disabling spring security in spring boot app

Question

I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).

I add this to the application.properties:

security.basic.enable: false   
management.security.enabled: false

Here is some part of my

But I still have a basic security included : There is a default security password generated at startup and I am still getting HTTP Authentication prompt box.

My pom.xml :

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>fr.test.sample</groupId>
    <artifactId>navigo</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.3.1.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.7</java.version>
        <jsoup.version>1.8.3</jsoup.version>
        <guava.version>18.0</guava.version>
        <postgresql.version>9.3-1103-jdbc41</postgresql.version>
    </properties>

    <!-- Add typical dependencies for a web application -->
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>${jsoup.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
            </dependency>
    </dependencies>

    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <!-- Add Spring repositories -->
    <!-- (you don't need this if you are using a .RELEASE version) -->
    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-snapshots</id>
            <url>http://repo.spring.io/snapshot</url>
        </pluginRepository>
        <pluginRepository>
            <id>spring-milestones</id>
            <url>http://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>

</project>

The security is configured in WebSecurityConfig.java (I have commented the annotation to disable it) :

//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    UserService userService;

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.authorizeRequests().antMatchers("/bus/topologie", "/home")
        // http.authorizeRequests().anyRequest().authenticated()
        // .antMatchers("/admin/**").access("hasRole('ADMIN')").and()
        // .formLogin().failureUrl("/login?error")
        // .defaultSuccessUrl("/bus/topologie").loginPage("/login")
        // .permitAll().and().logout()
        // .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        // .logoutSuccessUrl("/login").permitAll().and().rememberMe()
        // .rememberMeParameter("remember-me")
        // .tokenRepository(persistentTokenRepository())
        // .tokenValiditySeconds(86400).and().csrf();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(datasource);
        return tokenRepositoryImpl;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {

        PasswordEncoder encoder = new BCryptPasswordEncoder();

        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        auth.jdbcAuthentication().dataSource(datasource);

        if (!userService.userExists("user")) {
            User userAdmin = new User("user", encoder.encode("password"), true);
            Set<Authorities> authorities = new HashSet<Authorities>();
            authorities.add(new Authorities(userAdmin,"ADMIN"));
            authorities.add(new Authorities(userAdmin,"CRIP"));
            authorities.add(new Authorities(userAdmin,"USER"));
            userAdmin.setAuthorities(authorities);

            userService.createUser(userAdmin);
        }
    }

}

http://stackoverflow.com/questions/23894010/spring-boot-security-disable-security — soorapadman, Mar 29 '16 at 09:30
Does this answer your question? [Spring boot Security Disable security](https://stackoverflow.com/questions/23894010/spring-boot-security-disable-security) — Dupinder Singh, Nov 03 '20 at 12:45

Ali Dehghani · Accepted Answer · 2016-03-29T09:37:55.633

76

Use security.ignored property:

security.ignored=/**

security.basic.enable: false will just disable some part of the security auto-configurations but your WebSecurityConfig still will be registered.

There is a default security password generated at startup

Try to Autowired the AuthenticationManagerBuilder:

@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }

edited Mar 29 '16 at 09:37

answered Mar 29 '16 at 09:31

Ali Dehghani

46,221
15
164
151

2

is security.ignored=/** to go in the securityconfig class or application.properties ? – Al Grant Apr 15 '17 at 07:57
1

Nice answer. Just to add, security.ignored=/** doesn't turn off CSRF, which still has to disabled – Mahesh Mar 15 '18 at 06:18
27

it won't work for Spring Boot 2 as disabling from `application.properties` is deprecated. Try https://stackoverflow.com/a/47292134/2443988 – Sumit Ramteke Aug 10 '18 at 01:15
1

An alternative for spring boot 2, se my answer: https://stackoverflow.com/a/53670356/2970422 – Joker Sep 04 '20 at 13:16
If you wanted to work with security.basic.enabled: false, see my answer here https://stackoverflow.com/a/65939294/3888628 – Ashraf Sarhan Jan 28 '21 at 14:40

score 50 · Answer 2 · answered Mar 29 '16 at 09:29

50

Try this. Make a new class

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/").permitAll();
}

}

Basically this tells Spring to allow access to every url. @Configuration tells spring it's a configuration class

answered Mar 29 '16 at 09:29

bmarkham

1,590
15
27

I got it to go by adding both exclude statement for the autoconfigure.security and .permitAll() on the antMatchers. – Al Grant Apr 15 '17 at 07:55
\@EnableWebSecurity is needed in the \@EnableWebSecurity protected static class SecurityConfiguration – Dexter Apr 19 '17 at 21:13
1

