I authenticated in my Spring boot application with Spring protection.
The primary authentication that controls the class should be websecurityconfig:
@Configuration @EnableWebSecurity @PropertySource(value = { "classpath:/config/application.properties" }) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private RestAuthenticationSuccessHandler authenticationSuccessHandler; @Autowired private RestAuthenticationEntryPoint restAuthenticationEntryPoint; @Override protected void configure(HttpSecurity http) throws Exception { http .httpBasic() .and() .csrf().disable() .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS) .and() .exceptionHandling() .authenticationEntryPoint(restAuthenticationEntryPoint) .and() .authorizeRequests() .antMatchers("/").permitAll() .antMatchers("/login").permitAll() .antMatchers("/logout").permitAll() .antMatchers("/ristore/**").authenticated() .anyRequest().authenticated() .and() .formLogin() .successHandler(authenticationSuccessHandler) .failureHandler(new SimpleUrlAuthenticationFailureHandler()); }
Since I am doing OAuth, I have AuthServerConfig and ResourceServerConfig . My main application class is as follows:
@SpringBootApplication @EnableSpringDataWebSupport @EntityScan({"org.mdacc.ristore.fm.models"}) public class RistoreWebApplication extends SpringBootServletInitializer { @Bean public WebMvcConfigurer corsConfigurer() { return new WebMvcConfigurerAdapter() { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**").allowedOrigins("*"); } }; } public static void main( String[] args ) { SpringApplication.run(RistoreWebApplication.class, args); } protected SpringApplicationBuilder configure(SpringApplicationBuilder application) { return application.sources(RistoreWebApplication.class); } }
Since we are doing code consolidation, we need to temporarily disable authentication. However, I have tried the following methods and nothing works. I still get 401 when I click on these other api url.
Comment on all annotations in security-related classes, including @Configuration , @EnableWebSecurity . In the Spring boot Security Disable security , it was suggested at the bottom to add @EnableWebSecurity auth will be disabled, which, I think, makes no sense. I tried it anyway, it didnβt work.
Modify websecurityconfig by deleting all security materials and do http .authorizeRequests() .anyRequest().permitAll();
Disable basic authentication when using the Spring Java Security Configuration . Does not help.
Delete automatic security configuration
@EnableAutoConfiguration (exclude = {org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})
like what they did in disabling Spring security in a Spring boot application . However, I think this feature only works with spring-boot-actuator , which I don't have. So I have not tried this.
What is the right way to disable Spring Security?
source share