94

I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).

I add this to the application.properties:

```properties
security.basic.enable: false
management.security.enabled: false
```

Here is some part of my

But I still have a basic security included : There is a default security password generated at startup and I am still getting HTTP Authentication prompt box.

My pom.xml :

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>fr.test.sample</groupId>
    <artifactId>navigo</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.3.1.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.7</java.version>
        <jsoup.version>1.8.3</jsoup.version>
        <guava.version>18.0</guava.version>
        <postgresql.version>9.3-1103-jdbc41</postgresql.version>
    </properties>

    <!-- Add typical dependencies for a web application -->
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>${jsoup.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
        </dependency>
    </dependencies>

    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <!-- Add Spring repositories -->
    <!-- (you don't need this if you are using a .RELEASE version) -->
    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
        </pluginRepository>
        <pluginRepository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>
</project>
```

The security is configured in WebSecurityConfig.java (I have commented the annotation to disable it) :

```java
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    UserService userService;

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.authorizeRequests().antMatchers("/bus/topologie", "/home")
        // http.authorizeRequests().anyRequest().authenticated()
        // .antMatchers("/admin/**").access("hasRole('ADMIN')").and()
        // .formLogin().failureUrl("/login?error")
        // .defaultSuccessUrl("/bus/topologie").loginPage("/login")
        // .permitAll().and().logout()
        // .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        // .logoutSuccessUrl("/login").permitAll().and().rememberMe()
        // .rememberMeParameter("remember-me")
        // .tokenRepository(persistentTokenRepository())
        // .tokenValiditySeconds(86400).and().csrf();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(datasource);
        return tokenRepositoryImpl;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        auth.jdbcAuthentication().dataSource(datasource);

        if (!userService.userExists("user")) {
            User userAdmin = new User("user", encoder.encode("password"), true);
            Set<Authorities> authorities = new HashSet<Authorities>();
            authorities.add(new Authorities(userAdmin, "ADMIN"));
            authorities.add(new Authorities(userAdmin, "CRIP"));
            authorities.add(new Authorities(userAdmin, "USER"));
            userAdmin.setAuthorities(authorities);

            userService.createUser(userAdmin);
        }
    }
}
```
2

14 Answers

78

Use security.ignored property:

security.ignored=/** 

security.basic.enable: false will just disable some part of the security auto-configurations but your WebSecurityConfig still will be registered.

> There is a default security password generated at startup

Try to autowire the AuthenticationManagerBuilder:

```java
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    ...
}
```

5 Comments

is security.ignored=/** to go in the securityconfig class or application.properties ?
Nice answer. Just to add, security.ignored=/** doesn't turn off CSRF, which still has to be disabled
it won't work for Spring Boot 2 as disabling from application.properties is deprecated. Try stackoverflow.com/a/47292134/2443988
An alternative for Spring Boot 2, see my answer: stackoverflow.com/a/53670356/2970422
If you wanted to work with security.basic.enabled: false, see my answer here stackoverflow.com/a/65939294/3888628
54

Try this. Make a new class

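```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/").permitAll();
    }
}
```

Basically this tells Spring to allow access to every URL. @Configuration tells Spring it's a configuration class.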

5 Comments

I got it to go by adding both exclude statement for the autoconfigure.security and .permitAll() on the antMatchers.
@EnableWebSecurity is needed in the @EnableWebSecurity protected static class SecurityConfiguration
You can also annotate a class like this with something like @Profile("nosecure") so that you can specify the profile "nosecure" until you want it turned on.
Not other solutions but this worked for me on SB v 2.0.0RELEASE. security.ignored=/** was also not required. Just this class was sufficient
WebSecurityConfigurerAdapter - is deprecated.
49

security.ignored is deprecated since Spring Boot 2.

For me, simply extending the annotation of your Application class did the trick:

@SpringBootApplication(exclude = SecurityAutoConfiguration.class) 


19

With this solution you can fully enable/disable the security by activating a specific profile by command line. I defined the profile in a file application-nosecurity.yaml

```yaml
spring:
  autoconfigure:
    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
```

Then I modified my custom WebSecurityConfigurerAdapter by adding the @Profile("!nosecurity") as follows:

```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Profile("!nosecurity")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}
```

To fully disable the security it's enough to start the application up by specifying the nosecurity profile, i.e.:

java -jar target/myApp.jar --spring.profiles.active=nosecurity 

1 Comment

setting that exclude line in the application yml did the job for me. Thank you!
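
A startup guard for the profile-based switch in the answer above, added here as an example and not code from any of the answers: it aborts startup when the `nosecurity` profile is active, or Spring Security's servlet filter bean is missing, while a protected profile is also active. The class name and the protected profile names `prod` and `staging` are assumptions; it assumes a servlet application on Spring Boot 2 or later with this class inside the component scan.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.context.ApplicationContext;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example (hypothetical class): fail fast if security is switched off
// in an environment that must stay authenticated.
@Component
public class SecurityDisabledGuard implements SmartInitializingSingleton {

    // Assumption: profile names this project uses for protected environments.
    private static final Set<String> PROTECTED_PROFILES =
            new HashSet<>(Arrays.asList("prod", "staging"));

    // Profile used on this page to switch security off.
    private static final String BYPASS_PROFILE = "nosecurity";

    // Bean name under which Spring Security registers its servlet filter chain.
    private static final String SECURITY_FILTER_BEAN = "springSecurityFilterChain";

    private final ApplicationContext context;
    private final Environment env;

    public SecurityDisabledGuard(ApplicationContext context, Environment env) {
        this.context = context;
        this.env = env;
    }

    // Runs once all singletons exist; an exception here aborts context startup.
    @Override
    public void afterSingletonsInstantiated() {
        Set<String> active = new HashSet<>(Arrays.asList(env.getActiveProfiles()));
        boolean protectedEnv = !Collections.disjoint(active, PROTECTED_PROFILES);
        boolean bypassProfile = active.contains(BYPASS_PROFILE);
        boolean filterMissing = !context.containsBean(SECURITY_FILTER_BEAN);

        if (protectedEnv && (bypassProfile || filterMissing)) {
            throw new IllegalStateException(
                    "Spring Security is disabled while a protected profile is active: "
                            + active + " (bypassProfile=" + bypassProfile
                            + ", filterMissing=" + filterMissing + ")");
        }
    }
}
```

The bean check covers the auto-configuration excludes and the commented-out dependency shown on this page; it does not detect a filter chain that is present but configured with `permitAll()` for every request.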
14

I think you must also remove security auto config from your @SpringBootApplication annotated class:

```java
@EnableAutoConfiguration(exclude = {
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})
```


11

Since security.disable option is banned from usage there is still a way to achieve it from pure config without touching any class files (for me it creates convenience with environments manipulation and possibility to activate it with ENV variable) if you use Boot

spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration 


10

For me only excluding the following classes worked:

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class})
public class Application {
    // ...
}
```

1 Comment

This is the correct answer in 2022.
6

just add

@SpringBootApplication(exclude = SecurityAutoConfiguration.class)

1 Comment

where need to add?
5

This was the only thing that worked for me, I added the following annotation to my Application class and exclude SecurityAutoConfiguration

```java
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@EnableAutoConfiguration(exclude = {
        SecurityAutoConfiguration.class
})
```

1 Comment

I did something similar, but now I was wondering which are the benefits of this solution compared to just having: http.authorizeRequests().antMatchers("/**").permitAll();
5

Change WebSecurityConfig.java: comment out everything in the configure method and add

http.authorizeRequests().antMatchers("/**").permitAll(); 

This will allow any request to hit every URL without any authentication.

2 Comments

http.authorizeRequests rather.
It's manual, but why not.
4

You could just comment the maven dependency for a while:

```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-mongodb</artifactId>
    </dependency>
<!--
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>-->
</dependencies>
```

It worked fine for me

Disabling it from application.properties is deprecated for Spring Boot 2.0


2

Use @Profile("whatever-name-profile-to-activate-if-needed") on your security configuration class that extends WebSecurityConfigurerAdapter

```properties
security.ignored=/**
security.basic.enable: false
```

NB. I need to debug to know why exclude auto configuration did not work for me. But the profile is not so bad as you can still re-activate it via configuration properties if needed


0

Just add the following line to disable spring auto configuration in application.properties file

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

it works on spring 2.0.5 :)


-1

The accepted answer didn't work for me.

If you have a multi configuration, adding the following to your WebSecurityConfig class worked for me (ensure that your Order(1) is lower than all of your other Order annotations in the class):

```java
/* UNCOMMENT TO DISABLE SPRING SECURITY */
/*@Configuration
@Order(1)
public static class DisableSecurityConfigurationAdapater extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
    }
}*/
```

2 Comments

we need the (disable/enable) configuration programmatically done
@AhmedRebai did the solution not work for you? It worked no problem for me.
