This question already has answers here:
Spring Boot 2.0.x disable security for certain profile
(7 answers)
Closed 4 years ago.
My spring boot version is 2.0.5.RELEASE.
I have been getting default login page when added the spring security dependency. I don't want to remove the spring security dependency but want to disable this login for certain time. I have tried to add them
security.ignored=/**
in application.properties file but it is not supporting it. It says that it is deprecated.
I want to add these disabling properties in the application.properties file but not getting the solution.
I usually add extra configuration, for allow access:
#Configuration
public class SecurityDisableConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(final HttpSecurity http) throws Exception {
http.cors().disable()
.csrf().disable()
.httpBasic().disable()
.authorizeRequests().antMatchers("/**").permitAll();
}
}
Related
We are migrating our legacy application, which runs on a deployed Java application server (Tomcat, Glassfish) to Spring Boot. The legacy application has a login JSP page which defines a form with a action="j_security_check" endpoint, which integrates with the application server's security infrastructure.
In the new application, we have overridden WebSecurityConfigurerAdapter and can successfully use form based authentication against our LDAP server. However, we are presented with the default Spring security login page. How can we configure Spring Boot to use our original login JSP?
Thanks
You need spring mvc not just general spring boot to be able to serve jsp files.
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll();
}
// ...
}
Don't forget the
.loginPage("/login").permitAll(); as you want your login page to be open to all users who try to authenticate.
Here is the documentation spring doc custom login page
Also make sure that you have a controller that serves your login_jsp for the path /login
I'm migrating an application from Spring Boot 1.5 to 2.0.5.
I have a property set as security.enable-csrf=true in 1.5 version which is not available in 2.0 version of Spring Boot.
I read the documents and it is said that in Spring Boot 2.0:
CSRF protection is enabled by default in the Java configuration.
So by default it is enabled ok fine, but there is also one class created which extends WebSecurityConfigurerAdapter this means Spring Boot default security configuration has been turned off. Is this also means security.enable-csrf is disabled now?
If yes how do I enable it like I had it in the application for 1.5 version.
I didn't get any document which gives a clear confirmation on how to handle security.enable-csrf property in Spring Boot 2.0 and while declaring the WebSecurityConfigurerAdapter.
Does anyone know about it? Also any document link which I have missed to read about this would be great help.
In order to have backward compatibility with the property already been set in you application, security.enable-csrf=true, you can use the following code:
#EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
#Value("${security.enable-csrf}")
private boolean csrfEnabled;
#Override
protected void configure(HttpSecurity http) throws Exception {
if (!csrfEnabled) {
http.csrf().disable();
}
}
}
As you might guess the magic comes from http.csrf().disable(); that
in the above code you can control enabling/disabling it by the
property you have set in you application.properties file.
More Info:
For more details you can also refer to the spring documents:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf
WebSecurityConfigurerAdapter is an abstract class, when you create a class which extends WebSecurityConfigurerAdapter, you will override void configure(HttpSecurity http) method.
You can disable csrf in this method, like that;
http.csrf().disable();
You can read this comment on top of the csrf() method (in HttpSecurity class).
Adds CSRF support. This is activated by default when using
WebSecurityConfigurerAdapter's default constructor. You can disable it ...."
This comment says that, when you extends this class, default constructor of WebSecurityConfigurerAdapter works and csrf is activated.
I recently upgraded from Spring Boot 1.x to Spring Boot 2.0.3 and I am trying to disable basic auth with no success.
#Configuration
#EnableWebSecurity(debug=true)
#EnableGlobalMethodSecurity(securedEnabled = true)
public class CustomSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.httpBasic().disable();
// the rest of my config
}
}
What hidden gem am I missing to just simply turn off basic auth?
Why does turning things off in Spring need to be so difficult now?
I was reading this:
https://github.com/spring-projects/spring-boot/issues/10306
and I have to agree that it should be much easier and a clearer explanation should be provided on how to turn this off.
EDIT
This link https://spring.io/blog/2017/09/15/security-changes-in-spring-boot-2-0-m4 talks about how the property was removed but doesn't say anything about how to continue to use the configuration as it exists in current application that utilize it.
I updated an already existing application from Spring Boot 1.3 to 2.0.1. This application makes use of the Actuator and exposes a REST-style API.
In Boot 1.3 the API could be used without authentication and the actuator endpoint was configured to be password protected:
security.user.name=foo
security.user.password=bar
security-user.role=ADMIN
I updated this like documented in the configuration changelog and renamed the entries from security.user.name to spring.security.user.name and alike.
But when I try to curl my API, I am denied because I do not provide credentials:
In the Spring Blog I found a possible solution how to configure Spring Security on a detailled level:
http
.authorizeRequests()
// 1
.requestMatchers(EndpointRequest.to("status", "info"))
.permitAll()
// 2
.requestMatchers(EndpointRequest.toAnyEndpoint())
.hasRole("ACTUATOR")
// 3
.requestMatchers(StaticResourceRequest.toCommonLocations())
.permitAll()
// 4
.antMatchers("/**")
.hasRole("USER")
.and()
...
but this is more fine-grained than I need and I am looking for an application.properties based solution.
Is there a way to solve this without additional code ?
When you set spring.security.user.name and spring.security.user.password, you are configuring form login via spring-security for the whole application, including the Actuator endpoints.
Unfortunately, in Spring Boot 2.0 you cannot set a different username/password or disable authentication for the Actuator endpoints using the properties. This means you have to explicitly allow the actuator endpoints through Security configuration.
Through spring-security, you can also allow public access to your endpoints and require credentials for the actuator endpoints very easily:
#Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ACTUATOR")
.anyRequest().permitAll();
}
}
(I assumed you were using WebMvc, not WebFlux, which is a bit different)
Verify that you have the following in the application.properties:
spring.security.user.name=user
spring.security.user.password=pass
spring.security.user.roles=ACTUATOR,USER # and others, if you like
management.endpoint.health.roles=ACTUATOR
See here for a quick and nice explanation between the differences in Actuator in Spring 1.x vs 2.0.
For Spring Boot 2.0, when we override the configure method of WebSecurityConfigurerAdapter all existing security backs off and we can provide our custom security. In your case you just need to authenticate the actuator endpoints, which can be done as follows:
#Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/actuator/**").authenticated();
}
}
No changes are required in the application.properties file.
I followed https://spring.io/guides/gs/producing-web-service/ to implement simple webservice using Spring. Everything works like expected. Now I am trying to add http basic authentication to it using javaconfig. How should I proceed? I found some links where #EnableWebSecurity was used however nothing seems to work... Service responds without authentication...
Just create a Spring Security config file like this:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user")
.password("password")
.roles("ROLE_USER");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
Here's a notice tutorial to follow up: http://www.mkyong.com/spring-security/spring-security-hello-world-annotation-example/
Based on the tags you added to the question I see you are exposing the SOAP service using Spring Boot. In that case just add the spring-boot-starter-security Spring Boot starter project as a dependency. This will include Spring Security and by default ‘basic’ authentication is added on all HTTP endpoints (including your SOAP service).
By default a random password is generated at startup but you can configure your own user name/password using Spring Boot security properties.
If would like more information, I created a blog post which illustrates how to setup Spring WS basic authentication using Spring Boot.