Learn to partially or fully disable Spring Security in a Spring Boot application based on the selected runtime profile. We can use this example to override the security configuration in different runtime profiles.
1. Disable Spring Security for a Profile
To fully disable Spring Security for a runtime profile, we can create the following configuration in our application. This configuration ignores the security configuration for all URLs in the psdev environment.
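import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Component;

@Profile("psdev")
@Configuration
@Component("disableSecurityConfigurationBean")
@Order(value = Ordered.HIGHEST_PRECEDENCE)
public class DisableSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Option 1: skip the Spring Security filter chain for every URL.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/**");
    }

    //OR - Use any one of these two methods

    // Option 2: keep the filter chain (CSRF, headers) but permit every request.
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
            .antMatchers("/**")
            .permitAll();
    }
}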
Notice the @Order(value = Ordered.HIGHEST_PRECEDENCE) annotation. We have given this configuration the highest priority in the psdev environment, so if there are other security-related configuration entries applicable to all environments, we can override the WebSecurity configuration in the psdev environment.
The @Order annotation is useful if we have multiple WebSecurityConfigurerAdapter implementations in our application. We first decide the ordering of configurations based on requirements and assign the corresponding precedence in the @Order annotations.
We can run the application using the following command to apply a runtime profile:
mvn spring-boot:run -Dspring-boot.run.profiles=psdev
2. Disable Spring Security using Properties Configuration
It is also possible to enable, disable or customize the Spring Security configuration based on a property entry. The property value can be set differently in different runtime profiles, so each profile can have finer control over the applicable security configuration.
In the given example, we have a property application.security.disabled that can have a boolean value. Based on its value, we can apply different configurations or even disable the configuration.
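import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CustomSecurityConfiguration
        extends WebSecurityConfigurerAdapter {

    // Defaults to false, so security stays enabled unless the property is set explicitly.
    @Value("${application.security.disabled:false}")
    private boolean securityDisabled;

    @Override
    public void configure(WebSecurity web) throws Exception {
        if (securityDisabled) {
            //config one
        } else {
            //config two
        }
    }
}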
We can either configure this property key/value in a profile-specific properties file or we can pass it through server startup parameters.
mvn spring-boot:run -Dspring-boot.run.arguments=--application.security.disabled=true
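Both switches above turn off authentication for the whole application, so it is worth aborting startup if either one is active outside the intended environment. The guard below is an added example, not code from the original tutorial; the class name SecurityDisabledGuard and the allowlist containing only psdev are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example (hypothetical class): aborts startup when security is switched
// off in any environment that is not explicitly allowlisted.
@Component
public class SecurityDisabledGuard implements InitializingBean {

    // Assumption: psdev is the only profile allowed to run without security.
    private static final Set<String> ALLOWED_PROFILES =
            new HashSet<>(Arrays.asList("psdev"));

    private final Environment environment;

    public SecurityDisabledGuard(Environment environment) {
        this.environment = environment;
    }

    @Override
    public void afterPropertiesSet() {
        List<String> active = Arrays.asList(environment.getActiveProfiles());

        // Path 1: the property from section 2 (command line, env var, properties file).
        boolean offByProperty = environment.getProperty(
                "application.security.disabled", Boolean.class, false);
        // Path 2: the profile from section 1 activates DisableSecurityConfiguration.
        boolean offByProfile = active.contains("psdev");

        if (!offByProperty && !offByProfile) {
            return; // security is on, nothing to check
        }

        // Every active profile must be allowlisted, so "psdev,prod" is rejected,
        // and so is the property being set with no profile active at all.
        boolean allowed = !active.isEmpty() && ALLOWED_PROFILES.containsAll(active);
        if (!allowed) {
            throw new IllegalStateException(
                    "Spring Security is disabled but active profiles " + active
                    + " are not all in " + ALLOWED_PROFILES + "; refusing to start");
        }
    }
}
```

The exception thrown from afterPropertiesSet() fails bean creation, so the application context never finishes starting and no unauthenticated endpoint is served.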
3. Conclusion
In this tutorial, we learned to enable or disable Spring Security for a Spring Boot application. We learned to enable or disable the configuration using either the @Profile annotation or passing a property as a startup argument.
Happy Learning !!