How to disable spring-security login screen?

Solution 1

The default security in Spring Boot is Basic. You could disable it by setting security.basic.enabled=false. More about this here and here.

Solution 2

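You can use Java-based configuration like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity security) throws Exception {
        // Turn off HTTP Basic. Because super.configure() is not called, the
        // adapter's default form login and "any request authenticated" rule
        // are not applied either.
        security.httpBasic().disable();
    }
}

Then restart your application if it refreshes automatically.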

Solution 3

Disable the default Spring Security by excluding it from the autoconfiguration. Add SecurityAutoConfiguration.class to the exclude property of the @SpringBootApplication annotation on your main class, as follows:

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

Solution 4

There seems to be a simpler solution.

Simply put this annotation above your main class or in the same place as your SpringBootApplication annotation:

@EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})

Solution 5

To completely disable the login route, use the Spring Security configuration object.

The following snippet uses org.springframework.boot:2.1.6.RELEASE

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
  override fun configure(security: HttpSecurity) {
    super.configure(security)
    security.httpBasic().disable()
    security.cors().and().csrf().disable().authorizeRequests()
      .anyRequest().authenticated()
      .and().formLogin().disable() // <-- this will disable the login route
      .addFilter(JWTAuthorizationFilter(authenticationManager()))
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  }
  @Bean
  fun corsConfigurationSource(): CorsConfigurationSource {
    val source = UrlBasedCorsConfigurationSource()
    val config = CorsConfiguration().applyPermitDefaultValues()
    config.addExposedHeader("Authorization")
    source.registerCorsConfiguration("/**", config)
    return source
  }
}
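
Added example (not from any of the answers above, and not Spring's own sample code): the goal of Solutions 2 and 5 written against the component-based `SecurityFilterChain` API, assuming Spring Security 6.x. The class name is hypothetical. It removes the login page and the Basic prompt while leaving authorization, CSRF protection and the security headers active.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class NoLoginScreenSecurityConfig { // hypothetical name, not from the page

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No generated /login form and no browser Basic-auth dialog.
            .formLogin(AbstractHttpConfigurer::disable)
            .httpBasic(AbstractHttpConfigurer::disable)
            // With no login page to redirect to, answer unauthenticated
            // requests with a plain 401 status.
            .exceptionHandling(e -> e.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Authorization stays on. The application has to establish the
            // authentication itself, for example with its own filter such as
            // the JWT filter used in Solution 5.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        // CSRF protection is deliberately left at its default (enabled).
        // A POST without a valid CSRF token is rejected with 403 even when
        // the login page is gone. Disable CSRF only for stateless,
        // token-authenticated APIs that do not rely on session cookies.
        return http.build();
    }
}
```
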
Author by

membersound

JEE + Frameworks like Spring, Hibernate, JSF, GWT, Vaadin, SOAP, REST.

Updated on July 09, 2022

Comments

  • membersound 6 months

    I'm using spring-boot-starter-security dependency, to make use of several classes that come with spring-security. But as I want to integrate it in an existing vaadin application, I only want to make use of the classes, and not of the default login/auth screen of spring.

    How can I disable this screen?

    I cannot make any configurations by extending WebSecurityConfigurerAdapter as my main entry class already extends SpringBootServletInitializer. Also, vaadin applications basically run on the same URL path all the time and use internal navigation.

    @EnableAutoConfiguration
    public class MyApp extends SpringBootServletInitializer {
        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(MyApp.class);
        }

        public static void main(String[] args) {
            SpringApplication.run(MyApp.class, args);
        }
    }

    So, what could I do to disable the login screen, but still make use of Spring Security features?

  • OrangeDog almost 7 years
    This still causes / to redirect to /login, and /login to serve a login form
  • Krum over 4 years
    This has been deprecated. noobdev now has the correct answer.
  • Amir Kost about 4 years
    Disabling Spring Security is a bad solution. Applications should be secure!
  • Michiel Haisma about 4 years
    OP requests only to have certain classes available on the classpath, not to enable spring security. Spring Boot will enable Spring security automatically when it finds the jars on the classpath. My solution will make sure that this does not happen.
  • Dosi Bingov almost 4 years
    I like your solution. Thanks!
  • peekay over 3 years
    This config does not change anything as far as I can tell. I thought that providing your own config took precedence over spring config?
  • Guillaume F. about 3 years
    You can add .formLogin().disable() as well to remove the login screen
  • wonsuc about 3 years
    This actually works on the current latest version of Spring Boot 2.2.1.BUILD-SNAPSHOT.
  • Ashutosh Agrawal over 2 years
    When did this Java syntax get changed?
  • user771 over 2 years
    OK, if I use the above solution, the login page is gone. But I'm still getting 403 from POST requests. Does anyone know how to solve this?
  • Amarnath Reddy Dornala almost 2 years
    It's Kotlin syntax.
  • Prashant S about 1 year
    The above worked only for GET HTTP calls. For POST, review my comments below.
  • Randy about 1 year
    This worked as of 'org.springframework.boot' version '2.3.4.RELEASE'