I added one custom Security Config in my application on Spring Boot, but the message about "Using default security password" is still there in LOG file.
Is there any to remove it? I do not need this default password. It seems Spring Boot is not recognizing my security policy.
@Configuration
@EnableWebSecurity
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
private final String uri = "/custom/*";
@Override
public void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().httpStrictTransportSecurity().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Authorize sub-folders permissions
http.antMatcher(uri).authorizeRequests().anyRequest().permitAll();
}
}
This question is related to
java
spring
spring-boot
spring-security
When spring boot is used we should exclude the SecurityAutoConfiguration.class both in application class and where exactly you are configuring the security like below.
Then only we can avoid the default security password.
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
@EnableJpaRepositories
@EnableResourceServer
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class
})
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests().anyRequest().authenticated();
httpSecurity.headers().cacheControl();
}
}
In a Spring Boot 2 application you can either exclude the service configuration from autoconfiguration:
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
or if you just want to hide the message in the logs you can simply change the log level:
logging.level.org.springframework.boot.autoconfigure.security=WARN
Further information can be found here: https://docs.spring.io/spring-boot/docs/2.0.x/reference/html/boot-features-security.html
If you are declaring your configs in a separate package, make sure you add component scan like this :
@SpringBootApplication
@ComponentScan("com.mycompany.MY_OTHER_PACKAGE.account.config")
public class MyApplication {
public static void main(String[] args) {
SpringApplication.run(MyApplication.class, args);
}
}
You may also need to add @component annotation in the config class like so :
@Component
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.....
You only need to exclude UserDetailsServiceAutoConfiguration.
spring:
autoconfigure:
exclude: org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
Check documentation for org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration there are conditions when autoconfig will be halt.
In my case I forgot to define my custom AuthenticationProvider as bean.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(getAuthenticationProvider());
}
@Bean
AuthenticationProvider getAuthenticationProvider() {
return new CustomAuthenticationProvider(adminService, onlyCorporateEmail);
}
}
Adding following in application.properties
worked for me,
security.basic.enabled=false
Remember to restart the application and check in the console.
Look up: http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html
From AuthenticationManagerConfiguration.java looking at code, I see below. Also the in-memory configuration is a fallback if no authentication manager is provided as per Javadoc. Your earlier attempt of Injecting the Authentication Manager would work because you will no longer be using the In-memory authentication and this class will be out of picture.
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
if (auth.isConfigured()) {
return;
}
User user = this.securityProperties.getUser();
if (user.isDefaultPassword()) {
logger.info("\n\nUsing default security password: " + user.getPassword()
+ "\n");
}
Set<String> roles = new LinkedHashSet<String>(user.getRole());
withUser(user.getName()).password(user.getPassword()).roles(
roles.toArray(new String[roles.size()]));
setField(auth, "defaultUserDetailsService", getUserDetailsService());
super.configure(auth);
}
If you use inmemory authentication which is default, customize your logger configuration for org.springframework.boot.autoconfigure.security.AuthenticationManagerConfiguration and remove this message.
On spring boot 2 with webflux you need to define a ReactiveAuthenticationManager
I came across the same problem and adding this line to my application.properties solved the issue.
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
It's one of the Spring's Automatic stuffs which you exclude it like excluding other stuffs such as actuators. I recommend looking at this link
Just use the rows below:
spring.security.user.name=XXX
spring.security.user.password=XXX
to set the default security user name and password
at your application.properties
(name might differ) within the context of the Spring Application.
To avoid default configuration (as a part of autoconfiguration of the SpringBoot) at all - use the approach mentioned in Answers earlier:
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
or
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class })
It didn't work for me when I excluded SecurityAutoConfiguration using @SpringBootApplication annotation, but did work when I excluded it in @EnableAutoConfiguration:
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class })
Although it works, the current solution is a little overkill as noted in some comments. So here is an alternative that works for me, using the latest Spring Boot (1.4.3).
The default security password is configured inside Spring Boot's AuthenticationManagerConfiguration class. This class has a conditional annotation to prevent from loading if a AuthenticationManager Bean is already defined.
The folllowing code works to prevent execution of the code inside AuthenticationManagerConfiguration because we define our current AuthenticationManager as a bean.
@Configuration
@EnableWebSecurity
public class MyCustomSecurityConfig extends WebSecurityConfigurerAdapter{
[...]
@Override
protected void configure(AuthenticationManagerBuilder authManager) throws Exception {
// This is the code you usually have to configure your authentication manager.
// This configuration will be used by authenticationManagerBean() below.
}
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
// ALTHOUGH THIS SEEMS LIKE USELESS CODE,
// IT'S REQUIRED TO PREVENT SPRING BOOT AUTO-CONFIGURATION
return super.authenticationManagerBean();
}
}
If you have enabled actuator feature (spring-boot-starter-actuator), additional exclude should be added in application.yml:
spring:
autoconfigure:
exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
Tested in Spring Boot version 2.3.4.RELEASE.
Using Spring Boot 2.0.4 I came across the same issue.
Excluding SecurityAutoConfiguration.class
did destroy my application.
Now I'm using @SpringBootApplication(exclude= {UserDetailsServiceAutoConfiguration.class})
Works fine with @EnableResourceServer
and JWT :)
It is also possible to just turn off logging for that specific class in properties :
logging.level.org.springframework.boot.autoconfigure.security.AuthenticationManagerConfiguration=WARN
If you are using Spring Boot version >= 2.0 try setting this bean in your configuration:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange().anyExchange().permitAll();
return http.build();
}
Reference: https://stackoverflow.com/a/47292134/1195507
To remove default user you need to configure authentication menager with no users for example:
@configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication();
}
}
this will remove default password message and default user because in that case you are configuring InMemoryAuthentication and you will not specify any user in next steps
For Reactive Stack (Spring Webflux, Netty) you either need to exclude ReactiveUserDetailsServiceAutoConfiguration.class
@SpringBootApplication(exclude = {ReactiveUserDetailsServiceAutoConfiguration.class})
Or define ReactiveAuthenticationManager bean (there are different implementations, here is the JWT one example)
@Bean
public ReactiveJwtDecoder jwtDecoder() {
return new NimbusReactiveJwtDecoder(keySourceUrl);
}
@Bean
public ReactiveAuthenticationManager authenticationManager() {
return new JwtReactiveAuthenticationManager(jwtDecoder());
}
Source: Stackoverflow.com