In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=false line to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?
I've already read Spring-Boot-Security-2.0 and security-changes-in-spring-boot-2-0-m4 and there is nothing regarding this property.
You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:
28.1 MVC Security
The default security configuration is implemented in
SecurityAutoConfigurationandUserDetailsServiceAutoConfiguration.SecurityAutoConfigurationimportsSpringBootWebSecurityConfigurationfor web security andUserDetailsServiceAutoConfigurationconfigures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of typeWebSecurityConfigurerAdapter(doing so does not disable theUserDetailsServiceconfiguration or Actuator’s security).
For example:
@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/**");
}
}
To use the configuration only for a profile add @Profile to the class. If you want to enable it by property, add ConditionalOnProperty to the class.