32

I am working on a Spring Cloud project using spring-boot-starter-parent version 2.0.1.RELEASE.

I am getting the warning below. It looks like

Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable. Provide your own WebSecurityConfigurer bean instead.

security: basic: enabled: false is disabled in the latest Spring Security version.

Could you please guide me on what I should use instead?

application.yml

---
server:
  port: 8888

security:
  basic:
    enabled: false

spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls

          search-paths:
          - 'station*'
          repos:
            perf:
              pattern:
                - '*/perf'
              uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls-perf
              search-paths:
               - 'station*'

pom.xml

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.1.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <spring-cloud.version>Finchley.BUILD-SNAPSHOT</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <name>Spring Snapshots</name>
            <url>https://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>


Here is my test class.

@RunWith(SpringRunner.class)
@SpringBootTest
public class PluralsightSpringcloudM2ConfigserverGitApplicationTests {

    @Test
    public void contextLoads() {
    }

}


It's nothing to do with the other question.

spencergibb
Jeff Cook

5 Answers

29

Spring Boot 2.0 changed its auto-configuration (including some properties) and now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter. The default configuration looks like this:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .and()
        .httpBasic();
}

A single user with a generated password is configured by default. To customize this user, use the properties under spring.security.user.

# Default user name.
spring.security.user.name=user
# Password for the default user name.
spring.security.user.password=
# Granted roles for the default user name.
spring.security.user.roles=

The following properties have been removed as of Spring Boot 2:

security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions

Replacements (if existing) can be found here: Appendix A. Common application properties

To be clear: If you create a custom WebSecurityConfigurerAdapter the default security configuration will be replaced with your custom configuration:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // For example: Use only Http Basic and not form login.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

For more information visit the Spring 2.0 Migration Guide.

sn42
  • 2
    security.basic.enabled is also deprecated. What is the correct replacement? – Jeff Cook Apr 08 '18 at 12:31
  • 1
    @SayaliShinde This depends on what you want to achieve. If you just want to disable HTTP Basic (and have no auth at all), remove the dependency on `spring-boot-starter-security`. If you want to configure another auth (e.g. form login or openid), [HttpSecurity](https://docs.spring.io/spring-security/site/docs/5.0.4.RELEASE/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html) provides methods to configure your desired security. – sn42 Apr 08 '18 at 13:02
  • @sn42 Your answer, by itself, is very informative and helpful; I appreciate it. A very good answer, indeed =) But not for this question. We simply move security properties under spring. By the way, I didn't downvote. I just wanted to point to the simplest solution. – ozgur Oct 09 '18 at 18:54
21

This is because when you write security.basic.enabled = false, you basically tell the application "I don't care about security; allow all requests whatsoever." After Spring Boot 2.0, you can't just write that one configuration to make the app insecure. You need to write some code to do that. Or you can just copy the following.

package com.LockheedMartin.F22Simulator;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}

By the way, you should remove security.basic.enabled = false from your application.properties, as Spring 2.*.* doesn't understand that property anymore, and if you have a proper IntelliJ setup, you should see a warning saying 'unsupported property'.

sapy
  • 3
    package com.LockheedMartin.F22Simulator; OMG, what a nice code. – Ryane Luo Jun 26 '19 at 07:13
  • Your solution didn't fix it entirely for me: it solved the unwanted 401 in my integration tests, but I got a 403 instead. I was able to solve it with this answer: https://stackoverflow.com/a/49261864/3149048 – Stephanie Feb 14 '20 at 09:05
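
Added example (not part of any answer on this page): for the Config Server in the question, a `WebSecurityConfigurerAdapter` that keeps authentication on rather than permitting every request, since the server hands out application configuration to whoever can reach it. It assumes Spring Boot 2.0.x on the servlet stack with the actuator dependency from the question's pom.xml; the package name, class name and the `ACTUATOR` role are hypothetical, and the user is the one defined under `spring.security.user.*`.

```java
// Added example, not code from the question or the answers.
package com.example.configserver; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class ConfigServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matchers are evaluated in order, so the most specific rules come first.
        http
            .authorizeRequests()
                // Only the health probe is reachable without credentials.
                .antMatchers("/actuator/health").permitAll()
                // Other actuator endpoints need a dedicated role. "ACTUATOR" is a
                // hypothetical role name; grant it via spring.security.user.roles.
                .antMatchers("/actuator/**").hasRole("ACTUATOR")
                // Everything else, including /{application}/{profile} such as
                // /s1rates/default, requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            // HTTP Basic only: config clients are not browsers, so no form login.
            .httpBasic()
                .and()
            // No HTTP session: every request must carry its own credentials.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // CSRF protection is left at its default (enabled).
        // The user name and password come from spring.security.user.name and
        // spring.security.user.password; supply the password from the environment
        // rather than committing it to application.yml.
    }
}
```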
5

If you are using Spring reactive Security we need to do something like this,

@Bean
public SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange().anyExchange().permitAll();
    return http.build();
}

There is another stackoverflow post on this as well, Spring boot 2.0 disable default security

2

I would try the following on your test class:

@SpringBootTest(properties="spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration")

This would disable the autoconfiguration of spring-security in the context of your test class.

EDIT: if it is not limited to test classes context, the same could be applied to:

@SpringBootApplication(excludeName="org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration")

or otherwise, in your application.yaml, you can do:

spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

guido
  • Because they say "deprecated", but the property actually stopped working in 2.0. If it is not only for the test class, but in general, one way would be providing your own `WebSecurityConfigurerAdapter` as suggested by sn42, or see my updated answer – guido Apr 08 '18 at 12:31
  • Looks like the package has changed in Spring Boot 2.2.2.RELEASE, `spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.SecurityAutoConfiguration;` it's still not working – PAA Jan 04 '20 at 15:56
  • This way `spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration` and having spring-security dependency does give Unauthorized – PAA Apr 19 '20 at 19:35
2

This way I was able to solve this issue. Not sure though. I just corrected application.yml

---
server:
  port: 8888


spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls

          search-paths:
          - 'station*'
          repos:
            perf:
              pattern:
                - '*/perf'
              uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls-perf
              search-paths:
               - 'station*'
  security:
    user:
      name: test
      password: test

When I access the URL http://localhost:8888/s1rates/default, it asked me for the username and password and I get the below result.


Jeff Cook