How to disable spring-security login screen?

Solution 1

The default security in Spring Boot is Basic. You could disable it by setting security.basic.enabled=false. More about this here and here.

Solution 2

You can use Java-based configuration like this:

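import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        // Turn off HTTP Basic authentication
        security.httpBasic().disable();
    }
}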

Then restart your application if it is refreshed automatically.

Solution 3

Disable the default Spring Security by excluding it from the autoconfiguration. Add SecurityAutoConfiguration.class to the exclude property of the @SpringBootApplication annotation on your main class, as follows:

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

Solution 4

There seems to be a simpler solution.

Simply put this annotation above your main class or in the same place as your SpringBootApplication annotation:

@EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})

Solution 5

To completely disable the login route, use the Spring Security configuration object.

The following snippet uses org.springframework.boot:2.1.6.RELEASE

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
  override fun configure(security: HttpSecurity) {
    super.configure(security)

    security.httpBasic().disable()

    security.cors().and().csrf().disable().authorizeRequests()
      .anyRequest().authenticated()
      .and().formLogin().disable() // <-- this will disable the login route
      .addFilter(JWTAuthorizationFilter(authenticationManager()))
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  }

  @Bean
  fun corsConfigurationSource(): CorsConfigurationSource {
    val source = UrlBasedCorsConfigurationSource()
    val config = CorsConfiguration().applyPermitDefaultValues()
    config.addExposedHeader("Authorization")
    source.registerCorsConfiguration("/**", config)
    return source
  }
}
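
An added example, not part of any answer above and not code from the Spring project: on Spring Security 5.7 and later, where WebSecurityConfigurerAdapter is deprecated, the login form and the Basic prompt from Solutions 2 and 5 can be switched off in a SecurityFilterChain bean while the rest of the filter chain stays active, unlike the exclusions in Solutions 3 and 4. The class name and the choice of a plain 401 response are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

// Hypothetical class name; added example, not from the original page.
@Configuration
@EnableWebSecurity
public class NoLoginScreenSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No generated /login page, so "/" no longer redirects to it.
            .formLogin(form -> form.disable())
            // No browser Basic-auth prompt either.
            .httpBasic(basic -> basic.disable())
            // Deny by default: the application's own mechanism (for example a
            // filter such as the JWTAuthorizationFilter in Solution 5) must
            // populate the SecurityContext before a request is allowed.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // With no login page to redirect to, answer unauthenticated
            // requests with a bare 401 instead.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));

        // CSRF protection and the default security headers are left at their
        // defaults. A POST without a valid CSRF token is therefore rejected
        // with 403 even though the login page is gone.
        return http.build();
    }
}
```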
Author by

membersound

Updated on July 09, 2022

Comments

  • membersound
    membersound over 1 year

    I'm using spring-boot-starter-security dependency, to make use of several classes that come with spring-security. But as I want to integrate it in an existing vaadin application, I only want to make use of the classes, and not of the default login/auth screen of spring.

    How can I disable this screen?

    I cannot make any configurations by extending WebSecurityConfigurerAdapter as my main entry class already extends SpringBootServletInitializer. Also, vaadin applications basically run on the same URL path all the time and use internal navigation.

    @EnableAutoConfiguration
    public class MyApp extends SpringBootServletInitializer {

        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(MyApp.class);
        }

        public static void main(String[] args) {
            SpringApplication.run(MyApp.class, args);
        }
    }
    

    So, what could I do to disable the login screen, but still make use of Spring Security features?

  • OrangeDog
    OrangeDog almost 8 years
    This still causes / to redirect to /login, and /login to serve a login form
  • Krum
    Krum over 5 years
    This has been deprecated. noobdev now has the correct answer.
  • Amir Kost
    Amir Kost about 5 years
    Disabling Spring Security is a bad solution. Applications should be secure!
  • Michiel Haisma
    Michiel Haisma about 5 years
    OP requests only to have certain classes available on the classpath, not to enable spring security. Spring Boot will enable Spring security automatically when it finds the jars on the classpath. My solution will make sure that this does not happen.
  • Dosi Bingov
    Dosi Bingov over 4 years
    I like your solution. Thanks!
  • peekay
    peekay over 4 years
    This config does not change anything as far as I can tell. I thought that providing your own config took precedence over spring config?
  • Guillaume F.
    Guillaume F. about 4 years
    You can add .formLogin().disable() as well to remove the login screen
  • wonsuc
    wonsuc almost 4 years
    This actually works on the current latest version of Spring Boot 2.2.1.BUILD-SNAPSHOT.
  • Ashutosh Agrawal
    Ashutosh Agrawal over 3 years
    When did this Java syntax get changed?
  • user771
    user771 about 3 years
    OK, if I use the above solution, the login page is gone. But I am still getting 403 from POST requests. Does anyone know how to solve this?
  • Amarnath Reddy Dornala
    Amarnath Reddy Dornala over 2 years
    It's Kotlin syntax.
  • Prashant S
    Prashant S about 2 years
    The above worked only for GET HTTP calls. For POST, review my comments below.
  • Randy
    Randy almost 2 years
    This worked as of 'org.springframework.boot' version '2.3.4.RELEASE'