Spring Boot 2.0.x disable security for certain profile

java spring-boot spring-security

In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=false line to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?

I've already read Spring-Boot-Security-2.0 and security-changes-in-spring-boot-2-0-m4 and there is nothing regarding this property.


Solution 1:

You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:

28.1 MVC Security

The default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration. SecurityAutoConfiguration imports SpringBootWebSecurityConfiguration for web security and UserDetailsServiceAutoConfiguration configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of type WebSecurityConfigurerAdapter (doing so does not disable the UserDetailsService configuration or Actuator’s security).

For example:

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
               .antMatchers("/**");
    }
}

To use the configuration only for a profile add @Profile to the class. If you want to enable it by property, add ConditionalOnProperty to the class.

Solution 2:

Here is how I ended up solving the problem. Here is an example of how my security config looked in Spring Boot 1.5.x. Security was disabled with property security.basic.enabled=false:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/upload/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

Since security.basic.enabled was removed in Spring Boot 2 (but still reserved as property name), I ended up using security.enabled as a custom property. Here's an example of how my config looks in Spring Boot 2:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${security.enabled:true}")
    private boolean securityEnabled;

    @Override
    public void configure(WebSecurity web) throws Exception {
        if (securityEnabled)
            web.ignoring().antMatchers("/upload/**");
        else
            web.ignoring().antMatchers("/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (securityEnabled)
            http.csrf().disable().authorizeRequests()
                    .anyRequest().authenticated()
                    .and().httpBasic();
    }
}

Solution 3:

There is another option to disable security in spring boot 2

@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})

Add this over the main class

Related

Access Network Folder using Different User Credential
can localhost be spoofed?
Tracking progress with xargs
Entity Framework 4 Delete Object from entity collection
SSH home directory per subdomain
Disallowing HTTP methods on Tomcat is case sensitive?
How to convert a Unicode character to its ASCII equivalent
GPG error; The following signatures were invalid KEYEXPIRED [duplicate]
Installing openjdk 11 on alpine:3.9
Why is fseek or fflush always required between reading and writing in the update modes?
How to downsample images correctly?
Connect By Prior Equivalent for MySQL