In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=false
line to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?
I've already read Spring-Boot-Security-2.0 and security-changes-in-spring-boot-2-0-m4 and there is nothing regarding this property.
You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:
28.1 MVC Security
The default security configuration is implemented in
SecurityAutoConfiguration
andUserDetailsServiceAutoConfiguration
.SecurityAutoConfiguration
importsSpringBootWebSecurityConfiguration
for web security andUserDetailsServiceAutoConfiguration
configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of typeWebSecurityConfigurerAdapter
(doing so does not disable theUserDetailsService
configuration or Actuator’s security).
For example:
@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/**");
}
}
To use the configuration only for a profile add @Profile
to the class. If you want to enable it by property, add ConditionalOnProperty
to the class.