Disable Basic Authentication while using Spring Security Java configuration
Solution 1
First of all, calling super.configure(http);
will override whole your configuration you have before that.
Try this instead:
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic().disable();
Solution 2
In case you use Spring Boot, the documentation states:
To switch off the Boot default configuration completely in a web application you can add a bean with @EnableWebSecurity
So if you want to fully customize itself that might be an option.
Just to make it clear... You just need to put @EnableWebSecurity annotation on your main application class or application configuration class.
Solution 3
You can disable the formLogin through the HttpSecurity instance as follow:
http.authorizeRequests().antMatchers("/public/**").permitAll()
.antMatchers("/api/**").hasRole("USER")
.anyRequest().authenticated()
.and().formLogin().disable();
This will lead receiving 403 Http error when trying to access any secured resource
Solution 4
Anonymous option worked for me. My code like
http.csrf().disable().headers().frameOptions().sameOrigin().and().
authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
Solution 5
Suitable for Spring Boot or folks using OAuth
@Profile("test")
@EnableWebSecurity
static class BasicWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
}
}
If you are using @EnableOAuth2Client or @EnableResourceServer, then in test profile switch to basic auth and then disable the same. In Spring Boot,to switch off the spring security default configuration completely in a web application you need to add a bean with @EnableWebSecurity
Related videos on Youtube
Kumar Sambhav
Software developer using Java, Spring(Boot, MVC, Security, Integration, Batch, Reactive), Kotlin, Kafka, RabbitMQ, Zookeeper, MongoDB, PostgreSQL, AWS (EC2, ECS, ELB, Fargate etc.) AngularJS 1.x, Angular 8, Twitter Bootstrap, Angular Material.
Updated on July 09, 2022Comments
-
Kumar Sambhav almost 2 years
I am trying to secure a web application using Spring Security java configuration.
This is how the configuration looks:-
@Configuration @EnableWebMvcSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { private String googleClientSecret; @Autowired private CustomUserService customUserService; /* * (non-Javadoc) * * @see org.springframework.security.config.annotation.web.configuration. * WebSecurityConfigurerAdapter * #configure(org.springframework.security.config * .annotation.web.builders.HttpSecurity) */ @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll() .anyRequest().authenticated() .and() .formLogin() .and() .httpBasic().disable() .requiresChannel().anyRequest().requiresSecure(); // @formatter:on super.configure(http); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .eraseCredentials(true) .userDetailsService(customUserService); // @formatter:on super.configure(auth); } }
Notice that I have explicitly disabled HTTP Basic authentication using:-
.httpBasic().disable()
I am still getting HTTP Authenticaton prompt box while accessing a secured url. Why?
Please help me fix this. I just want to render the default login form that comes bundled.
Spring Boot Starter Version : 1.1.5 Spring Security Version : 3.2.5
Thanks
-
M. Deinum over 9 yearsadd
security.basic.enabled=false
to yourapplication.properties
. Also you shouldn't be callingsuper.configure
from your overridden method. -
Kumar Sambhav over 9 years@M.Deinum That fixed it. But why it wasn't disabled when I explicitly disabled in java config?
-
M. Deinum over 9 yearsYou can have multiple
WebSecurityConfigurer
each contributing configuration to the overall configuration. It very well could be that you have a rest part of your website that is protected by basic auth and the normal site with a form. You could create 2WebSecurityConfigurer
one for rest and one for form. You also might want to checkout docs.spring.io/spring-boot/docs/current/reference/html/… (Spring Boot reference, security section). -
Patrick Cornelissen about 6 years@M.Deinum you don't need to call the original implementation in the *Configurer classes, they just implement all methods of the interface with an empty body, so you can just override what you want to use.
-
Ali Abbas over 2 yearsI'm facing similar issue,
security.basic.enabled=false
is no longer available. Any other solution. @M.Deinum
-
-
ticktock over 9 yearssmall correction.. should be .httpBasic().disable().
-
Ivan about 9 yearsThis didn't work for me (I put @EnableWebSecurity on my main Spring Boot class and extended WebSecurityConfigurerAdapter). What it actually means to 'add a bean with @EnableWebSecurity'?
-
jkerak over 7 yearsThis will not disable basic security, it will simply ignore the security checking for all requests.
-
Gel over 5 yearsI apologize, but Im new to java, we are using jhipster with angular front and java back-end. Where do I insert this code? Is this in gateway? or micorservice? what file should be looking for? Thanks -
-
jzheaux over 5 years@GelSisaed that might be a separate question altogether. Generally, it depends on where you are doing your auth, but with jhipster, doing auth in the gateway is pretty typical, so that is where I would start. It also wouldn't be a bad idea to post your own question (with a jhipster tag) like "How do I disable HTTP Basic in JHipster?"
-
Gewure about 2 yearsis this still a valid solution @marcel-overdijk ?