Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Boot 2.0.x disable security for certain profile

In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=false line to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?

I've already read Spring-Boot-Security-2.0 and security-changes-in-spring-boot-2-0-m4 and there is nothing regarding this property.

like image 291
leonz Avatar asked Mar 13 '18 14:03

leonz


2 Answers

Spring Boot 2.1.3

For a certain profile "dev"

Create a new Spring Configuration class

@Configuration
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
@Profile("dev")
public class WebSecurityConfigDisable  {

}

This will disable the spring security.

like image 173
Madhu Tomy Avatar answered Sep 24 '22 19:09

Madhu Tomy


Here is how I ended up solving the problem. Here is an example of how my security config looked in Spring Boot 1.5.x. Security was disabled with property security.basic.enabled=false:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/upload/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .anyRequest().authenticated()
                .and().httpBasic();
    }
}

Since security.basic.enabled was removed in Spring Boot 2 (but still reserved as property name), I ended up using security.enabled as a custom property. Here's an example of how my config looks in Spring Boot 2:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${security.enabled:true}")
    private boolean securityEnabled;

    @Override
    public void configure(WebSecurity web) throws Exception {
        if (securityEnabled)
            web.ignoring().antMatchers("/upload/**");
        else
            web.ignoring().antMatchers("/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (securityEnabled)
            http.csrf().disable().authorizeRequests()
                    .anyRequest().authenticated()
                    .and().httpBasic();
    }
}
like image 27
leonz Avatar answered Sep 22 '22 19:09

leonz