Disable Spring Security via Java configuration?

Question

I have a Java application that uses Spring Security via Java configuration.

What is the easiest method of switching the whole Spring Security on/off in compilation?

So something like this, but for a configuration that uses no XML.

EDIT:

After applying @Profile my code looks like:

@Configuration
@Profile("SecurityOn")
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

The problem is that if the profile "SecurityOn" is not activated, Spring Security uses some default configuration. Instead, how to turn Spring Security completely off in that case?

Answer 1

To disable that behavior, you can add another class that looks like this:

@Configuration
@EnableWebMvcSecurity
@Profile("!SecurityOn")
public class WebSecurityConfigDisable extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/**").permitAll();
    }
}

Then, when you run your application, the only time you'll need to login will be when the SecurityOn profile is active. If you're using Maven and Spring Boot, the command to enable login would be the following.

mvn spring-boot:run -Dspring.profiles.active=SecurityOn

Running it without a profile, or a different profile, will disable login. This is useful for local development.

I found this was necessary when using spring-boot-starter-security because there was default configuration which required login.

Answer 2

Consider using Profile feature.

Since @Profile can be applied as method-level annotation on any @Bean method you can use single profile (e.g. 'secure') and annotate the relevant @Bean method(s) only.

Then specify the active profile(s) via either of the JVM system properties, as an environment variable, or for web applications as a Servlet context parameter in web.xml

Refer sample usage here.