
I am trying to secure a web application using Spring Security java configuration.

This is how the configuration looks:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private String googleClientSecret;

    @Autowired
    private CustomUserService customUserService;

    /*
     * (non-Javadoc)
     * 
     * @see org.springframework.security.config.annotation.web.configuration.
     * WebSecurityConfigurerAdapter
     * #configure(org.springframework.security.config
     * .annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .and()
                .httpBasic().disable()
            .requiresChannel().anyRequest().requiresSecure();
        // @formatter:on
        super.configure(http);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // @formatter:off
        auth
            .eraseCredentials(true)
            .userDetailsService(customUserService);
        // @formatter:on
        super.configure(auth);
    }
}

Notice that I have explicitly disabled HTTP Basic authentication using:

.httpBasic().disable()

I am still getting the HTTP Authentication prompt box while accessing a secured URL. Why?

Please help me fix this. I just want to render the default login form that comes bundled.

Spring Boot Starter Version: 1.1.5
Spring Security Version: 3.2.5

Thanks

Dani
Kumar Sambhav
  • add `security.basic.enabled=false` to your `application.properties`. Also you shouldn't be calling `super.configure` from your overridden method. – M. Deinum Sep 03 '14 at 17:31
  • @M.Deinum That fixed it. But why it wasn't disabled when I explicitly disabled in java config? – Kumar Sambhav Sep 03 '14 at 17:33
  • You can have multiple `WebSecurityConfigurer` each contributing configuration to the overall configuration. It very well could be that you have a rest part of your website that is protected by basic auth and the normal site with a form. You could create 2 `WebSecurityConfigurer` one for rest and one for form. You also might want to checkout http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html (Spring Boot reference, security section). – M. Deinum Sep 03 '14 at 18:26
  • @M.Deinum you don't need to call the original implementation in the *Configurer classes, they just implement all methods of the interface with an empty body, so you can just override what you want to use. – Patrick Cornelissen Mar 23 '18 at 10:31
  • I'm facing a similar issue; `security.basic.enabled=false` is no longer available. Any other solution? @M.Deinum – Ali Abbas Oct 01 '21 at 12:31
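M. Deinum's comment above suggests one `WebSecurityConfigurer` for the REST part of the site (Basic auth) and another for the form-login part. The following is an added example of that layout written for the Spring Security 3.2 API the question uses; it is not code from the question or the comments. The class names, the `/api/**` prefix, and the choice that only `/api/**` clients ever receive a Basic challenge are assumptions. Each adapter owns one filter chain, selected with `antMatcher` and ranked with `@Order`, and neither calls `super.configure`. On Spring Boot 1.1 the property from the comment, `security.basic.enabled=false`, is still the switch for Boot's own default Basic-auth chain.

```java
// Added example (not from the question or its comments): two ordered
// WebSecurityConfigurerAdapter beans, one chain for /api/** with HTTP Basic and
// one chain for the browser-facing site with form login only.
// Assumed names: MultiChainSecurityConfig, ApiSecurityConfig, FormSecurityConfig, /api/**.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1 (evaluated first): only requests under /api/** are handled here.
    // Non-browser clients authenticate with HTTP Basic; nothing here touches
    // the rest of the site, so browser users never see a Basic prompt.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")            // restrict this whole filter chain to the API
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()                      // Basic only on this chain
                    .and()
                .requiresChannel().anyRequest().requiresSecure(); // credentials only over TLS
            // No super.configure(http): the inherited default would add
            // formLogin() and httpBasic() on top of what is configured above.
        }
    }

    // Chain 2 (fallback): every request not matched by chain 1. Same rules as
    // the question's config, with Basic explicitly disabled for this chain.
    @Configuration
    @Order(2)
    public static class FormSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/", "/static/**", "/resources/**", "/resources/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()                      // default bundled login page
                    .and()
                .httpBasic().disable()            // no WWW-Authenticate challenge on this chain
                .requiresChannel().anyRequest().requiresSecure();
            // Again no super.configure(http).
        }
    }
}
```

Because `@Order(1)` is checked first and `antMatcher("/api/**")` scopes that chain, a request to `/api/users` gets a `401` with a `WWW-Authenticate: Basic` header, while an unauthenticated request to `/admin` is redirected to the form login page. Without the `antMatcher` call the first chain would match every URL and the second chain would never run.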

6 Answers


First of all, calling super.configure(http); will override your whole configuration that you have before that.

Try this instead:

http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .and()
    .httpBasic().disable();
jzheaux
kazuar
    small correction.. should be .httpBasic().disable(). – ticktock Dec 12 '14 at 23:28
  • I apologize, but I'm new to Java; we are using JHipster with an Angular front end and a Java back end. Where do I insert this code? Is this in the gateway or the microservice? What file should I be looking for? Thanks – Gel Oct 31 '18 at 01:42
  • @GelSisaed that might be a separate question altogether. Generally, it depends on where you are doing your auth, but with jhipster, doing auth in the gateway is pretty typical, so that is where I would start. It also wouldn't be a bad idea to post your own question (with a jhipster tag) like "How do I disable HTTP Basic in JHipster?" – jzheaux Nov 28 '18 at 22:11
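To make the answer's point concrete, here is an added example (not the answer's or the asker's own code) of the question's adapter with both `super.configure` calls removed, and, in a comment, the inherited default body that `super.configure(http)` re-applies. The default is quoted from `WebSecurityConfigurerAdapter` in Spring Security 3.2; `CustomUserService` from the question is assumed to implement `UserDetailsService`, and the class name `FixedSecurityConfiguration` is mine.

```java
// Added example: the asker's configuration without the super.configure calls.
// Assumptions: class name FixedSecurityConfiguration; the question's
// CustomUserService is a UserDetailsService implementation.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class FixedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService customUserService;

    /*
     * The parent's default configure(HttpSecurity) in Spring Security 3.2 is:
     *
     *     http
     *         .authorizeRequests()
     *             .anyRequest().authenticated()
     *             .and()
     *         .formLogin().and()
     *         .httpBasic();
     *
     * Calling super.configure(http) after .httpBasic().disable() therefore puts
     * the HttpBasicConfigurer straight back, so the BasicAuthenticationEntryPoint
     * can still answer with "WWW-Authenticate: Basic", which is what makes the
     * browser show its credentials dialog instead of the login page.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/", "/static/**", "/resources/**", "/resources/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic().disable()
            .requiresChannel().anyRequest().requiresSecure();
        // Deliberately no super.configure(http).
    }

    /*
     * The parent's default configure(AuthenticationManagerBuilder) does not
     * register anything; it marks the local builder as unused, so the adapter
     * falls back to the globally shared AuthenticationManager and the
     * userDetailsService registered below would be ignored.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .eraseCredentials(true)            // drop the raw password after authentication
            .userDetailsService(customUserService);
        // Deliberately no super.configure(auth).
    }
}
```

The `configure` methods in `WebSecurityConfigurerAdapter` are templates meant to be replaced, not extended, which is why the comment on the question says not to call the parent at all.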

In case you use Spring Boot, the documentation states:

To switch off the Boot default configuration completely in a web application you can add a bean with @EnableWebSecurity

So if you want to fully customize it yourself, that might be an option.

Just to make it clear... You just need to put @EnableWebSecurity annotation on your main application class or application configuration class.

Muhd
Marcel Overdijk
  • This didn't work for me (I put @EnableWebSecurity on my main Spring Boot class and extended WebSecurityConfigurerAdapter). What does it actually mean to 'add a bean with @EnableWebSecurity'? – Ivan Mar 31 '15 at 16:47
  • is this still a valid solution @marcel-overdijk ? – Gewure Mar 26 '22 at 18:51

You can disable the formLogin through the HttpSecurity instance as follows:

http.authorizeRequests().antMatchers("/public/**").permitAll()
        .antMatchers("/api/**").hasRole("USER")
        .anyRequest().authenticated()
        .and().formLogin().disable();

This will lead to a 403 HTTP error when trying to access any secured resource.

Moustafa Essa

The anonymous option worked for me. My code looks like:

http.csrf().disable().headers().frameOptions().sameOrigin().and()
    .authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
Avijit Barua
vara

Suitable for Spring Boot or folks using OAuth

@Profile("test")
@EnableWebSecurity
static class BasicWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
    }
}

If you are using @EnableOAuth2Client or @EnableResourceServer, then in the test profile switch to basic auth and then disable the same. In Spring Boot, to switch off the Spring Security default configuration completely in a web application you need to add a bean with @EnableWebSecurity.

Maclean Pinto

The following worked for me:

http
    .authorizeRequests()
    .anyRequest().permitAll();
Alexander K
    This will not disable basic security, it will simply ignore the security checking for all requests. – jkerak Nov 04 '16 at 14:17