SpringBoot 401 UnAuthorized even with out security

Question

I did not use Spring Security but it is asking me to authenticate.

Exception for URL(http://localhost:8080/SpringJob/ExecuteJob):

{
    "timestamp": 1500622875056,
    "status": 401,
    "error": "Unauthorized",
    "message": "Bad credentials",
    "path": "/SPPA/ExecuteSPPAJob"
}
----below log details
2017-07-21 13:15:35.210  INFO 19828 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/SpringJob]   : Initializing Spring FrameworkServlet 'dispatcherServlet'
2017-07-21 13:15:35.210 [http-nio-8080-exec-1] INFO 
                    o.a.c.c.C.[.[localhost].[/SpringJob]-Initializing Spring FrameworkServlet 'dispatcherServlet' 
2017-07-21 13:15:35.211  INFO 19828 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2017-07-21 13:15:35.211 [http-nio-8080-exec-1] INFO 
                    o.s.web.servlet.DispatcherServlet-FrameworkServlet 'dispatcherServlet': initialization started 
2017-07-21 13:15:35.494  INFO 19828 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 282 ms
2017-07-21 13:15:35.494 [http-nio-8080-exec-1] INFO 
                    o.s.web.servlet.DispatcherServlet-FrameworkServlet 'dispatcherServlet': initialization completed in 282 ms

application-dev.xml

#Spring Boot based configurations
management.security.enabled: "false"
spring.autoconfigure.exclude:  "org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration"
spring.batch.job.enabled: false
server.contextPath: /SpringJob

build.gradle snippet

plugins {
    id 'jacoco'
    id 'org.sonarqube' version '2.5'
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'idea'
apply plugin: 'org.springframework.boot'
apply plugin: "no.nils.wsdl2java"
apply plugin: 'jacoco'
apply plugin: "org.sonarqube"
dependencies {
    compile("org.springframework.boot:spring-boot-starter-web")
    compile("org.springframework.boot:spring-boot-starter-batch")
    compile("org.springframework.boot:spring-boot-starter-mail")
    //compile("org.springframework.boot:spring-boot-devtools")
    compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.5'
    compile group: 'org.apache.cxf', name: 'cxf-spring-boot-starter-jaxws', version: '3.1.10'
    compile group: 'org.apache.cxf', name: 'cxf-rt-ws-security', version: '3.1.10'
    compile("org.springframework.boot:spring-boot-starter-actuator")
    testCompile('org.springframework.boot:spring-boot-starter-test')
}

Controller

@Controller
@EnableAutoConfiguration
@EnableBatchProcessing
public class MyController {
    @Autowired
    JobLauncher jobLauncher;

    @RequestMapping("/ExecuteJob")
    @ResponseBody
    public String callPrelegalJob(@RequestParam("user") String userName, @RequestParam("password") String password) {
        log.info("Job is to be launched from controller...");
}
}

either you can comment out the dependency if the security thing is not your first priority..else you need to customize the configuration to set the Authentication details — Sangam Belose, Jul 21 '17 at 08:33
check this http://techtots.blogspot.in/2016/07/enabling-ws-security-in-spring-boot.html — Sangam Belose, Jul 21 '17 at 08:34
Is there any way to disable this authentication in application.properties ? because czf-rt-ws-security is used only for SOAP service call from Spring not for authentication. — sunleo, Jul 21 '17 at 08:55

score 50 · Answer 1 · answered Nov 15 '18 at 15:20

In the current version of Spring Boot (v2.1.0.RELEASE), the easiest way to get rid of the security issues is to add "WebSecurityConfig.java" to your project as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }

}

Note of course that this removes protection against cross-site request forgery, so this is really only appropriate for simple read-only endpoints.

Afridi · Accepted Answer · 2017-07-21T10:04:31.567

22

Try to add below lines in your application.properties file

security.basic.enable: false
security.ignored=/**

According to spring doc, use security.ignored=

Comma-separated list of paths to exclude from the default secured paths

edited Jul 21 '17 at 10:04

answered Jul 21 '17 at 09:58

Afridi

6,753
2
18
27

This works @Afridi thanks, please provide me doc link if you can. – sunleo Jul 21 '17 at 10:59
@sunleo navigate to https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html and then search for the word "security.ignored=" – Afridi Jul 21 '17 at 11:03
This doesn't currently work, and the link above does not contain "security.ignored" on it – trevorsky Nov 12 '18 at 15:38
1

