Spring Boot 2.0 disable default security

闹比i 2020-12-02 11:28

I want to use Spring Security for JWT authentication. But it comes with default authentication. I am trying to disable it, but the old approach of doing this - disabling it

11 answers
  • 2020-12-02 11:53

    If you're extending WebSecurityConfigurerAdapter, you can pass in true to the super constructor to disable the defaults.
    You may need to provide other beans if you do this.

        /**
         * Creates an instance which allows specifying if the default configuration should be
         * enabled. Disabling the default configuration should be considered more advanced
         * usage as it requires more understanding of how the framework is implemented.
         *
         * @param disableDefaults true if the default configuration should be disabled, else
         * false
         */
        protected WebSecurityConfigurerAdapter(boolean disableDefaults) {
            this.disableDefaults = disableDefaults;
        }
    

    If you want to disable it just for testing purposes: rather than completely disabling the auto-configuration, I create an "InsecurityConfiguration" in addition to "SecurityConfiguration", and activate it with either a Spring Profile or a property value.

    Technically security is still configured, but wide open.

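    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Only active when the property security.disabled=true is set.
    @Configuration
    @ConditionalOnProperty(prefix = "security", value = "disabled", havingValue = "true")
    public class InsecurityConfiguration extends WebSecurityConfigurerAdapter {

        private static final Logger log = LoggerFactory.getLogger(InsecurityConfiguration.class);

        // Every request is permitted without authentication.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            log.warn("configuring insecure HttpSecurity");
            http.authorizeRequests().anyRequest().permitAll();
        }

        // Every path bypasses the security filter chain entirely.
        @Override
        public void configure(WebSecurity web) throws Exception {
            log.warn("configuring insecure WebSecurity");
            web.ignoring().antMatchers("/**");
        }

    }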
    

    Note: This is for MVC, not WebFlux. For WebFlux you should create a SecurityWebFilterChain like Bryan mentioned.

    This is how I generally disable basic auth in WebFlux when using JWT:

        @Bean
        public SecurityWebFilterChain configure(ServerHttpSecurity http) {
            // problemSupport is a field of the enclosing class (not shown in this answer).
            http
                .authorizeExchange().anyExchange().authenticated().and()
                .httpBasic().disable()
                .formLogin().disable()
                .logout().disable()
                .oauth2ResourceServer()
                    .jwt()
                    .and()
                .and()
                .exceptionHandling().accessDeniedHandler(problemSupport);
            return http.build();
        }
    
  • 2020-12-02 11:53

    In Spring Boot 2, there is no way to disable basic authentication through the application.properties file. The only thing to do is use the annotation

    @EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})

    in the main class. It works.

  • 2020-12-02 11:57

    According to the reference documentation, the Security configuration for allowing all requests with WebFlux should look like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    
    @Configuration
    public class SecurityConfig {
    
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http.authorizeExchange().anyExchange().permitAll();
            return http.build();
        }
    }
    
  • 2020-12-02 11:59

    If anyone is struggling with this in a WebFlux based application, or a Spring Cloud Gateway application, the below worked for me:

    @EnableWebFluxSecurity
    public class InsecurityConfiguration {
        // @formatter:off
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
             http
                  .authorizeExchange()
                       .anyExchange().permitAll();
             return http.build();
        }
    }
    
  • 2020-12-02 12:02

    This worked for me:

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().authorizeRequests().anyRequest().permitAll();
        }
    }
    
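For the servlet (MVC) stack, the JWT-only setup the question asks about can be written as the counterpart of the WebFlux snippet in the first answer: the default login mechanisms are switched off, but every request still needs a valid bearer token. This is an added example, not code from any of the answers; it assumes Spring Security 5.1+ with the OAuth2 resource server starter on the classpath and a decoder configured through `spring.security.oauth2.resourceserver.jwt.issuer-uri`, and the class name and the `/actuator/health` exemption are hypothetical.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class name. Active unless security.disabled=true, so it is the
// default and never coexists with the InsecurityConfiguration shown above.
@Configuration
@ConditionalOnProperty(prefix = "security", value = "disabled",
        havingValue = "false", matchIfMissing = true)
public class JwtSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Turn off the login mechanisms Spring Boot enables by default.
            .httpBasic().disable()
            .formLogin().disable()
            .logout().disable()
            // Stateless bearer-token API: no session cookie is issued,
            // so CSRF protection is switched off as well.
            .csrf().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // Assumed public endpoint; everything else needs a valid token.
                .antMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated()
                .and()
            // Validate "Authorization: Bearer <jwt>" using the JwtDecoder that
            // Spring Boot builds from spring.security.oauth2.resourceserver.jwt.*
            .oauth2ResourceServer()
                .jwt();
    }
}
```

Because the condition uses `matchIfMissing = true`, leaving the `security.disabled` property unset in a deployment selects this authenticated configuration rather than the wide-open one.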