Spring boot Security Disable security

Question

When I use security basic enabled false to disable security on a Spring Boot project that has the following dependencies        lt dependency gt           lt groupId gt org springframework boot lt  groupId gt           lt artifactId gt spring-boot-starter-web lt  artifactId gt       lt  dependency gt       lt dependency gt           lt groupId gt org springframework boot lt  groupId gt           lt artifactId gt spring-boot-starter-security lt  artifactId gt       lt  dependency gt       lt dependency gt           lt groupId gt org springframework boot lt  groupId gt           lt artifactId gt spring-boot-starter-actuator lt  artifactId gt       lt  dependency gt       lt dependency gt           lt groupId gt com oracle lt  groupId gt           lt artifactId gt ojdbc6 lt  artifactId gt       lt  dependency gt       lt dependency gt           lt groupId gt org springframework boot lt  groupId gt           lt artifactId gt spring-boot-starter-tomcat lt  artifactId gt           lt scope gt provided lt  scope gt       lt  dependency gt       lt dependency gt           lt groupId gt org springframework boot lt  groupId gt           lt artifactId gt spring-boot-starter-test lt  artifactId gt           lt scope gt test lt  scope gt       lt  dependency gt    I see the following Exception   org springframework beans factory BeanCreationException  Error creating bean with name  org springframework boot actuate autoconfigure ManagementSecurityAutoConfiguration ManagementWebSecurityConfigurerAdapter   Injection of autowired dependencies failed  nested exception is org springframework beans factory BeanCreationException  Could not autowire method  public void org springframework security config annotation web configuration WebSecurityConfigurerAdapter setObjectPostProcessor org springframework security config annotation ObjectPostProcessor   nested exception is org springframework beans factory NoSuchBeanDefinitionException  No qualifying bean of type  org springframework security config annotation ObjectPostProcessor  found for dependency  expected at least 1 bean which qualifies as autowire candidate for this dependency  Dependency annotations       In order to fix this exception I had to add the property - management security enabled false   My understanding is that when the actuator is in the classpath  both security basic enabled false and management security enabled false should be set to disable the security    Could someone please let me know if my understanding is wrong

User · Answer

Step 1  Comment annotation  EnableWebSecurity in your security config     EnableWebSecurity   Step 2  Add this to your application properties file   security ignored     spring security enabled false management security enabled false security basic enabled false   For more details look here  http   codelocation com how-to-turn-on-and-off-spring-security-in-spring-boot-application

User · Answer

I added below settings in application yml and worked fine    security      route-patterns-to-be-skipped        -         this can be converted as security route-paterns-to-be-skipped       for application properties

User · Answer

Add the below lines to your main app   Remove org activiti spring boot SecurityAutoConfiguration class if you re not using activiti   Similarly  remove the one for actuator if you re not using spring-boot-actuator     EnableAutoConfiguration exclude     org activiti spring boot SecurityAutoConfiguration class  org springframework boot actuate autoconfigure ManagementWebSecurityAutoConfiguration class  org springframework boot autoconfigure security SecurityAutoConfiguration class

User · Answer

You can configure to toggle spring security in your project by following below 2 steps   STEP 1    Add a  ConditionalOnProperty annotation on top of your SecurityConfig class  Refer below    Configuration  EnableWebSecurity  EnableGlobalMethodSecurity  prePostEnabled   true   ConditionalOnProperty  name    myproject security enabled   havingValue    true   matchIfMissing   true  public class SecurityConfig extends WebSecurityConfigurerAdapter         your security config     STEP 2  Add following config to your application properties or application yml file   application properties  security ignored     myproject security enabled false   OR  application yml  security    ignored       myproject    security      enabled  false

User · Answer

The easiest way for Spring Boot 2 without dependencies or code changes is just   spring    autoconfigure      exclude  org springframework boot autoconfigure security servlet SecurityAutoConfiguration

User · Answer

Permit access to everything using antMatchers            protected void configure HttpSecurity http  throws Exception               System out println  configure                        http csrf   disable                        http authorizeRequests   antMatchers      permitAll

User · Answer

For the spring boot 2 users it has to be   EnableAutoConfiguration exclude         org springframework boot autoconfigure security servlet SecurityAutoConfiguration class

User · Answer

I simply added security ignored    in the application properties and that did the charm

