Reputation: 1893
Spring boot Security Disable security
When I use security.basic.enabled=false to disable security on a Spring Boot project that has the following dependencies:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>com.oracle</groupId>
<artifactId>ojdbc6</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
I see the following Exception:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration$ManagementWebSecurityConfigurerAdapter': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.setObjectPostProcessor(org.springframework.security.config.annotation.ObjectPostProcessor); nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.config.annotation.ObjectPostProcessor] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
In order to fix this exception I had to add the property - management.security.enabled=false . My understanding is that when the actuator is in the classpath, both security.basic.enabled=false and management.security.enabled=false should be set to disable the security.
Could someone please let me know if my understanding is wrong?
Upvotes: 138
Views: 370291
Answers (29)
Reputation: 1648
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class HttpSecurityConfiguration {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.csrf(AbstractHttpConfigurer::disable)
.build();
}
}
I'm using
id 'org.springframework.boot' version '3.2.4'
and
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '3.2.4'
Upvotes: 0
Reputation: 766
With Spring Boot 3, the configuration syntax has changed. The following did the trick for me -
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().anyRequest().permitAll();
return http.build();
}
}
More details in my blog post Spring Boot 3 + Security - Disable Authentication
Upvotes: 5
Reputation: 475
Use
@Configuration
public class ApplicationNoSecurity {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring()
.antMatchers("/**");
}
}
https://www.baeldung.com/spring-security-disable-profile
Upvotes: 0
Reputation: 1772
For a reactive webflux springboot application (in my case it is not a controller application, but a scheduler application) with out any http requests, none of the application.properties examples or exclude annotations worked. The only way worked for me is by adding a filter class.
I am using springboot 2.6.5, and have the below artifacts mainly besides some kafka and db related artifacts
pom.xml
<artifactId>spring-boot-starter-webflux</artifactId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<artifactId>spring-boot-starter-actuator</artifactId>
<artifactId>spring-boot-starter-security</artifactId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
application.proeprties:
I did not add spring.main.web-application-type=reactive
Filter class:
NOTE: I did not even added @EnableWebFluxSecurity OR @EnableReactiveMethodSecurity, but it is still works.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
@Configuration
public class ActuatorSecurityFilter {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.authorizeExchange().pathMatchers("/actuator/**").permitAll().and().build();
}
}
Upvotes: 0
Reputation: 10552
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// disable CSRF, http basic, form login
.csrf().disable()
.httpBasic().disable()
.formLogin().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
return http.build();
}
}
Upvotes: 1
Reputation: 1241
Latest spring 2.7.x, create two class, set DISABLE_KEYCLOAK_AUDIT_PROPERTY = 'your key' in application profile for enable/disable security:
public static final String DISABLE_KEYCLOAK_AUDIT_PROPERTY = "enable_security";
@EnableAutoConfiguration(exclude =
{org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class
})
@Configuration
@ConditionalOnProperty(name = DISABLE_KEYCLOAK_AUDIT_PROPERTY, havingValue = "true")
static
class DisableSecurityConfig {
}
@Configuration
@ConditionalOnProperty(name = DISABLE_KEYCLOAK_AUDIT_PROPERTY, havingValue = "false")
@Import({KeycloakSecurityConfig.class, KeycloakConfig.class})
static
class EnableSecurityConfig {
}
for example use in application.yml:
enable_security: true
Upvotes: 1
Reputation: 3378
In Spring Security 5.7.0-M2 WebSecurityConfigurerAdapter was deprecated. Spring Security team encourages users to move towards a component-based security configuration.
package com.may.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").permitAll(); // config to permit all requests
return http.build();
}
@Bean
public AuthenticationManager authenticationManager() { // to delete default username and password that is printed in the log every time, you can provide here any auth manager (InMemoryAuthenticationManager, etc) as you need
return authentication -> {
throw new UnsupportedOperationException();
};
}
}
More examples here:
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
Upvotes: 0
Reputation: 1239
With Spring 2.6.0 this helped in my case:
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.SecurityDataConfiguration.class
})
And additional I had to remove the dependency in the pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Upvotes: 0
Reputation: 2500
As of Spring Boot 2.7.3 using @EnableAutoConfiguration(exclude = {}) generated an error, suggesting the exclude property be used in the @SpringBootApplication annotation.
Here is what worked for me when disabling Spring Security completely.
@SpringBootApplication(
exclude = {
SecurityAutoConfiguration.class,
ManagementWebSecurityAutoConfiguration.class
})
public class GeoServiceApplication {
public static void main(String[] args) {
SpringApplication.run(GeoServiceApplication.class, args);
}
}
I tried excluding only SecurityAutoConfiguration.class, but I got an error for no HttpSecurity bean defined for ManagementWebSecurityAutoConfiguration.class.
Upvotes: 1
Reputation: 379
With Gradle and Spring boot v2.4.4, you can exclude spring security completely by adding this config in your build.gradle
configurations.all {
exclude group:"org.springframework.boot", module: "spring-boot-starter-security"
}
Upvotes: 0
Reputation: 1758
In case you have spring-boot-actuator in your package, you should add the following
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class})
With older Spring-boot, the class was called ManagementSecurityAutoConfiguration.
In newer versions this has changed to
@SpringBootApplication(exclude = {
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class}
)
UPDATE
If for reactive application you are having the same issue, you can exclude the following classes
@SpringBootApplication(exclude = {ReactiveSecurityAutoConfiguration.class, ReactiveManagementWebSecurityAutoConfiguration.class })
Upvotes: 126
Reputation: 788
Answer is to allow all requests in WebSecurityConfigurerAdapter as below.
you can do this in existing class or in new class.
