Spring boot Security Disable security

Question

When I use security.basic.enabled=false to disable security on a Spring Boot project that has the following dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>com.oracle</groupId>
        <artifactId>ojdbc6</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

I see the following Exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration$ManagementWebSecurityConfigurerAdapter': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.setObjectPostProcessor(org.springframework.security.config.annotation.ObjectPostProcessor); nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.config.annotation.ObjectPostProcessor] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}

In order to fix this exception I had to add the property - management.security.enabled=false . My understanding is that when the actuator is in the classpath, both security.basic.enabled=false and management.security.enabled=false should be set to disable the security.

Could someone please let me know if my understanding is wrong?

Why do you need security on your classpath if you just want to disable everything? Anyway, your stack trace is incomplete so there is no way to know what was preventing the app from starting. I would expect it would start, but the actuator endpoints should stay secure until you explicitly open them up. — Dave Syer, May 27 '14 at 17:41
@DaveSyer I would like to disable security temporarily and also my application code refers security jars to work. — Stackee007, Feb 19 '15 at 21:36
You still haven't posted enough information to see why the app isn't starting. A full stack trace would be a start. — Dave Syer, Feb 20 '15 at 08:41
@DaveSyer One reason would be a microservice managing spring-sec-oauth2 `ClientDetails`. You'll have a transitive import of spring-security but maybe don't want basic auth in your service. — Dirk Lachowski, Oct 23 '15 at 15:52

Varesh · Answer 1 · 2021-02-20T01:05:21.727

117

In case you have spring-boot-actuator in your package, you should add the following

@EnableAutoConfiguration(exclude = {
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class})

With older Spring-boot, the class was called ManagementSecurityAutoConfiguration.

In newer versions this has changed to

@SpringBootApplication(exclude = {
        org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class}
        )

UPDATE

If for reactive application you are having the same issue, you can exclude the following classes

@SpringBootApplication(exclude = {ReactiveSecurityAutoConfiguration.class, ReactiveManagementWebSecurityAutoConfiguration.class })

edited Feb 20 '21 at 01:05

answered Dec 09 '14 at 22:07

Varesh

1,648
2
14
22

1

Two more auto configurations that need to be excluded as well: SecurityFilterAutoConfiguration.class, SecurityRequestMatcherProviderAutoConfiguration.class – Eugene Maysyuk May 06 '21 at 14:10
Thanks for the new version one. I have lost an hour until I found your answer :) – Turkdogan Tasdelen Jul 28 '21 at 14:08
What does excluding ManagementWebSecurityAutoConfiguration do? Excluding SecurityAutoConfiguration seems to have removed login prompts from my app, which is all I wanted. I'm using Spring Boot 3. – Michael Rivera May 24 '23 at 23:14
It is to not autoconfigure the login page. Spring works with wise default.... so if you do not configure anything, it just picks up the default setup it assumes that you would need. This is just to say do nothing and then you are free to configure what you want. – Varesh Aug 07 '23 at 15:43

score 86 · Answer 2 · answered Dec 08 '15 at 07:48

86

What also seems to work fine is creating a file application-dev.properties that contains:

security.basic.enabled=false
management.security.enabled=false

If you then start your Spring Boot app with the dev profile, you don't need to log on.

answered Dec 08 '15 at 07:48

Wim Deblauwe

25,113
20
133
211

1

security.basic.enabled=false is not needed if you disable security with management.security.enabled=false – hennr Jul 03 '17 at 10:22
I also added `security.ignored=/**` then worked. https://stackoverflow.com/a/36280413/3291867 – mojtab23 Nov 25 '17 at 13:48
23

