Spring boot and Spring Actuator - disable security

Question

I am using spring-boot 1.3.1 and spring-boot-actuator in my application. I am using the spring-boot-starter-parent as the parent in pom.xml.

To disable the security, I added 2 entries in my application.yml.

security:
  basic:
    enabled: false
management:
  security:
    enabled: false

It is still not disabling the basic security. I am seeing the default password in log file when I start the application in my local tomcat.

Answer 1

Basic security is disabled but Spring Boot configures the authentication manager with the default user/pass even after setting security.basic.enabled to false. But basic security is disabled. You can reconfigure the authenticationManager in order to override this behavior, like following:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                    .withUser("me").password("secret").roles("ADMIN");
    }
}