 

disabling spring security in spring boot app [duplicate]

I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).

I added this to application.properties:

security.basic.enable: false
management.security.enabled: false

Here is some part of my

But basic security is still active: a default security password is generated at startup and I still get the HTTP authentication prompt.

My pom.xml :

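<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>fr.test.sample</groupId>
    <artifactId>navigo</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.3.1.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.7</java.version>
        <jsoup.version>1.8.3</jsoup.version>
        <guava.version>18.0</guava.version>
        <postgresql.version>9.3-1103-jdbc41</postgresql.version>
    </properties>

    <!-- Add typical dependencies for a web application -->
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- NOTE(review): the actuator starter is on the classpath while
             management.security.enabled is set to false in application.properties;
             confirm which management endpoints end up reachable without a login. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>${jsoup.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <!-- This starter is what brings Spring Security (and its auto-configuration)
             into the application. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
        </dependency>
    </dependencies>

    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <!-- Add Spring repositories -->
    <!-- (you don't need this if you are using a .RELEASE version) -->
    <!-- Repository URLs use https so that resolved artifacts and build plugins are
         fetched over an authenticated, integrity-protected channel. The xmlns and
         schemaLocation values at the top are identifiers, not download locations,
         and stay as they are. -->
    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <url>https://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>https://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-snapshots</id>
            <url>https://repo.spring.io/snapshot</url>
        </pluginRepository>
        <pluginRepository>
            <id>spring-milestones</id>
            <url>https://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>

</project>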

The security is configured in WebSecurityConfig.java (I have commented out the annotations to disable it):

// NOTE(review): all four annotations below are commented out in this listing, so the
// class itself declares nothing that registers it with Spring; whether it is still
// picked up some other way cannot be told from this file alone.
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
/**
 * Web security set-up for the application: the HTTP rules (currently all commented
 * out), a JDBC-backed token repository, and the authentication sources together
 * with a seeded account.
 */
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Injected collaborators; UserService is a project type not shown here.
    @Autowired
    UserDetailsService userDetailsService;

    @Autowired
    UserService userService;

    @Autowired
    private DataSource datasource;

    /**
     * HTTP security rules. Every rule is commented out, so this override configures
     * nothing on {@code http}.
     *
     * NOTE(review): the body does not call {@code super.configure(http)} either, so
     * the adapter's own default rules are presumably not applied - confirm which
     * requests are left unauthenticated when this class is active.
     *
     * @param http the HttpSecurity builder handed in by the adapter
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disabled rule set, kept as written: authenticated access for any request,
        // ADMIN role for /admin/**, form login and logout pages, remember-me backed
        // by persistentTokenRepository() with an 86400 second validity, and csrf().
        // http.authorizeRequests().antMatchers("/bus/topologie", "/home")
        // http.authorizeRequests().anyRequest().authenticated()
        // .antMatchers("/admin/**").access("hasRole('ADMIN')").and()
        // .formLogin().failureUrl("/login?error")
        // .defaultSuccessUrl("/bus/topologie").loginPage("/login")
        // .permitAll().and().logout()
        // .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        // .logoutSuccessUrl("/login").permitAll().and().rememberMe()
        // .rememberMeParameter("remember-me")
        // .tokenRepository(persistentTokenRepository())
        // .tokenValiditySeconds(86400).and().csrf();
    }

    /**
     * Exposes a JdbcTokenRepositoryImpl bound to the injected DataSource; the
     * commented-out remember-me rule above is its only visible consumer.
     *
     * @return the token repository bean
     */
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(datasource);
        return tokenRepositoryImpl;
    }

    /**
     * Registers the authentication sources and creates the account "user" when
     * the user service reports that it does not exist yet.
     *
     * @param auth the AuthenticationManagerBuilder handed in by the adapter
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {

        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // First registration: the injected UserDetailsService, checked with BCrypt.
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        // Second registration: JDBC authentication on the same DataSource.
        // NOTE(review): no passwordEncoder(...) is chained on this call, so this path
        // does not visibly use the BCrypt encoder above - confirm how it compares
        // stored passwords.
        auth.jdbcAuthentication().dataSource(datasource);

        // NOTE(review): the login name and the password below are literals in source
        // and the account receives the ADMIN authority, so every store without a
        // "user" entry ends up with an administrator login whose password is known
        // to anyone who can read this code. Supply the initial secret from outside
        // the code base, or drop the seeding, before this runs anywhere reachable.
        if (!userService.userExists("user")) {
            // Third constructor argument is presumably the "enabled" flag - TODO confirm.
            User userAdmin = new User("user", encoder.encode("password"), true);
            Set<Authorities> authorities = new HashSet<Authorities>();
            authorities.add(new Authorities(userAdmin,"ADMIN"));
            authorities.add(new Authorities(userAdmin,"CRIP"));
            authorities.add(new Authorities(userAdmin,"USER"));
            userAdmin.setAuthorities(authorities);

            userService.createUser(userAdmin);
        }
    }

}
jayjaypg22 Avatar asked Mar 29 '16 09:03

jayjaypg22


People also ask

How do I disable Spring boot security configuration?

In Spring Boot 2, if we want our own security configuration, we can simply add a custom WebSecurityConfigurerAdapter. This will disable the default auto-configuration and enable our custom security configuration.


1 Answers

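Use the security.ignored property, which takes the listed paths out of Spring Security's filter chain altogether (with /** that is every request, so no endpoint is authenticated while it is set):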

security.ignored=/** 

security.basic.enable: false only disables part of the security auto-configuration; your WebSecurityConfig will still be registered. (The Spring Boot 1.x property is spelled security.basic.enabled.)

There is a default security password generated at startup

Try autowiring the AuthenticationManagerBuilder:

// Same override as in the question's WebSecurityConfig, now also annotated with
// @Autowired; the body is elided in the answer.
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }
Ali Dehghani Avatar answered Sep 22 '22 08:09

Ali Dehghani