disabling spring security in spring boot app
Solution 1
Use security.ignored property:
security.ignored=/**
security.basic.enable: false will just disable some part of the security auto-configurations but your WebSecurityConfig still will be registered.
There is a default security password generated at startup
Try to Autowired the AuthenticationManagerBuilder:
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }
Solution 2
Try this. Make a new class:
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/").permitAll();
    }
}
Basically this tells Spring to allow access to every URL. @Configuration tells Spring it's a configuration class.
Solution 3
security.ignored is deprecated since Spring Boot 2.
For me, simply extending the annotation of your Application class did the trick:
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
Solution 4
I think you must also remove security auto config from your @SpringBootApplication annotated class:
@EnableAutoConfiguration(exclude = {
    org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
    org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})
Solution 5
With this solution you can fully enable/disable the security by activating a specific profile by command line. I defined the profile in a file application-nosecurity.yaml:
spring:
  autoconfigure:
    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
Then I modified my custom WebSecurityConfigurerAdapter by adding the @Profile("!nosecurity") as follows:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Profile("!nosecurity")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}
To fully disable the security it's enough to start the application up by specifying the nosecurity profile, i.e.:
java -jar target/myApp.jar --spring.profiles.active=nosecurity
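A startup guard that can accompany the profile switch above, so that the nosecurity profile cannot be activated by accident on a reachable deployment. This is an added example, not part of the answer or of Spring itself; the class name NoSecurityGuard and the list of protected profile names are assumptions, and it relies on constructor injection into @Configuration classes (Spring 4.3 or later).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.logging.Logger;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;

// Added example, not code from the answer. Spring loads this class only when
// the "nosecurity" profile is active, so a normal start is unaffected.
@Configuration
@Profile("nosecurity")
public class NoSecurityGuard {

    private static final Logger LOG = Logger.getLogger(NoSecurityGuard.class.getName());

    // Assumed profile names for deployments that must never run unauthenticated.
    private static final List<String> PROTECTED = Arrays.asList("prod", "production", "staging");

    public NoSecurityGuard(Environment env) {
        for (String profile : env.getActiveProfiles()) {
            if (PROTECTED.contains(profile.toLowerCase(Locale.ROOT))) {
                throw new IllegalStateException(
                        "Profile 'nosecurity' must not be combined with '" + profile + "'");
            }
        }
        // Without server.address the embedded server listens on every interface.
        String address = env.getProperty("server.address");
        if (address == null || !isLoopback(address)) {
            throw new IllegalStateException(
                    "Profile 'nosecurity' requires server.address to be a loopback address");
        }
        LOG.warning("Spring Security is DISABLED (profile 'nosecurity'), bound to " + address);
    }

    private static boolean isLoopback(String address) {
        try {
            return InetAddress.getByName(address).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unresolvable address: treat as unsafe
        }
    }
}
```

With this class on the classpath, the application starts without security only when launched with both --spring.profiles.active=nosecurity and --server.address=127.0.0.1 (or another loopback address); any other combination aborts the context startup with the exception message.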
jayjaypg22
Updated on November 04, 2020
Comments
-
jayjaypg22 over 3 years
I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).
I add this to the application.properties:
security.basic.enable: false
management.security.enabled: false
Here is some part of my
But I still have a basic security included : There is a default security password generated at startup and I am still getting HTTP Authentication prompt box.
My pom.xml :
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>fr.test.sample</groupId>
    <artifactId>navigo</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.3.1.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.7</java.version>
        <jsoup.version>1.8.3</jsoup.version>
        <guava.version>18.0</guava.version>
        <postgresql.version>9.3-1103-jdbc41</postgresql.version>
    </properties>

    <!-- Add typical dependencies for a web application -->
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>${jsoup.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
        </dependency>
    </dependencies>

    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <!-- Add Spring repositories -->
    <!-- (you don't need this if you are using a .RELEASE version) -->
    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
        </pluginRepository>
        <pluginRepository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>
</project>
The security is configured in WebSecurityConfig.java (I have commented the annotation to disable it) :
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    UserService userService;

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.authorizeRequests().antMatchers("/bus/topologie", "/home")
        // http.authorizeRequests().anyRequest().authenticated()
        // .antMatchers("/admin/**").access("hasRole('ADMIN')").and()
        // .formLogin().failureUrl("/login?error")
        // .defaultSuccessUrl("/bus/topologie").loginPage("/login")
        // .permitAll().and().logout()
        // .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        // .logoutSuccessUrl("/login").permitAll().and().rememberMe()
        // .rememberMeParameter("remember-me")
        // .tokenRepository(persistentTokenRepository())
        // .tokenValiditySeconds(86400).and().csrf();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(datasource);
        return tokenRepositoryImpl;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        auth.jdbcAuthentication().dataSource(datasource);

        if (!userService.userExists("user")) {
            User userAdmin = new User("user", encoder.encode("password"), true);
            Set<Authorities> authorities = new HashSet<Authorities>();
            authorities.add(new Authorities(userAdmin, "ADMIN"));
            authorities.add(new Authorities(userAdmin, "CRIP"));
            authorities.add(new Authorities(userAdmin, "USER"));
            userAdmin.setAuthorities(authorities);
            userService.createUser(userAdmin);
        }
    }
}
-
Al Grant about 7 years
I got it to go by adding both exclude statement for the autoconfigure.security and .permitAll() on the antMatchers.
-
Al Grant about 7 years
Is security.ignored=/** to go in the securityconfig class or application.properties?
-
Dexter about 7 years
@EnableWebSecurity is needed in the @EnableWebSecurity protected static class SecurityConfiguration
-
Mark almost 7 years
You can also annotate a class like this with something like @Profile("nosecure") so that you can specify the profile "nosecure" until you want it turned on.
-
Dexter about 6 years
Not other solutions but this worked for me on SB v 2.0.0RELEASE. security.ignored=/** was also not required. Just this class was sufficient
-
Mahesh about 6 years
Nice answer. Just to add, security.ignored=/** doesn't turn off CSRF, which still has to be disabled
-
Sumit Ramteke over 5 years
It won't work for Spring Boot 2 as disabling from application.properties is deprecated. Try stackoverflow.com/a/47292134/2443988
-
Enrico Giurin about 5 years
I did something similar, but now I was wondering which are the benefits of this solution compared to just having: http.authorizeRequests().antMatchers("/**").permitAll();
-
Rebai Ahmed over 4 years
We need the (disable/enable) configuration programmatically done
-
java-addict301 over 4 years
@AhmedRebai did the solution not work for you? It worked no problem for me.
-
Joker over 3 years
An alternative for Spring Boot 2, see my answer: stackoverflow.com/a/53670356/2970422
-
Caio over 3 years
For me this way worked, thank you.
-
IonicMan over 3 years
Setting that exclude line in the application yml did the job for me. Thank you!
-
Ashraf Sarhan over 3 years
If you wanted to work with security.basic.enabled: false, see my answer here stackoverflow.com/a/65939294/3888628
-
TheRealChx101 over 2 years
http.authorizeRequests rather.
-
jumping_monkey over 2 years
It's manual, but why not.