I would like to disable one of the Spring Security filters in the security chain.
I have already seen the "Prevent Spring Boot from registering a servlet filter" question, and the accepted answer should work but, unfortunately, it does not.
With code:
    @Bean
    public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }
Spring Boot will promptly announce there is no qualifying bean, which is sad:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
After creating another bean:
    @SuppressWarnings("deprecation") // Oh, there be dragons
    @Bean
    public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
        return new AnonymousAuthenticationFilter();
    }
I am attacked with
Caused by: java.lang.IllegalArgumentException: [Assertion failed] - this String argument must have length; it must not be null or empty
Which is entirely understandable; the Asserts in the afterPropertiesSet() method (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java) are preventing me from using the default constructor. Using another approach:
    @Bean
    public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
        // it will be disabled anyway so...
        return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
    }
Everything is way nicer:
INFO 4916 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Filter anonymousAuthenticationFilter was not registered (disabled)
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Initializing filter 'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Filter 'springSecurityFilterChain' configured successfully
But after accessing some resource I got:
DEBUG 4916 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 6B9D974A4634548750FE78C18F62A6B0; Granted Authorities: ROLE_ANONYMOUS'
For some reason AnonymousAuthenticationFilter is still working. The question: Is there a way to disable such filters in Spring Boot application?
enabled=false and management.security.enabled=false should be set to disable the security.
In Spring Boot 2, if we want our own security configuration, we can simply add a custom WebSecurityConfigurerAdapter. This will disable the default auto-configuration and enable our custom security configuration.
Run the app using: ./gradlew bootRun. Navigate to the home endpoint, which is open: http://localhost:8080. And the restricted endpoint, which requires authentication: http://localhost:8080/restricted. When Spring's login form appears, don't forget you can use the default credentials.
Spring Security bundles all of the Filters within the HttpSecurity configuration. To disable anonymous authentication use the following:
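    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Removes AnonymousAuthenticationFilter from the security filter chain
                .anonymous().disable();
            // ... (remaining HttpSecurity configuration)
        }
        // ...
    }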
If you want to disable all of the defaults within Spring Security you can pass true into the parent class constructor to disable defaults. For example:
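    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        public SecurityConfig() {
            // true = disable Spring Security's default configuration
            super(true);
        }
        // ...
    }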
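The FilterRegistrationBean in the question only controls registration with the servlet container, while FilterChainProxy keeps its own filter list per chain, which is why the log still showed AnonymousAuthenticationFilter at "position 10 of 13". The following is an added example, not code from the question or the answers, that checks which chains of a FilterChainProxy still contain a given filter type. The class name FilterChainAudit, the method chainsContaining, and the sample chains are hypothetical, and it assumes the javax.servlet-based Spring Security 5.x API that goes with WebSecurityConfigurerAdapter.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;

import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

// Hypothetical helper class, added for illustration.
public class FilterChainAudit {

    /** Describes every chain in the proxy that still contains a filter of the given type. */
    static List<String> chainsContaining(FilterChainProxy proxy, Class<? extends Filter> type) {
        List<String> hits = new ArrayList<>();
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            List<Filter> filters = chains.get(i).getFilters();
            for (int pos = 0; pos < filters.size(); pos++) {
                if (type.isInstance(filters.get(pos))) {
                    hits.add("chain " + i + ", position " + (pos + 1) + " of " + filters.size());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: two chains built by hand instead of by HttpSecurity.
        // The first mimics the default (anonymous enabled), the second mimics
        // a chain configured with .anonymous().disable().
        SecurityFilterChain withAnonymous = new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/user/**"),
                new SecurityContextPersistenceFilter(),
                new AnonymousAuthenticationFilter("constructed-key"));
        SecurityFilterChain withoutAnonymous = new DefaultSecurityFilterChain(
                AnyRequestMatcher.INSTANCE,
                new SecurityContextPersistenceFilter());
        FilterChainProxy proxy = new FilterChainProxy(Arrays.asList(withAnonymous, withoutAnonymous));

        // Only the first chain is reported; an empty list means the filter is gone everywhere.
        System.out.println(chainsContaining(proxy, AnonymousAuthenticationFilter.class));
    }
}
```

In an application, the proxy to inspect would be the 'springSecurityFilterChain' filter named in the startup log, assuming it is exposed as a FilterChainProxy.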