How to disable spring-security login screen?

java spring spring-security vaadin spring-boot

86,725

Solution 1

The default security in Spring Boot is Basic. You could disable it by setting security.basic.enabled=false. More about this here and here.

Solution 2

you can use java based configuration like this :

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity security) throws Exception
    {
     security.httpBasic().disable();
    }
}

and restart your application if it's refresh automatically.

Solution 3

Disable the default spring security by excluding it from the autoconfiguration. Add SecurityAutoConfiguration.class to the exclude property of the @SpringBootApplication annotation on your main class. Like follows:

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

Solution 4

There seems to be a simpler solution.

Simply put this annotationabove your main class or the same place as your SpingBootApplication annotation

@EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})

Solution 5

To completely disable the login route use Spring Security configuration object

The following snippet uses org.springframework.boot:2.1.6.RELEASE

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
  override fun configure(security: HttpSecurity) {
    super.configure(security)
    security.httpBasic().disable()
    security.cors().and().csrf().disable().authorizeRequests()
      .anyRequest().authenticated()
      .and().formLogin().disable() // <-- this will disable the login route
      .addFilter(JWTAuthorizationFilter(authenticationManager()))
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  }
  @Bean
  fun corsConfigurationSource(): CorsConfigurationSource {
    val source = UrlBasedCorsConfigurationSource()
    val config = CorsConfiguration().applyPermitDefaultValues()
    config.addExposedHeader("Authorization")
    source.registerCorsConfiguration("/**", config)
    return source
  }
}

View more solutions

86,725

Author by

membersound

JEE + Frameworks like Spring, Hibernate, JSF, GWT, Vaadin, SOAP, REST.

Updated on July 09, 2022

Comments

membersound 6 months
I'm using spring-boot-starter-security dependency, to make use of several classes that come with spring-security. But as I want to integrate it in an existing vaadin application, I only want to make use of the classes, and not of the default login/auth screen of spring.

How can I disable this screen?

I cannot make any configurations by extending WebSecurityConfigurerAdapter as my main entry class already extends SpringBootServletInitializer. Also, vaadin applications basically run on the same URL path all the time and use internal navigation.
```
@EnableAutoConfiguration
public class MyApp extends SpringBootServletInitializer { 
        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(MyApp.class);
        }
        public static void main(String[] args) {
            SpringApplication.run(MyApp.class, args);
        }
}
```
So, what could I do to disable the login screen, but though make use of spring security features?
OrangeDog almost 7 years

This still causes / to redirect to /login, and /login to serve a login form
Krum over 4 years

this has been deprecated. noobdev now has the correct answer.
Amir Kost about 4 years

Disabling Spring Security is a bad solution. Applications should be secure!
Michiel Haisma about 4 years

OP requests only to have certain classes available on the classpath, not to enable spring security. Spring Boot will enable Spring security automatically when it finds the jars on the classpath. My solution will make sure that this does not happen.
Dosi Bingov almost 4 years

I like your solution. Thanks!
peekay over 3 years

This config does not change anything as far as I can tell. I thought that providing your own config took precedence over spring config?
Guillaume F. about 3 years

You can add .formLogin().disable() as well to remove the login screen
wonsuc about 3 years

This actually works on the current latest version of Spring Boot 2.2.1.BUILD-SNAPSHOT.
Ashutosh Agrawal over 2 years

When this JAVA syntax got changed?
user771 over 2 years

Ok if i use above solution, login page is gone. But still getting 403 from POST requests. Anyone know how to solve this ?
Amarnath Reddy Dornala almost 2 years

It's Kotlin syntax.
Prashant S about 1 year

Above did work only for GET http calls. For POST review my comments below
Randy about 1 year

This worked as of 'org.springframework.boot' version '2.3.4.RELEASE'