This is now deprecated! – Eagle_Eye Oct 28 '18 at 08:56
7

Indeed. See https://spring.io/blog/2017/09/15/security-changes-in-spring-boot-2-0-m4 for more info on the deprecation that happened in Spring Boot 2 – Wim Deblauwe Oct 31 '18 at 07:31

karans123 · Answer 3 · 2019-10-09T08:10:38.530

59

For Spring Boot 2 following properties are deprecated in application.yml configuration

  security.basic.enabled: false
  management.security.enabled: false

To disable security for Sprint Boot 2 Basic + Actuator Security following properties can be used in application.yml file instead of annotation based exclusion (@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class}))

  spring:
    autoconfigure:
      exclude[0]: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
      exclude[1]: org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration

For application.properties syntax would be like

spring.autoconfigure.exclude[0]=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

edited Oct 09 '19 at 08:10

answered Oct 09 '19 at 07:52

karans123

796
6
8

Thanks! I temporarily applied this with an environment variable to a springboot 2+ app in a docker container using: `SPRING_APPLICATION_JSON='{"spring":{"autoconfigure":{"exclude[0]":"org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration","exclude[1]":"org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration"}}}'` – dlamblin Mar 23 '21 at 08:34
Two more auto configurations that need to be excluded as well: SecurityFilterAutoConfiguration.class, SecurityRequestMatcherProviderAutoConfiguration.class – Eugene Maysyuk May 06 '21 at 14:11
@dlamblin I tried your snippet but I got: `java.lang.IllegalArgumentException: Cannot parse JSON` Any ideas why? – Metafaniel Mar 02 '22 at 05:05
Still getting authorization error? What could be the reason? – Pranali Rasal May 09 '22 at 05:45

gyoder · Answer 4 · 2015-07-31T17:28:19.567

43

If you need security as a dependency but don't want Spring Boot to configure it for you, you can use this exclusion:

    @EnableAutoConfiguration(exclude = { 
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class 
    })

edited Jul 31 '15 at 17:28

answered Aug 05 '14 at 12:33

gyoder

4,530
5
29
37

Two more auto configurations that need to be excluded as well: SecurityFilterAutoConfiguration.class, SecurityRequestMatcherProviderAutoConfiguration.class – Eugene Maysyuk May 06 '21 at 14:10

score 28 · Answer 5 · answered Apr 04 '18 at 11:03

28

For the spring boot 2 users it has to be

@EnableAutoConfiguration(exclude = {
    org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class
})

answered Apr 04 '18 at 11:03

gkatzioura

2,655
2
26
39

1

What happened to ManagementWebSecurityAutoConfiguration in spring boot 2.0 – VIJ Jul 18 '18 at 09:02
You might still have to comment your `@EnableWebSecurity` annotation – Victor Petit Apr 15 '20 at 08:20
1

Two more auto configurations that need to be excluded as well: SecurityFilterAutoConfiguration.class, SecurityRequestMatcherProviderAutoConfiguration.class – Eugene Maysyuk May 06 '21 at 14:11
@EugeneMaysyuk "SecurityRequestMatcherProviderAutoConfiguration" <- I am not finding this! – SGuru May 20 '22 at 13:15
@SGuru let me take a look – Eugene Maysyuk May 21 '22 at 15:27
@SGuru What Spring Boot version are you using? It is possible that those classes have different names. It depends on Spring Boot version. – Eugene Maysyuk May 21 '22 at 15:30

score 13 · Answer 6 · answered Sep 17 '17 at 09:34

13

Step 1: Comment annotation @EnableWebSecurity in your security config

//@EnableWebSecurity

Step 2: Add this to your application.properties file.

security.ignored=/**
spring.security.enabled=false
management.security.enabled=false
security.basic.enabled=false

For more details look here: http://codelocation.com/how-to-turn-on-and-off-spring-security-in-spring-boot-application/

answered Sep 17 '17 at 09:34

VK321

5,768
3
44
47

1

Sadly, this doesn't work. Once I start spring-boot, it will create the default security filter chain: 2020-11-29 18:48:58.095 INFO 30744 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7c9e4dd, org.springframework.security.web.context.SecurityContextPersistenceFilter@1d14d528, org.springframework.security.web.header.HeaderWriterFilter@3fc159ad, org.springframework.security.web.csrf.CsrfFilter@71b72226, org.springframework.security.... – Ville Miekk-oja Nov 29 '20 at 16:49
This worked for me I'm using Spring Boot 1.7.4. I didn't need to comment `@EnableWebSecurity`. – wonsuc Jan 11 '21 at 08:33

score 11 · Answer 7 · answered Mar 23 '19 at 06:49

Add following class into your code

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author vaquar khan
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
    }

