Buddhi

Reputation: 2324

Spring boot 1.5 disable oauth2 security

How can I disable the OAuth2 security filtering in my Spring Boot app, or skip the security checks? I just want to hit the GET and POST endpoints in the Spring Boot @RestController directly without going through the security filtering.

I'm using the configuration below:

security:
  oauth2:
    client:
      access-token-validity-seconds: 3600
  tokenExtractor:
    type: header

pom.xml dependencies

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>

Spring version

<spring.version>4.3.7.RELEASE</spring.version>
<spring.boot.version>1.5.2.RELEASE</spring.boot.version>

Upvotes: 1

Views: 6491

Answers (2)

Buddhi

Reputation: 2324

3 ways

A. I was able to achieve bypassing Spring Boot security filtering while keeping the @EnableResourceServer in the @SpringBootApplication Application class

1. permitAll for anonymous in the ResourceServerConfigurerAdapter override

import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ResourceAccessConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // this will allow any resource endpoint access when the HTTP request Authorization header is not available
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().anonymous();
        // this also works:
        // http.authorizeRequests().antMatchers("/**").permitAll();
    }
}

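Spring Boot application initializer

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer // keep this
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}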

2. Remove the Authorization header (remove the OAuth 2.0 access token from the HTTP request)


B. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and setting the parameter in application.yml as below. When @EnableResourceServer is removed, the Spring Security config will fall back to the default, which is org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

1. application.yml, security.ignored property

security:
  ignored: /**

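2. Spring Boot application initializer

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;

@SpringBootApplication
//@EnableResourceServer << remove this
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}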

3. Remove the Authorization header, same as above

C. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and adding a config class that extends WebSecurityConfigurerAdapter

1.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
    }
}

2. //@EnableResourceServer commented out, same as above

3. Remove the Authorization header, same as above

Upvotes: 1
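
An added example, not part of the answers on this page or of any project's code: one way to keep the permit-all resource-server configuration from approach A confined to a local profile, so the same build still enforces OAuth2 everywhere else. It would replace the ResourceAccessConfiguration class shown above; the profile name `dev` and the nested class names are assumptions.

```java
import javax.annotation.PostConstruct;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceAccessConfiguration {

    // Registered only when the assumed "dev" profile is active,
    // e.g. started with --spring.profiles.active=dev
    @Configuration
    @Profile("dev")
    static class OpenForLocalTesting extends ResourceServerConfigurerAdapter {
        private static final Logger log = LoggerFactory.getLogger(OpenForLocalTesting.class);

        // Make the relaxed mode visible in the startup log so it is noticed
        // if the profile is ever switched on outside a developer machine.
        @PostConstruct
        void warn() {
            log.warn("OAuth2 checks are DISABLED for all endpoints (profile 'dev' is active)");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll();
        }
    }

    // Registered whenever "dev" is NOT active: every request needs a valid token.
    @Configuration
    @Profile("!dev")
    static class Enforced extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated();
        }
    }
}
```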

Gawain

Reputation: 1092

If you don't want to remove the entire Spring Security, you can add an ignore configuration for all your URLs in your Spring Configuration bean:

// Goes inside a @Configuration class that extends WebSecurityConfigurerAdapter
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
            "/**");
}

Upvotes: 1
