Spring boot Security Disable security

When I use security.basic.enabled=false to disable security on a Spring Boot project that has the following dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>com.oracle</groupId>
        <artifactId>ojdbc6</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

I see the following Exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration$ManagementWebSecurityConfigurerAdapter': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.setObjectPostProcessor(org.springframework.security.config.annotation.ObjectPostProcessor); nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.config.annotation.ObjectPostProcessor] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}

In order to fix this exception I had to add the property - management.security.enabled=false . My understanding is that when the actuator is in the classpath, both security.basic.enabled=false and management.security.enabled=false should be set to disable the security.

Could someone please let me know if my understanding is wrong?

spring-security spring-boot

shareimprove this question

edited Apr 25 '16 at 17:46 approxiblue 4,591122845

asked May 27 '14 at 16:03 user3600073 1631211

1

Why do you need security on your classpath if you just want to disable everything? Anyway, your stack trace is incomplete so there is no way to know what was preventing the app from starting. I would expect it would start, but the actuator endpoints should stay secure until you explicitly open them up. – Dave Syer May 27 '14 at 17:41

@DaveSyer I would like to disable security temporarily and also my application code refers security jars to work. – Stackee007 Feb 19 '15 at 21:36

You still haven't posted enough information to see why the app isn't starting. A full stack trace would be a start. – Dave Syer Feb 20 '15 at 8:41

1

@DaveSyer One reason would be a microservice managing spring-sec-oauth2 ClientDetails. You'll have a transitive import of spring-security but maybe don't want basic auth in your service. – Dirk LachowskiOct 23 '15 at 15:52

add a comment

4 Answers

activeoldestvotes

up vote33down vote

In case you have spring-boot-actuator in your package, you should add the following

@EnableAutoConfiguration(exclude = {
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class})

With older Spring-boot, the class was called ManagementSecurityAutoConfiguration.

shareimprove this answer

edited Mar 3 at 20:59 Captain Man 2,15711439

answered Dec 9 '14 at 22:07 Varesh 468613

3

In Spring boot 1.3 the name seems to have changed to ManagementWebSecurityAutoConfiguration. – James Nov 25 '15 at 15:12

Thanks @James for pointing out, I have mentioned this in the answer now. – Varesh Dec 17 '15 at 9:25

add a comment

 

up vote19down vote

What also seems to work fine is creating a file application-dev.properties that contains:

security.basic.enabled=false
management.security.enabled=false

If you then start your Spring Boot app with the dev profile, you don't need to log on.

shareimprove this answer

answered Dec 8 '15 at 7:48 Wim Deblauwe 6,59743988

add a comment

up vote18down vote

If you need security as a dependency but don't want Spring Boot to configure it for you, you can use this exclusion:

    @EnableAutoConfiguration(exclude = { 
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class 
    })

shareimprove this answer

edited Jul 31 '15 at 17:28

answered Aug 5 '14 at 12:33 gyoder 1,18211223

Work perfectly for me. FYI - My app depends on security jars but I would like to temporarily disable security – Stackee007 Feb 19 '15 at 21:42

add a comment

up vote3down vote

In order to avoid security you can use annotations. Use this annotation on top of configure class: @EnableWebSecurity For example: @EnableWebSecurity @Configuration public class AuthFilter{ // configured method }