You can also annotate a class like this with something like `@Profile("nosecure")` so that you can specify the profile "nosecure" until you want it turned on. – Mark May 24 '17 at 18:14
Not other solutions but this worked for me on SB v 2.0.0RELEASE. security.ignored=/** was also no required. Just this class was suffiecient – Dexter Mar 10 '18 at 03:57
2

```WebSecurityConfigurerAdapter``` - is deprecated. – Marius Jaraminas Dec 27 '22 at 20:29

score 45 · Answer 3 · answered Dec 07 '18 at 13:16

45

security.ignored is deprecated since Spring Boot 2.

For me simply extend the Annotation of your Application class did the Trick:

@SpringBootApplication(exclude = SecurityAutoConfiguration.class)

answered Dec 07 '18 at 13:16

Joker

2,304
25
36

Enrico Giurin · Answer 4 · 2018-10-26T15:22:10.640

With this solution you can fully enable/disable the security by activating a specific profile by command line. I defined the profile in a file application-nosecurity.yaml

spring:
  autoconfigure:
    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

Then I modified my custom WebSecurityConfigurerAdapter by adding the @Profile("!nosecurity") as follows:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Profile("!nosecurity")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}

To fully disable the security it's enough to start the application up by specifying the nosecurity profile, i.e.:

java -jar  target/myApp.jar --spring.profiles.active=nosecurity

setting that exclude line in the application yml did the job for me. Thank you! — IonicMan, Nov 06 '20 at 09:09

score 14 · Answer 5 · answered Mar 29 '16 at 09:28

I think you must also remove security auto config from your @SpringBootApplication annotated class:

@EnableAutoConfiguration(exclude = {
    org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
    org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})

score 10 · Answer 6 · answered Dec 10 '18 at 17:01

Since security.disable option is banned from usage there is still a way to achieve it from pure config without touching any class flies (for me it creates convenience with environments manipulation and possibility to activate it with ENV variable) if you use Boot

spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

score 8 · Answer 7 · answered Aug 22 '20 at 19:39

For me only excluding the following classes worked:

import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class}) {
  // ... 
}

This is the correct answer in 2022. – etech Oct 31 '22 at 21:21 — etech, Oct 31 '22 at 21:21

score 5 · Answer 8 · answered Apr 05 '20 at 16:50

5

just add

@SpringBootApplication(exclude = SecurityAutoConfiguration.class)

answered Apr 05 '20 at 16:50

Anis KCHAOU

830
1
11
11

where need to add? – Jhoan River Aug 22 '22 at 10:35

score 4 · Answer 9 · answered Jul 16 '18 at 14:22

4

This was the only thing that worked for me, I added the following annotation to my Application class and exclude SecurityAutoConfiguration

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@EnableAutoConfiguration(exclude = {
        SecurityAutoConfiguration.class
})

answered Jul 16 '18 at 14:22

Maoz Zadok

4,871
3
33
43

1

I did something similar, but now I was wondering which are the benefits of this solution compared to just having: http.authorizeRequests().antMatchers("/**").permitAll(); – Enrico Giurin Mar 28 '19 at 11:00

score 4 · Answer 10 · answered Nov 20 '18 at 23:01

You could just comment the maven dependency for a while:

<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-mongodb</artifactId>
        </dependency>
<!--        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>-->
</dependencies>

It worked fine for me

Disabling it from application.properties is deprecated for Spring Boot 2.0

score 4 · Answer 11 · edited Mar 10 '22 at 19:47

4

Change WebSecurityConfig.java: comment out everything in the configure method and add

http.authorizeRequests().antMatchers("/**").permitAll();

This will allow any request to hit every URL without any authentication.

edited Mar 10 '22 at 19:47

Exadra37

11,244
3
43
57

answered Oct 14 '20 at 14:41

Shubham Patel

71
1

1

`http.authorizeRequests` rather. – TheRealChx101 Oct 14 '21 at 01:04
It's manual, but why not. – jumping_monkey Dec 29 '21 at 08:46

score 2 · Answer 12 · edited Dec 08 '17 at 19:38

2

Use @profile("whatever-name-profile-to-activate-if-needed") on your security configuration class that extends WebSecurityConfigurerAdapter

security.ignored=/**

security.basic.enable: false

NB. I need to debug to know why why exclude auto configuration did not work for me. But the profile is sot so bad as you can still re-activate it via configuration properties if needed

edited Dec 08 '17 at 19:38

rene

41,474
78
114
152

answered Dec 06 '17 at 15:24

Breton F.

177
1
6

user2979124 · Answer 13 · 2018-10-05T07:12:28.113

0

Just add the following line to disable spring auto configuration in application.properties file

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

it works on spring 2.0.5 :)

edited Oct 05 '18 at 07:12

answered Oct 05 '18 at 06:45

user2979124

11
1

java-addict301 · Answer 14 · 2019-02-15T14:08:27.363

-1

The accepted answer didn't work for me.

If you have a multi configuration, adding the following to your WebSecurityConfig class worked for me (ensure that your Order(1) is lower than all of your other Order annotations in the class):

/* UNCOMMENT TO DISABLE SPRING SECURITY */
    /*@Configuration
    @Order(1)
    public static class DisableSecurityConfigurationAdapater extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
        }
    }*/

edited Feb 15 '19 at 14:08

answered Feb 15 '19 at 13:59

java-addict301

3,220
2
25
37

we need the (disable/enable° configuration programmatically done – Rebai Ahmed Sep 10 '19 at 16:26
@AhmedRebai did the solution not work for you? It worked no problem for me. – java-addict301 Sep 12 '19 at 10:34

disabling spring security in spring boot app

14 Answers14

Linked

Related