Spring Boot 2.0.x disable security for certain profile

Question

In Spring Boot 1.5.x, I've had Security configured and in certain profiles (eg local), I've added security.basic.enabled=false line to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?

I've already read Spring-Boot-Security-2.0 and security-changes-in-spring-boot-2-0-m4 and there is nothing regarding this property.

Answer 1

You have to add a custom Spring Security configuration, see Spring Boot Reference Guide :

28.1 MVC Security

The default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration . SecurityAutoConfiguration imports SpringBootWebSecurityConfiguration for web security and UserDetailsServiceAutoConfiguration configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of type WebSecurityConfigurerAdapter (doing so does not disable the UserDetailsService configuration or Actuator's security).

For example:

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
               .antMatchers("/**");
    }
}

To use the configuration only for a profile add @Profile to the class. If you want to enable it by property, add ConditionalOnProperty to the class.

Answer 2

Here is how I ended up solving the problem. Here is an example of how my security config looked in Spring Boot 1.5.x. Security was disabled with property security.basic.enabled=false :

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/upload/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

Since security.basic.enabled was removed in Spring Boot 2 (but still reserved as property name), I ended up using security.enabled as a custom property. Here's an example of how my config looks in Spring Boot 2:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${security.enabled:true}")
    private boolean securityEnabled;

    @Override
    public void configure(WebSecurity web) throws Exception {
        if (securityEnabled)
            web.ignoring().antMatchers("/upload/**");
        else
            web.ignoring().antMatchers("/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (securityEnabled)
            http.csrf().disable().authorizeRequests()
                    .anyRequest().authenticated()
                    .and().httpBasic();
    }
}

Answer 3

There is another option to disable security in spring boot 2

@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})

Add this over the main class

Answer 4

Spring Boot 2.1.3

For a certain profile "dev"

Create a new Spring Configuration class

@Configuration
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
@Profile("dev")
public class WebSecurityConfigDisable  {

}

This will disable the spring security.

Answer 5

Actually there are several answers for certain configurations for this question; in my case I have been playing around Spring Boot 2 with Spring Security and JWT. In order to secure my REST endpoints I need to create tokens etc. After I wrote my code and tried to test my endpoints to see if JWT works fine, I end up facing default login page. I tried changing properties file mentioned above and finally I disabled it by adding the @SpringBootApplication(exclude = {SecurityAutoConfiguration.class} ) annotation to my application class.

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class} )
public class JwtWithSpringBootApplication {

    public static void main(String[] args) {
        SpringApplication.run(JwtWithSpringBootApplication.class, args);
    }
}

Answer 6

You can disable spring security auto-configuration by excluding SecurityAutoConfiguration.class and ManagementWebSecurityAutoConfiguration.class has to excluded when got spring-boot-actuator dependency

@SpringBootApplication(
exclude = { SecurityAutoConfiguration.class,  
            ManagementWebSecurityAutoConfiguration.class })
public class MySpringBootApplication {

Then you can conditionally configure your custom WebSecurityConfigurerAdapter using profile or config paramter something like this

@Configuration
@ConditionalOnProperty(prefix = "security.custom", name = "enabled", havingValue="true")
@EnableWebSecurity
public class CustomWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

Answer 7

在 springboot 2.1.4 我不得不这样做

@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class, SecurityFilterAutoConfiguration.class})