}

And insie of application.properties add

security.ignored=/**
security.basic.enabled=false
management.security.enabled=false

score 8 · Answer 8 · answered Apr 09 '20 at 11:52

8

Answer is to allow all requests in WebSecurityConfigurerAdapter as below.

you can do this in existing class or in new class.

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }

Please note : If ther is existing GlobalMethodSecurityConfiguration class, you must disable it.

answered Apr 09 '20 at 11:52

U_R_Naveen UR_Naveen

720
7
8

Not worked. But this one worked for me https://stackoverflow.com/questions/23894010/spring-boot-security-disable-security#answer-58858524 – Ravi MCA Sep 17 '20 at 11:54
Hi ravi, as per your solution, it is not recommended to disable csrf in production as "http.csrf.disable()". did you get CSRF issue for POST,etc calls? – U_R_Naveen UR_Naveen Sep 19 '20 at 11:41
@U_R_NaveenUR_Naveen I wrote the same code snippet but it didn't work. The login page still appears when I run the spring boot app. How can I fix it? – S.N Feb 10 '21 at 23:29

score 6 · Answer 9 · answered Feb 10 '20 at 14:48

If you are using @WebMvcTest annotation in your test class

@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class })
@TestPropertySource(properties = {"spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration"})

doesn't help you.

You can disable security here

@WebMvcTest(secure = false)

score 5 · Answer 10 · answered Dec 06 '19 at 12:31

5

The easiest way for Spring Boot 2 without dependencies or code changes is just:

spring:
  autoconfigure:
    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

answered Dec 06 '19 at 12:31

Przemek Nowak

7,173
3
53
57

2

This is not working with Spring Boot v2.2.2.RELEASE – PAA Feb 17 '20 at 19:08
would be helpful if you say where to put this code... – JesseBoyd Jul 26 '22 at 15:38
1

This works in springboot version 2.7.5. Thanks – Dark Star1 Nov 24 '22 at 10:44

score 4 · Answer 11 · answered Jan 01 '18 at 16:10

4

Permit access to everything using antMatchers("/")

     protected void configure(HttpSecurity http) throws Exception {
            System.out.println("configure");
                    http.csrf().disable();
                    http.authorizeRequests().antMatchers("/").permitAll();
        }

answered Jan 01 '18 at 16:10

Sarat Chandra

5,636
34
30

Problem with this is, access and security are not the same thing. You might be able to permit access to everything, but that does not set security off. For example, malicious looking strings still are catched. – Ville Miekk-oja Nov 29 '20 at 16:51

score 4 · Answer 12 · answered Nov 14 '19 at 14:00

The only thing that worked for me:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().permitAll();
    }

and

security.ignored=/**

Could be that the properties part is redundant or can be done in code, but had no time to experiment. Anyway is temporary.

score 3 · Answer 13 · answered May 16 '18 at 09:45

3

I simply added security.ignored=/**in the application.properties,and that did the charm.

answered May 16 '18 at 09:45

codereal

150
1
11

so that means automatic security mechanism is still in place but is just ignoring the all paths. I wouldn't be comfortable in keeping the things that are not required – Paramvir Singh Karwal Jan 24 '19 at 18:26

score 2 · Answer 14 · answered May 29 '23 at 14:31

With Spring Boot 3, the configuration syntax has changed. The following did the trick for me -

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    public class SecurityConfig {
    
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests().anyRequest().permitAll();
            return http.build();
        }
    }