User · Answer

Add following class into your code  import org springframework context annotation Configuration  import org springframework security config annotation web builders HttpSecurity  import org springframework security config annotation web configuration EnableWebSecurity  import org springframework security config annotation web configuration WebSecurityConfigurerAdapter           author vaquar khan      Configuration  EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception            http authorizeRequests   antMatchers        permitAll   anyRequest   authenticated   and   csrf   disable               And insie of application properties add  security ignored     security basic enabled false management security enabled false

User · Answer

In case you have spring-boot-actuator in your package  you should add the following  EnableAutoConfiguration exclude             org springframework boot autoconfigure security SecurityAutoConfiguration class          org springframework boot actuate autoconfigure ManagementWebSecurityAutoConfiguration class    With older Spring-boot  the class was called ManagementSecurityAutoConfiguration  In newer versions this has changed to  SpringBootApplication exclude             org springframework boot autoconfigure security servlet SecurityAutoConfiguration class          org springframework boot actuate autoconfigure security servlet ManagementWebSecurityAutoConfiguration class             UPDATE If for reactive application you are having the same issue  you can exclude the following classes  SpringBootApplication exclude    ReactiveSecurityAutoConfiguration class  ReactiveManagementWebSecurityAutoConfiguration class

User · Answer

For Spring Boot 2 following properties are deprecated in application yml configuration    security basic enabled  false   management security enabled  false   To disable security for Sprint Boot 2 Basic   Actuator Security following properties can be used in application yml file instead of annotation based exclusion   EnableAutoConfiguration exclude    SecurityAutoConfiguration class  ManagementWebSecurityAutoConfiguration class       spring      autoconfigure        exclude 0   org springframework boot autoconfigure security servlet SecurityAutoConfiguration       exclude 1   org springframework boot actuate autoconfigure security servlet ManagementWebSecurityAutoConfiguration   For application properties syntax would be like  spring autoconfigure exclude 0  org springframework boot autoconfigure security servlet SecurityAutoConfiguration

User · Answer

What also seems to work fine is creating a file application-dev properties that contains   security basic enabled false management security enabled false   If you then start your Spring Boot app with the dev profile  you don t need to log on

User · Answer

In order to avoid security you can use annotations  Use this annotation on top of configure class    EnableWebSecurity   For example    EnableWebSecurity  Configuration public class AuthFilter        configured method

User · Answer

The only thing that worked for me        Override     protected void configure HttpSecurity http  throws Exception           http csrf   disable   authorizeRequests   anyRequest   permitAll            and  security ignored       Could be that the properties part is redundant or can be done in code  but had no time to experiment  Anyway is temporary

User · Answer

If you are using  WebMvcTest annotation in your test class   EnableAutoConfiguration exclude     SecurityAutoConfiguration class  ManagementWebSecurityAutoConfiguration class     TestPropertySource properties     spring autoconfigure exclude org springframework boot autoconfigure security servlet SecurityAutoConfiguration      doesn t help you   You can disable security here   WebMvcTest secure   false

User · Answer

If you need security as a dependency but don t want Spring Boot to configure it for you  you can use this exclusion        EnableAutoConfiguration exclude              org springframework boot autoconfigure security SecurityAutoConfiguration class

User · Answer

Answer is to allow all requests in WebSecurityConfigurerAdapter as below   you can do this in existing class or in new class    Override     protected void configure HttpSecurity http  throws Exception           http authorizeRequests   anyRequest   permitAll            Please note   If ther is existing GlobalMethodSecurityConfiguration class  you must disable it

User · Answer

You need to add this entry to application properties to bypass Springboot Default Security  spring autoconfigure exclude org springframework boot autoconfigure security SecurityAutoConfiguration  Then there won t be any authentication box  otrws  credentials are - user and 99b962fa-1848-4201-ae67-580bdeae87e9  password randomly generated   Note  my springBootVersion    1 5 14 RELEASE

User · Answer

As previously multiple solutions mentioned to disable security through commenting of       EnableWebSecurity   annotation and other is through properties in application properties or yml  But those properties are showing as deprecated in latest spring boot version   So  I would like to share another approach to configure default username and password in your application-dev properties or application-dev yml and use them to login into swagger and etc in development environment   spring security user name admin spring security user password admin   So  this approach will also provides you some kind of security as well and you can share this information with your development team  You can also configure user roles as well  but its not required in development level

[spring-security] Spring boot Security Disable security

Examples related to spring-security

Examples related to spring-boot