@trevorsky This option was available till 1.5.8.RELEASE release, and above link is referencing to current release which is currently 2.1.x. May be they removed it now. https://docs.spring.io/spring-boot/docs/1.5.8.RELEASE/reference/html/common-application-properties.html – Afridi Nov 13 '18 at 07:45
3

@alfridi Thanks, yeah it looks like a lot changed in this area from 2+. We ended up adding an explicit piece of code to disable security, as a temporary fix until we prioritize learning and adding a proper security configuration. I'll add it as an answer below for others like me who stumble into this thread. – trevorsky Nov 14 '18 at 13:19
9

These have been deprecated – Ojonugwa Jude Ochalifu Feb 18 '20 at 12:44
security.basic.enabled: false --> enabled not enable – Salman Aug 17 '22 at 06:25

score 18 · Answer 3 · answered Nov 21 '19 at 10:05

18

Just remove the the spring security dependency from pom.xml file. Worked for me :)..

answered Nov 21 '19 at 10:05

Harshit Sharma

194
1
5

3

remove this: `compile('org.springframework.boot:spring-boot-starter-security')` if it is present by any chance – User_Targaryen Oct 03 '20 at 13:46
another way of doing same thing by adding exclusion on main class https://stackoverflow.com/a/64132119/6589216 – Harshit Sharma Jun 20 '23 at 06:56

score 14 · Answer 4 · edited Mar 28 '21 at 06:34

14

if we use CXF security & Spring boot security it gives this issues. Comment out dependency i.e disable the spring boot security then it allows.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>       
</dependency>

To enable this we have to write custom security or add below config

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}

edited Mar 28 '21 at 06:34

Ali Behzadian Nejad

8,804
8
56
106

answered Aug 01 '18 at 18:14

Palla

1,131
9
11

it worked with Spring boot 2.2.6.RELEASE, thanks – Rahal Kanishka Nov 27 '20 at 11:11

score 5 · Answer 5 · answered Jul 21 '17 at 09:24

5

Exact way to disable authentication could not be found by me.But by removing actuator dependency which is working.

compile("org.springframework.boot:spring-boot-starter-actuator")

answered Jul 21 '17 at 09:24

sunleo

10,589
35
116
196

pero_hero · Answer 6 · 2020-02-23T10:59:49.620

3

You can configure the springSecurityFilterChain to ignore all requests and thus allow unauthenticated access to all your endpoints with the following:

@Configuration
@EnableWebSecurity
public class WebConfiguration extends WebSecurityConfigurerAdapter {


    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/**");
    }

}

edited Feb 23 '20 at 10:59

answered Feb 23 '20 at 09:39

pero_hero

2,881
3
10
24

Please add explanation to your answer – Jan Černý Feb 23 '20 at 09:56
Also what package is WebSecurity in. I would actually like to open up a single point but I can't import WebSecurity – JGleason Oct 20 '20 at 17:13
@JGleason WebSecurity is in spring-security-config from spring-security. – pero_hero Oct 21 '20 at 07:17

score 3 · Answer 7 · answered Sep 30 '20 at 06:37

3

@harshit-sharma 's solution worked for me; I added exclusion in my main Application class:

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })

answered Sep 30 '20 at 06:37

PhoenixPerson

272
2
16

awgtek · Answer 8 · 2020-11-17T16:52:47.153

Spring Security may still be in the project libs via transitive dependencies. What should still work in Spring Boot is the following:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/**")
                .permitAll();
    }

Note: the http is a org.springframework.security.config.annotation.web.builders.HttpSecurity and this is in a @Component that may already be injected into and called by some org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter implementation in your application's framework. This should override any built-in catch-all clause, i.e. http.authorizeRequests().anyRequest().denyAll() for testing purposes etc..

score 0 · Answer 9 · answered Jul 04 '23 at 09:33

Adding this configuration bean solved the problem for me:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().permitAll();
    }
}

it will throw compilation exception as spring boot security dependency is not there? — sunleo, Jul 04 '23 at 15:55
Yes, use it only if you have spring boot security on your class path. — kerner1000, Jul 04 '23 at 16:05

score -1 · Answer 10 · answered Jul 12 '20 at 01:17

-1

I solved by removed this dependency from pom.xml

 <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
 </dependency>

answered Jul 12 '20 at 01:17

Abd Abughazaleh

4,615
3
44
53

SpringBoot 401 UnAuthorized even with out security

10 Answers10

Linked