Ref- Spring Boot 3 + Security - Disable Authentication

score 1 · Answer 15 · edited Jun 01 '16 at 21:35

1

In order to avoid security you can use annotations. Use this annotation on top of configure class:

@EnableWebSecurity

For example:

@EnableWebSecurity
@Configuration
public class AuthFilter{
   // configured method 
}

edited Jun 01 '16 at 21:35

Laurel

5,965
14
31
57

answered Jun 01 '16 at 09:37

Ramesh Babu

130
1
2
7

21

Why should `@EnableWebSecurity` disable Web Security? – lilalinux Sep 11 '18 at 22:42
At least, it disables the default security configuration in Spring Boot – amseager Dec 03 '20 at 10:37

score 1 · Answer 16 · answered Jul 16 '18 at 19:05

1

You need to add this entry to application.properties to bypass Springboot Default Security

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

Then there won't be any authentication box. otrws, credentials are:- user and 99b962fa-1848-4201-ae67-580bdeae87e9 (password randomly generated)

Note: my springBootVersion = '1.5.14.RELEASE'

answered Jul 16 '18 at 19:05

Titus

67
1
1
7

without this,security.basic.enabled=false management.security.enabled=false security.ignored=/** is not enough is it normal? – Bilgehan Mar 24 '20 at 08:50

score 1 · Answer 17 · answered Aug 08 '18 at 04:41

1

You can configure to toggle spring security in your project by following below 2 steps:

STEP 1: Add a @ConditionalOnProperty annotation on top of your SecurityConfig class. Refer below:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity (prePostEnabled = true)
@ConditionalOnProperty (name = "myproject.security.enabled", havingValue = "true", matchIfMissing = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
   // your security config
}

STEP 2: Add following config to your application.properties or application.yml file.

application.properties

security.ignored=/**
myproject.security.enabled=false

OR

application.yml

security:
  ignored: /**

myproject:
  security:
    enabled: false

answered Aug 08 '18 at 04:41

Sahil Chhabra

10,621
4
63
62

Is it possible to use only one property? – wakedeer Nov 16 '20 at 14:59
@wakedeer your comment seems cryptic, could you please elaborate? – Sahil Chhabra Nov 16 '20 at 15:04
I mean that security.ignored=/** is not necessary – wakedeer Nov 20 '20 at 17:04

score 1 · Answer 18 · answered Sep 21 '19 at 16:20

As previously multiple solutions mentioned to disable security through commenting of

@EnableWebSecurity

annotation and other is through properties in application.properties or yml. But those properties are showing as deprecated in latest spring boot version.

So, I would like to share another approach to configure default username and password in your application-dev.properties or application-dev.yml and use them to login into swagger and etc in development environment.

spring.security.user.name=admin
spring.security.user.password=admin

So, this approach will also provides you some kind of security as well and you can share this information with your development team. You can also configure user roles as well, but its not required in development level.

score 1 · Answer 19 · answered Dec 15 '22 at 12:47

Latest spring 2.7.x, create two class, set DISABLE_KEYCLOAK_AUDIT_PROPERTY = 'your key' in application profile for enable/disable security:

    public static final String DISABLE_KEYCLOAK_AUDIT_PROPERTY = "enable_security";
    @EnableAutoConfiguration(exclude =
            {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
                    org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class
            })
    @Configuration
    @ConditionalOnProperty(name = DISABLE_KEYCLOAK_AUDIT_PROPERTY, havingValue = "true")
    static
    class DisableSecurityConfig {
    }

    @Configuration
    @ConditionalOnProperty(name = DISABLE_KEYCLOAK_AUDIT_PROPERTY, havingValue = "false")
    @Import({KeycloakSecurityConfig.class, KeycloakConfig.class})
    static
    class EnableSecurityConfig {
    }

for example use in application.yml:

enable_security: true

score 1 · Answer 20 · answered Feb 28 '23 at 21:19

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                // disable CSRF, http basic, form login
                .csrf().disable() 
                .httpBasic().disable() 
                .formLogin().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) 
                .and().exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
        return http.build();
    }
}

score 0 · Answer 21 · answered Aug 31 '17 at 13:01

Add the below lines to your main app.

