Spring boot 1.5 disable oauth2 security

Question

How can I disable the oauth2 security filtering in my Spring boot app, or skip the security checks, I just want to hit the GET and POST end points in the Spring boot @RestController directly without going through the security filtering.

I'm using below configurations

security:
  oauth2:
    client:
      access-token-validity-seconds: 3600
  tokenExtractor:
    type: header

pom.xml dependencies

<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
     <groupId>org.springframework.security.oauth</groupId>
     <artifactId>spring-security-oauth2</artifactId>
</dependency>

Spring version

<spring.version>4.3.7.RELEASE</spring.version>
<spring.boot.version>1.5.2.RELEASE</spring.boot.version>

Why are you adding spring-security if you want to ignore it? — CrazySabbath, Aug 23 '19 at 09:46
There is no mandate to add security in spring if you don't want it — Kavitha Karunakaran, Aug 23 '19 at 09:47
i want to skip security checks for testing purposes of other internal GET, POST urls — Buddhi, Aug 23 '19 at 09:47
Possible duplicate of this - https://stackoverflow.com/questions/23894010/spring-boot-security-disable-security question. — Kousick Shanmugam Nagaraj, Aug 23 '19 at 09:52

score 1 · Answer 1 · answered Aug 23 '19 at 10:06

1

If you don't want to remove the entire Spring Security, you can add ignore configuration for all you urls in your Spring Configuration bean:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
            "/**");
}

answered Aug 23 '19 at 10:06

Gawain

1,017
8
17

1

thanks, i found the deny rule in the class, **@Configuration** public class ResourceAccessConfiguration **extends ResourceServerConfigurerAdapter** {@Override public void configure(HttpSecurity http) throws Exception {List matchers = Arrays.stream(new String[]{"/**/payment/**"}).map(AntPathRequestMatcher::new).collect(Collectors.toList()); **http.authorizeRequests().requestMatchers(new OrRequestMatcher(matchers)).denyAll();**}} – Buddhi Aug 29 '19 at 01:48

Buddhi · Answer 2 · 2019-09-10T09:56:39.243

3 ways

A. I was able to achive bypassing spring boot security filtering while keeping the @EnableResourceServer in the @SpringBootApplication Application class

1.permitall for anonymous in the ResourceServerConfigurerAdapter override

import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ResourceAccessConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().anonymous();<< this will allow any resource endpoint access when the HTTP request Authorization header not available
        //http.authorizeRequests().antMatchers("/**").permitAll();<< also can
    }
}

spring boot application initializer

@SpringBootApplication
@EnableResourceServer << keep this
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

2.remove the authorization header(remove OAuth 2.0 Access Token from the HTTP request)

B. security filtering could also be disabled for endpoints by removing @EnableResourceServer and set the parameter in application.yml as below. when removed @EnableResourceServer the spring security config will fall back to default which is org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

1.application.yml, security.ignored property

security:
  ignored: /**

2.spring boot application initializer

@SpringBootApplication
//@EnableResourceServer << remove this
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

3.remove the authorization header same as above

C. security filtering could also be disabled for endpoints by removing @EnableResourceServer and adding a config class extends WebSecurityConfigurerAdapter

1.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
    }
}

2.//@EnableResourceServer commented same as above

3.remove the authorization header same as above

Spring boot 1.5 disable oauth2 security

2 Answers2