How to disable spring-security login screen?
Solution 1
The default security in Spring Boot is Basic. You could disable it by setting security.basic.enabled=false
. More about this here and here.
Solution 2
you can use java based configuration like this :
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity security) throws Exception
{
security.httpBasic().disable();
}
}
and restart your application if it's refresh automatically.
Solution 3
Disable the default spring security by excluding it from the autoconfiguration. Add SecurityAutoConfiguration.class
to the exclude
property of the @SpringBootApplication
annotation on your main class. Like follows:
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class MyApplication {
public static void main(String[] args) {
SpringApplication.run(MyApplication.class, args);
}
}
Solution 4
There seems to be a simpler solution.
Simply put this annotationabove your main class or the same place as your SpingBootApplication
annotation
@EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})
Solution 5
To completely disable the login route use Spring Security configuration object
The following snippet uses org.springframework.boot:2.1.6.RELEASE
@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(security: HttpSecurity) {
super.configure(security)
security.httpBasic().disable()
security.cors().and().csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and().formLogin().disable() // <-- this will disable the login route
.addFilter(JWTAuthorizationFilter(authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
}
@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
val source = UrlBasedCorsConfigurationSource()
val config = CorsConfiguration().applyPermitDefaultValues()
config.addExposedHeader("Authorization")
source.registerCorsConfiguration("/**", config)
return source
}
}
membersound
JEE + Frameworks like Spring, Hibernate, JSF, GWT, Vaadin, SOAP, REST.
Updated on July 09, 2022Comments
-
membersound over 1 year
I'm using
spring-boot-starter-security
dependency, to make use of several classes that come withspring-security
. But as I want to integrate it in an existingvaadin
application, I only want to make use of the classes, and not of the default login/auth screen of spring.How can I disable this screen?
I cannot make any configurations by extending
WebSecurityConfigurerAdapter
as my main entry class alreadyextends SpringBootServletInitializer
. Also, vaadin applications basically run on the same URL path all the time and use internal navigation.@EnableAutoConfiguration public class MyApp extends SpringBootServletInitializer { @Override protected SpringApplicationBuilder configure(SpringApplicationBuilder application) { return application.sources(MyApp.class); } public static void main(String[] args) { SpringApplication.run(MyApp.class, args); } }
So, what could I do to disable the login screen, but though make use of spring security features?
-
OrangeDog almost 8 yearsThis still causes / to redirect to /login, and /login to serve a login form
-
Krum over 5 yearsthis has been deprecated. noobdev now has the correct answer.
-
Amir Kost about 5 yearsDisabling Spring Security is a bad solution. Applications should be secure!
-
Michiel Haisma about 5 yearsOP requests only to have certain classes available on the classpath, not to enable spring security. Spring Boot will enable Spring security automatically when it finds the jars on the classpath. My solution will make sure that this does not happen.
-
Dosi Bingov over 4 yearsI like your solution. Thanks!
-
peekay over 4 yearsThis config does not change anything as far as I can tell. I thought that providing your own config took precedence over spring config?
-
Guillaume F. about 4 yearsYou can add
.formLogin().disable()
as well to remove the login screen -
wonsuc almost 4 yearsThis actually works on the current latest version of
Spring Boot 2.2.1.BUILD-SNAPSHOT
. -
Ashutosh Agrawal over 3 yearsWhen this JAVA syntax got changed?
-
user771 about 3 yearsOk if i use above solution, login page is gone. But still getting 403 from POST requests. Anyone know how to solve this ?
-
Amarnath Reddy Dornala over 2 yearsIt's Kotlin syntax.
-
Prashant S about 2 yearsAbove did work only for GET http calls. For POST review my comments below
-
Randy almost 2 yearsThis worked as of 'org.springframework.boot' version '2.3.4.RELEASE'