Remove org.activiti.spring.boot.SecurityAutoConfiguration.class if you're not using activiti.

Similarly, remove the one for actuator if you're not using spring-boot-actuator.

@EnableAutoConfiguration(exclude = {
org.activiti.spring.boot.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class,
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class })

Loc Truong · Answer 22 · 2021-06-09T04:00:24.147

0

With Gradle and Spring boot v2.4.4, you can exclude spring security completely by adding this config in your build.gradle

configurations.all {
    exclude group:"org.springframework.boot", module: "spring-boot-starter-security"
}

edited Jun 09 '21 at 04:00

answered Jun 09 '21 at 03:53

Loc Truong

359
5
22

cela · Answer 23 · 2022-08-30T16:00:39.680

As of Spring Boot 2.7.3 using @EnableAutoConfiguration(exclude = {}) generated an error, suggesting the exclude property be used in the @SpringBootApplication annotation.

Here is what worked for me when disabling Spring Security completely.

@SpringBootApplication(
        exclude = {
                SecurityAutoConfiguration.class,
                ManagementWebSecurityAutoConfiguration.class
        })
public class GeoServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(GeoServiceApplication.class, args);
    }

}

I tried excluding only SecurityAutoConfiguration.class, but I got an error for no HttpSecurity bean defined for ManagementWebSecurityAutoConfiguration.class.

SJX · Answer 24 · 2022-10-14T08:38:36.220

0

With Spring 2.6.0 this helped in my case:

@EnableAutoConfiguration(exclude = {
        org.springframework.boot.autoconfigure.security.SecurityDataConfiguration.class
})

And additional I had to remove the dependency in the pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

edited Oct 14 '22 at 08:38

answered Oct 14 '22 at 06:24

SJX

1,071
14
15

score 0 · Answer 25 · answered Nov 29 '22 at 00:01

In Spring Security 5.7.0-M2 WebSecurityConfigurerAdapter was deprecated. Spring Security team encourages users to move towards a component-based security configuration.

package com.may.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").permitAll(); // config to permit all requests
        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager() { // to delete default username and password that is printed in the log every time, you can provide here any auth manager (InMemoryAuthenticationManager, etc) as you need
        return authentication -> {
            throw new UnsupportedOperationException();
        };
    }
}

More examples here:

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

score 0 · Answer 26 · answered Jul 16 '23 at 02:32

For a reactive webflux springboot application (in my case it is not a controller application, but a scheduler application) with out any http requests, none of the application.properties examples or exclude annotations worked. The only way worked for me is by adding a filter class.

I am using springboot 2.6.5, and have the below artifacts mainly besides some kafka and db related artifacts

pom.xml

<artifactId>spring-boot-starter-webflux</artifactId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<artifactId>spring-boot-starter-actuator</artifactId>
<artifactId>spring-boot-starter-security</artifactId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>

application.proeprties:

I did not add spring.main.web-application-type=reactive

Filter class:

NOTE: I did not even added @EnableWebFluxSecurity OR @EnableReactiveMethodSecurity, but it is still works.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class ActuatorSecurityFilter {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http.authorizeExchange().pathMatchers("/actuator/**").permitAll().and().build();
    }
}

score -3 · Answer 27 · answered Nov 21 '18 at 09:03

-3

I added below settings in application.yml and worked fine.

security:
    route-patterns-to-be-skipped:
      - /**/*

this can be converted as security.route-paterns-to-be-skipped=/**/* for application.properties

answered Nov 21 '18 at 09:03

Prasath Rajan

63
7

1

This property doesn't exist at all. – Drakes Oct 15 '19 at 21:31

Spring boot Security Disable security

27 Answers27

for example use in application.yml:

Linked

Related