Spring Boot 2.0.x disable security for certain profile
You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:
28.1 MVC Security
The default security configuration is implemented in
SecurityAutoConfiguration
andUserDetailsServiceAutoConfiguration
.SecurityAutoConfiguration
importsSpringBootWebSecurityConfiguration
for web security andUserDetailsServiceAutoConfiguration
configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of typeWebSecurityConfigurerAdapter
(doing so does not disable theUserDetailsService
configuration or Actuator’s security).
For example:
@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/**");
}
}
To use the configuration only for a profile add @Profile
to the class. If you want to enable it by property, add ConditionalOnProperty
to the class.
Spring Boot 2.2.4 - disable security
I found a working solution in the spring boot github issues.
Disable security for the entire application:
@SpringBootApplication ( exclude = {SecurityAutoConfiguration.class} )
@Import(MySecurityConfiguration.class)
public class MyApplication{
}
... and enable via parameter in the security configuration:
@Configuration
@ConditionalOnProperty ( "my.security.enabled" )
@Import ( SecurityAutoConfiguration.class
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
}
Source: https://github.com/spring-projects/spring-boot/issues/12323#issuecomment-370519882
Spring Boot 2.0 disable default security
According to the new updates in Spring 2.0, if Spring Security is on the classpath, Spring Boot will add @EnableWebSecurity.So adding entries to the application.properties ain't gonna work (i.e it is no longer customizable that way). For more information visit the official website Security changes in Spring Boot 2.0
Albeit not sure about your requirement exactly, I could think of one workaround like the following:-
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests().antMatchers("/").permitAll();
}
}
Hope this helps.
How to disable security in Spring-Boot 2?
Here is configuration class. here permit for all url:
@Configuration
@ConditionalOnProperty(value = "app.security.basic.enabled", havingValue = "false")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().authenticated();
}
}
Spring Boot: Disable security for Spring Boot Unit Test
Using both @SpringBootTest
with a random port and @AutoConfiguration
might be an issue.
Can you try:
@RunWith(SpringRunner.class)
@WebMvcTest(App.class)
@AutoConfigureMockMvc(secure = false)
public class ExampleTest{}
or
@RunWith(SpringRunner.class)
@SpringBootTest
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class, ManagementSecurityAutoConfiguration.class })
public class ExampleTest{}
You can event add a custom profile(integration_test) and make:
security:
basic:
enabled: false
@RunWith(SpringRunner.class)
@SpringBootTest
@ActiveProfiles(value="integration_test")
public class ExampleTest{}
Update: Just found similar answer already in another SO question : Disable security for unit tests with spring boot
How to disable the spring security login page though there is spring security dependency?
I usually add extra configuration, for allow access:
@Configuration
public class SecurityDisableConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.cors().disable()
.csrf().disable()
.httpBasic().disable()
.authorizeRequests().antMatchers("/**").permitAll();
}
}
disabling spring security in spring boot app
Use security.ignored
property:
security.ignored=/**
security.basic.enable: false
will just disable some part of the security auto-configurations but your WebSecurityConfig
still will be registered.
There is a default security password generated at startup
Try to Autowired
the AuthenticationManagerBuilder
:
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }
Related Topics
Java 8: Difference Between Method Reference Bound Receiver and Unbound Receiver
Highlighting Strings in Javafx Textarea
Bytebuffer.Allocate() VS. Bytebuffer.Allocatedirect()
How to Convert Ascii Code (0-255) to Its Corresponding Character
Printing Runtime Exec() Outputstream to Console
What Is the Significance of Load Factor in Hashmap
How to Split String with Some Separator But Without Removing That Separator in Java
How to Extract Cn from X509Certificate in Java
Why Does My Sorting Loop Seem to Append an Element Where It Shouldn'T
Best Way to Encode Text Data for Xml in Java
Migration from Struts 1 to Struts 2
Naming Threads and Thread-Pools of Executorservice
Is Httpsession Thread Safe, Are Set/Get Attribute Thread Safe Operations
Why Are the Rsa-Sha256 Signatures I Generate with Openssl and Java Different
Java 1.6: Creating an Array of List<T>