and enable via parameter in the security configuration:

@Configuration
@ConditionalOnProperty (  "my.security.enabled" )
@Import ( SecurityAutoConfiguration.class 
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

}

Source: https://github.com/spring-projects/spring-boot/issues/12323#issuecomment-370519882

Spring Boot 2.0 disable default security

According to the new updates in Spring 2.0, if Spring Security is on the classpath, Spring Boot will add @EnableWebSecurity.So adding entries to the application.properties ain't gonna work (i.e it is no longer customizable that way). For more information visit the official website Security changes in Spring Boot 2.0

Albeit not sure about your requirement exactly, I could think of one workaround like the following:-

@Configuration
@EnableWebSecurity
public class SecurityConfiguration  extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception{
        http.authorizeRequests().antMatchers("/").permitAll();
    }
}

Hope this helps.

How to disable security in Spring-Boot 2?

Here is configuration class. here permit for all url:

@Configuration
@ConditionalOnProperty(value = "app.security.basic.enabled", havingValue = "false")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated();
}
}

Spring Boot: Disable security for Spring Boot Unit Test

Using both @SpringBootTest with a random port and @AutoConfiguration might be an issue.
Can you try:

@RunWith(SpringRunner.class)
@WebMvcTest(App.class)
@AutoConfigureMockMvc(secure = false)
public class ExampleTest{}

or

@RunWith(SpringRunner.class)
@SpringBootTest
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class, ManagementSecurityAutoConfiguration.class })
public class ExampleTest{}

You can event add a custom profile(integration_test) and make:

security:
      basic:
        enabled: false

@RunWith(SpringRunner.class)
@SpringBootTest
@ActiveProfiles(value="integration_test")
public class ExampleTest{}

Update: Just found similar answer already in another SO question : Disable security for unit tests with spring boot

How to disable the spring security login page though there is spring security dependency?

I usually add extra configuration, for allow access:

@Configuration
public class SecurityDisableConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.cors().disable()
            .csrf().disable()
            .httpBasic().disable()
            .authorizeRequests().antMatchers("/**").permitAll();
    }
}

disabling spring security in spring boot app

Use security.ignored property:

security.ignored=/**

security.basic.enable: false will just disable some part of the security auto-configurations but your WebSecurityConfig still will be registered.

There is a default security password generated at startup

Try to Autowired the AuthenticationManagerBuilder:

@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }

Related Topics

Java 8: Difference Between Method Reference Bound Receiver and Unbound Receiver

Highlighting Strings in Javafx Textarea

Bytebuffer.Allocate() VS. Bytebuffer.Allocatedirect()

How to Convert Ascii Code (0-255) to Its Corresponding Character

Tomcat Request Timeout

Printing Runtime Exec() Outputstream to Console

What Is the Significance of Load Factor in Hashmap

How to Split String with Some Separator But Without Removing That Separator in Java

How to Extract Cn from X509Certificate in Java

Why Does My Sorting Loop Seem to Append an Element Where It Shouldn'T

Best Way to Encode Text Data for Xml in Java

Migration from Struts 1 to Struts 2

Naming Threads and Thread-Pools of Executorservice

Is Httpsession Thread Safe, Are Set/Get Attribute Thread Safe Operations

Why Are the Rsa-Sha256 Signatures I Generate with Openssl and Java Different

Java 1.6: Creating an Array of List<T>

Why There Is No Concurrenthashset Against Concurrenthashmap

Leiningen - How to Add Dependencies for Local Jars


Leave a reply



Submit