Disable Spring Security in Spring Boot

Learn to partially or fully disable Spring Security in a Spring Boot application based on the selected runtime profile. We can use this example to override the security configuration in different runtime profiles.

1. Disable Spring Security for a Profile

To fully disable Spring Security for a runtime profile, we can create the following configuration in our application. This configuration ignores the security configuration for all URLs in the psdev environment.

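import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Component;

@Profile("psdev")
@Configuration
@Component("disableSecurityConfigurationBean")
@Order(value = Ordered.HIGHEST_PRECEDENCE)
public class DisableSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Option 1: requests matching /** bypass the Spring Security filter chain entirely
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/**");
    }

    //OR - Use any one of these two methods

    // Option 2: the filter chain still runs (CSRF, headers), but every URL is permitted
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
            .antMatchers("/**")
            .permitAll();
    }
}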

Notice the @Order(value = Ordered.HIGHEST_PRECEDENCE) annotation. It gives this configuration the highest precedence in the psdev environment, so if other security-related configuration entries apply to all environments, this class overrides the WebSecurity configuration when psdev is active.

The @Order annotation is useful if we have multiple WebSecurityConfigurerAdapter implementations in our application. We first decide the ordering of configurations based on requirements and assign the corresponding precedence in @Order annotations.

We can run the application using the following command to apply a runtime profile:

mvn spring-boot:run -Dspring-boot.run.profiles=psdev

2. Disable Spring Security using Properties Configuration

It is also possible to enable, disable or customize the Spring Security configuration based on a property entry. The property value can be set differently in each runtime profile, so each profile has finer control over the applicable security configuration.

In the given example, we have a property application.security.disabled that can have a boolean value. Based on its value, we can apply different configurations or even disable the configuration.

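import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CustomSecurityConfiguration
    extends WebSecurityConfigurerAdapter {

    // Defaults to false, so security stays enabled when the property is not set
    @Value("${application.security.disabled:false}")
    private boolean securityDisabled;

    @Override
    public void configure(WebSecurity web) throws Exception {

        if (securityDisabled) {
            //config one - applied when security is disabled
        } else {
            //config two - applied when security is enabled
        }
    }
}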

We can either configure this property key/value in a profile-specific properties file or we can pass it through server startup parameters.

mvn spring-boot:run -Dapplication.security.disabled=true
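
A guard worth placing on top of this switch, shown here as an added example that is not code from the original tutorial: the configuration below refuses to start when application.security.disabled is true outside the psdev profile, so the flag cannot silently turn off security in another environment. The class name, the choice of psdev as the only permitted profile, and the bodies filled in for "config one" and "config two" are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.env.Profiles;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; use it in place of CustomSecurityConfiguration, not beside it.
@Configuration
@EnableWebSecurity
public class GuardedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final boolean securityDisabled;

    public GuardedSecurityConfiguration(
            @Value("${application.security.disabled:false}") boolean securityDisabled,
            Environment environment) {
        // Assumption: psdev is the only profile allowed to run without security.
        // Failing here aborts application startup instead of serving unprotected URLs.
        if (securityDisabled && !environment.acceptsProfiles(Profiles.of("psdev"))) {
            throw new IllegalStateException(
                "application.security.disabled=true is only allowed with the psdev profile");
        }
        this.securityDisabled = securityDisabled;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        if (securityDisabled) {
            // "config one" (assumed): bypass the security filter chain for every URL
            web.ignoring().antMatchers("/**");
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // "config two" (assumed): require authentication for every request
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and().httpBasic();
    }
}
```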

3. Conclusion

In this tutorial, we learned to enable or disable Spring Security for a Spring Boot application. We learned to enable or disable the configuration using either the @Profile annotation or a property passed as a startup argument.

Happy Learning !!