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().permitAll();
}
Please note : If ther is existing GlobalMethodSecurityConfiguration class, you must disable it.
Upvotes: 8
Reputation: 768
If you are using @WebMvcTest annotation in your test class
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class })
@TestPropertySource(properties = {"spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration"})
doesn't help you.
You can disable security here
@WebMvcTest(secure = false)
Upvotes: 6
Reputation: 7693
The easiest way for Spring Boot 2 without dependencies or code changes is just:
spring:
autoconfigure:
exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
Upvotes: 5
Reputation: 379
The only thing that worked for me:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().permitAll();
}
and
security.ignored=/**
Could be that the properties part is redundant or can be done in code, but had no time to experiment. Anyway is temporary.
Upvotes: 4
Reputation: 836
For Spring Boot 2 following properties are deprecated in application.yml configuration
security.basic.enabled: false
management.security.enabled: false
To disable security for Sprint Boot 2 Basic + Actuator Security following properties can be used in application.yml file instead of annotation based exclusion (@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class}))
spring:
autoconfigure:
exclude[0]: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
exclude[1]: org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
For application.properties syntax would be like
spring.autoconfigure.exclude[0]=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
Upvotes: 63
Reputation: 1488
As previously multiple solutions mentioned to disable security through commenting of
@EnableWebSecurity
annotation and other is through properties in application.properties or yml. But those properties are showing as deprecated in latest spring boot version.
So, I would like to share another approach to configure default username and password in your application-dev.properties or application-dev.yml and use them to login into swagger and etc in development environment.
spring.security.user.name=admin
spring.security.user.password=admin
So, this approach will also provides you some kind of security as well and you can share this information with your development team. You can also configure user roles as well, but its not required in development level.
Upvotes: 1
Reputation: 11449
Add following class into your code
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* @author vaquar khan
*/
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
}
}
And insie of application.properties add
security.ignored=/**
security.basic.enabled=false
management.security.enabled=false
Upvotes: 11
Reputation: 73
I added below settings in application.yml and worked fine.
security:
route-patterns-to-be-skipped:
- /**/*
this can be converted as security.route-paterns-to-be-skipped=/**/* for application.properties
Upvotes: -3
Reputation: 11666
You can configure to toggle spring security in your project by following below 2 steps:
STEP 1:
Add a @ConditionalOnProperty annotation on top of your SecurityConfig class. Refer below:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity (prePostEnabled = true)
@ConditionalOnProperty (name = "myproject.security.enabled", havingValue = "true", matchIfMissing = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// your security config
}
STEP 2:
Add following config to your application.properties or application.yml file.
application.properties
security.ignored=/**
myproject.security.enabled=false
OR
application.yml
security:
ignored: /**
myproject:
security:
enabled: false
Upvotes: 2
Reputation: 87
You need to add this entry to application.properties to bypass Springboot Default Security
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
Then there won't be any authentication box.
otrws, credentials are:-
user and 99b962fa-1848-4201-ae67-580bdeae87e9 (password randomly generated)
Note: my springBootVersion = '1.5.14.RELEASE'
Upvotes: 1
Reputation: 150
I simply added security.ignored=/**in the application.properties,and that did the charm.
Upvotes: 3
Reputation: 2810
For the spring boot 2 users it has to be
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class
})
Upvotes: 29
Reputation: 6120
Permit access to everything using antMatchers("/")
protected void configure(HttpSecurity http) throws Exception {
System.out.println("configure");
http.csrf().disable();
http.authorizeRequests().antMatchers("/").permitAll();
}
Upvotes: 5
Reputation: 5953
Step 1: Comment annotation @EnableWebSecurity in your security config
//@EnableWebSecurity
Step 2: Add this to your application.properties file.
security.ignored=/**
spring.security.enabled=false
management.security.enabled=false
security.basic.enabled=false
For more details look here: http://codelocation.com/how-to-turn-on-and-off-spring-security-in-spring-boot-application/
Upvotes: 13
Reputation: 3642
Add the below lines to your main app.
Remove org.activiti.spring.boot.SecurityAutoConfiguration.class if you're not using activiti.
Similarly, remove the one for actuator if you're not using spring-boot-actuator.
@EnableAutoConfiguration(exclude = {
org.activiti.spring.boot.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class,
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class })
Upvotes: 0
Reputation: 128
In order to avoid security you can use annotations. Use this annotation on top of configure class:
@EnableWebSecurity
For example:
@EnableWebSecurity
@Configuration
public class AuthFilter{
// configured method
}
Upvotes: 0
Reputation: 26848
What also seems to work fine is creating a file application-dev.properties that contains:
security.basic.enabled=false
management.security.enabled=false
If you then start your Spring Boot app with the dev profile, you don't need to log on.
Upvotes: 87
Reputation: 4738
If you need security as a dependency but don't want Spring Boot to configure it for you, you can use this exclusion:
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class
})
Upvotes: 43
Related Questions
- Spring Boot 2.0 disable default security
- How do I turn off Spring Security in my new Spring Boot project?
- Spring boot and Spring Actuator - disable security
- How to turn off Spring Security in Spring Boot Application
- Spring Boot 2.2.4 - disable security
- Spring boot: disable security auto configuration
- How to disable default Spring security with Spring boot?
- Spring boot, how to disable autoconfiguration of springSecurityFitlerChain
- failed to switch off the Spring Boot security configuration
- Disable Spring Security from spring-security.xml file