Reputation: 1439
I found a massive amount of blog posts and questions on Stack Overflow on how to disable security in Spring Boot - but none of it seems to work with Spring Boot 2.2.4.
I'm asking because I want to configuratively disable security for my dev and test profile so that we can deploy without generating JWT tokens all the time.
The most promising approach from my perspective is to exclude the SecurityAutoConfiguration class via the properties file but as said the exclusion has no effect.
    spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
The other properties such as management.security.enabled seem to be deprecated.
Upvotes: 3
Views: 12278
Reputation: 1439
I found a working solution in the Spring Boot GitHub issues.
Disable security for the entire application:
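    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
    import org.springframework.context.annotation.Import;
    // Security auto-configuration is excluded here and re-imported conditionally below
    @SpringBootApplication(exclude = {SecurityAutoConfiguration.class})
    @Import(MySecurityConfiguration.class)
    public class MyApplication {
    }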
... and enable via parameter in the security configuration:
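    import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
    import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    @Configuration
    @ConditionalOnProperty("my.security.enabled") // active only when the property is set and not "false"
    @Import(SecurityAutoConfiguration.class)
    public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
    }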
Source: https://github.com/spring-projects/spring-boot/issues/12323#issuecomment-370519882
Upvotes: 6
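An added example, not part of the answer above or of Spring Boot: a start-up guard that refuses to boot when the `my.security.enabled` switch from that answer is off while neither relaxed profile is active. The class name `SecurityDisabledGuard` is hypothetical, and the profile names `dev` and `test` are assumed from the question's wording.

```java
import org.springframework.core.env.Environment;
import org.springframework.core.env.Profiles;
import org.springframework.stereotype.Component;

/**
 * Added example (hypothetical class, not from the answers or from Spring Boot).
 * Fails start-up when security is switched off outside the dev/test profiles,
 * so a missing or mistyped property cannot silently ship an open application.
 */
@Component
public class SecurityDisabledGuard {

    // Property name taken from the answer above.
    static final String SWITCH = "my.security.enabled";
    // Assumed profile names; adjust to the profiles the project really uses.
    static final String[] RELAXED_PROFILES = {"dev", "test"};

    public SecurityDisabledGuard(Environment env) {
        boolean enabled = isEnabled(env.getProperty(SWITCH));
        boolean relaxed = env.acceptsProfiles(Profiles.of(RELAXED_PROFILES));
        if (!enabled && !relaxed) {
            // With no active profile, only "default" is in effect, so this fails closed.
            throw new IllegalStateException(
                SWITCH + " is unset or false, but none of the profiles "
                + String.join(", ", RELAXED_PROFILES) + " is active");
        }
    }

    // Mirrors @ConditionalOnProperty without havingValue:
    // the condition matches when the property is present and not "false".
    static boolean isEnabled(String value) {
        return value != null && !"false".equalsIgnoreCase(value);
    }
}
```

The guard only covers the property-based switch; it does not detect a profile-specific `web.ignoring()` configuration.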
Reputation: 375
You could create a WebSecurityConfigurerAdapter Bean for your profile containing the following overridden method implementation, to exclude all endpoints from Spring Security:
    @Override
    public void configure(WebSecurity web) {
        // Skip the Spring Security filter chain for every request path
        web.ignoring().antMatchers("/**");
    }
Upvotes: 2