13

I have implemented authentication in my Spring Boot Application with Spring Security.

The main class controlling authentication should be websecurityconfig:

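    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.PropertySource;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

    @Configuration
    @EnableWebSecurity
    @PropertySource(value = { "classpath:/config/application.properties" })
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        // Application-specific handlers defined elsewhere in the project
        @Autowired
        private RestAuthenticationSuccessHandler authenticationSuccessHandler;
        @Autowired
        private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic()
                .and()
                .csrf().disable()
                // No HTTP session: every request must carry its own credentials
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(restAuthenticationEntryPoint)
                .and()
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/login").permitAll()
                    .antMatchers("/logout").permitAll()
                    .antMatchers("/ristore/**").authenticated()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .successHandler(authenticationSuccessHandler)
                    .failureHandler(new SimpleUrlAuthenticationFailureHandler());
        }
    }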

Since I am doing OAuth, I have AuthServerConfig and ResourceServerConfig as well. My main application class looks like this:

    @SpringBootApplication
    @EnableSpringDataWebSupport
    @EntityScan({"org.mdacc.ristore.fm.models"})
    public class RistoreWebApplication extends SpringBootServletInitializer {

        // Global CORS mapping: every path, any origin
        @Bean
        public WebMvcConfigurer corsConfigurer() {
            return new WebMvcConfigurerAdapter() {
                @Override
                public void addCorsMappings(CorsRegistry registry) {
                    registry.addMapping("/**").allowedOrigins("*");
                }
            };
        }

        public static void main(String[] args) {
            SpringApplication.run(RistoreWebApplication.class, args);
        }

        // Entry point when deployed as a WAR to a servlet container
        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(RistoreWebApplication.class);
        }
    }

Since we are doing code consolidation, we need to turn off authentication temporarily. However, I tried the following methods and nothing seems to work. I am still getting 401 when I hit these rest api urls.

  1. Comment out all the annotations in classes related to security, including `@Configuration` and `@EnableWebSecurity`. In "Spring boot Security Disable security", it was suggested at the bottom that adding `@EnableWebSecurity` will DISABLE auth, which I don't think makes any sense. Tried it anyway, did not work.

  2. Modify websecurityconfig by removing all the security stuff and only do `http.authorizeRequests().anyRequest().permitAll();` ("Disable Basic Authentication while using Spring Security Java configuration"). Does not help either.

  3. Remove security auto config

         @EnableAutoConfiguration(exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})

     like what they did in "disabling spring security in spring boot app". However, I think this feature only works with spring-boot-actuator, which I don't have. So didn't try this.

What is the correct way to disable Spring Security?

ddd
  • 1
    Adding `@EnableWebSecurity` disables Spring Boot security auto configuration. In your case, you already have this annotation so you do not leverage auto configuration anyway. I suggest trying to comment out `@EnableWebSecurity` from your class and exclude `SecurityAutoConfiguration.class` from auto configuration. – Maciej Walkowiak Oct 24 '16 at 22:07
  • @MaciejWalkowiak Should I exclude SecurityAutoConfiguration.class in application class? – ddd Oct 25 '16 at 02:09
  • Take a look at [this](https://stackoverflow.com/questions/25639188/disable-basic-authentication-while-using-spring-security-java-configuration#25740336) – rocksteady Oct 25 '16 at 06:13
  • Does this answer your question? [Spring boot Security Disable security](https://stackoverflow.com/questions/23894010/spring-boot-security-disable-security) – Dupinder Singh Nov 03 '20 at 12:40

3 Answers

17

As @Maciej Walkowiak mentioned, you should do this for your main class:

    @SpringBootApplication(exclude = org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class)
    public class MainClass {
        // rest of the application class unchanged
    }

luboskrnac
  • 1
    It works after adding this in my Main Application class and commenting out `@EnableWebSecurity` in my securityconfig class like what @MaciejWalkowiak said. – ddd Oct 25 '16 at 19:51
  • 6
    Now it's `org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration` – leonbloy Feb 06 '19 at 18:21
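
One way to keep a temporary bypass like the one discussed above from reaching a production deployment, as an added example that is not code from the question or any answer: gate the permit-all configuration behind a Spring profile and refuse to start if that profile is combined with production. The class name `NoAuthWebSecurityConfig` and the profile names `noauth` and `prod` are assumptions, and `javax.annotation.PostConstruct` assumes the pre-Jakarta Spring Boot generation used on this page.

```java
import java.util.Arrays;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class: loaded only when the (assumed) "noauth" profile is active,
// e.g. --spring.profiles.active=noauth. The existing WebSecurityConfig, and the
// OAuth AuthServerConfig / ResourceServerConfig the question mentions, would
// carry @Profile("!noauth") so that only one set of rules is ever registered.
@Configuration
@EnableWebSecurity
@Profile("noauth")
public class NoAuthWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    // Fail fast at startup if the bypass is ever combined with the
    // (assumed) production profile name "prod".
    @PostConstruct
    void refuseInProduction() {
        if (Arrays.asList(env.getActiveProfiles()).contains("prod")) {
            throw new IllegalStateException(
                "Profile 'noauth' must not be active together with 'prod'");
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same effect as the permitAll() attempt in the question, but scoped
        // to the bypass profile instead of replacing the real configuration.
        http.csrf().disable()
            .authorizeRequests().anyRequest().permitAll();
    }
}
```

With this layout the real configuration stays in the code base untouched, and removing the bypass is a matter of not activating the profile.
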
4

Try this:

  1. Comment annotation `@EnableWebSecurity` in your security config

         //@EnableWebSecurity

  2. Add these lines in your security config

         spring.security.enabled=false
         management.security.enabled=false
         security.basic.enabled=false

Mohammad Adil
0

What worked for me is this. Creating WebFilter and PermitAll Request Exchange and disabling CSRF.

    @Bean
    public SecurityWebFilterChain chain(ServerHttpSecurity http, AuthenticationWebFilter webFilter) {
        return http.authorizeExchange().anyExchange().permitAll().and()
                .csrf().disable()
                .build();
    }

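Just put this code in the `@SpringBootApplication` class, like this, and it will work like a charm:

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    import org.springframework.security.web.server.authentication.AuthenticationWebFilter;

    @SpringBootApplication
    public class ConverterApplication {
        public static void main(String[] args) {
            SpringApplication.run(ConverterApplication.class, args);
        }

        // Permit every exchange and disable CSRF protection
        @Bean
        public SecurityWebFilterChain chain(ServerHttpSecurity http, AuthenticationWebFilter webFilter) {
            return http.authorizeExchange().anyExchange().permitAll().and()
                    .csrf().disable()
                    .build();
        }
    }
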
Dupinder Singh