ddd ddd - 1 month ago 31
reST (reStructuredText) Question

How to turn off Spring Security in Spring Boot Application

I have implemented authentication in my Spring Boot Application with Spring Security.

The main class controlling authentication should be websecurityconfig:

@Configuration
@EnableWebSecurity
@PropertySource(value = { "classpath:/config/application.properties" })
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


@Autowired
private RestAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(
SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/ristore/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(new SimpleUrlAuthenticationFailureHandler());
}


Since I am doing OAuth, I have
AuthServerConfig
and
ResourceServerConfig
as well. My main application class looks like this:

@SpringBootApplication
@EnableSpringDataWebSupport
@EntityScan({"org.mdacc.ristore.fm.models"})
public class RistoreWebApplication extends SpringBootServletInitializer
{
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**").allowedOrigins("*");
}
};
}
public static void main( String[] args )
{
SpringApplication.run(RistoreWebApplication.class, args);
}

protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(RistoreWebApplication.class);
}
}


Since we are doing code consolidation, we need to turn off authentication temporarily. However, I tried the following methods and nothing seems to work. I am still getting 401 when I hit these rest api urls.


  1. Comment out all the annotations in classes related to security including
    @Configuration
    ,
    @EnableWebSecurity
    . In Spring boot Security Disable security, it was suggested at the bottom adding
    @EnableWebSecurity
    will DISABLE auth which I don't think make any sense. Tried it anyway, did not work.

  2. Modify websecurityconfig by removing all the security stuff and only do
    http
    .authorizeRequests()
    .anyRequest().permitAll();



Disable Basic Authentication while using Spring Security Java configuration. Does not help either.


  1. Remove security auto config

    @EnableAutoConfiguration(exclude = {
    org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
    org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})



like what they did in disabling spring security in spring boot app. However I think this feature only works with
spring-boot-actuator
which I don't have. So didn't try this.

What is the correct way disable spring security?

Answer

As @Maciej Walkowiak mentioned, you should do this for your main class:

@SpringBootApplication(exclude = org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class)
public class MainClass {