1. Overview
Spring Security is a powerful, highly customizable authentication and access-control framework for Java applications. We’ll outline the purpose of Spring Security and some common scenarios where disabling it might be necessary, such as during development, testing, or when using a custom security mechanism.
This article will guide us through the steps to disable Spring Security in a Spring Boot application while ensuring that the configurations are easy to manage and revert. We’ll also provide here code samples that we can refer to in our projects, complete with unit tests to demonstrate their behavior. In this tutorial, we’ll discuss the basic concepts necessary for understanding how to disable Spring Security in a Spring Boot application.
2. Disabling Spring Security
Depending on our application’s specific requirements, we can disable Spring Security in several ways. We’ll explore four common methods:
- using a custom security configuration
- leveraging Spring profiles
- removing Spring Security Dependency
- excluding Spring Security auto-configuration
Before we discuss the different strategies for disabling Spring Security, let’s set up a simple Spring Boot application through Spring Initializr that we’ll use throughout the guide. We’ll create a minimal Maven-based Spring Boot project with a single controller that will serve as our test endpoint:
@RestController
@RequestMapping("/api")
public class PublicController {
@GetMapping("/endpoint")
public ResponseEntity<String> publicEndpoint() {
return ResponseEntity.ok("This is a public endpoint.");
}
}3. Using a Custom Security Configuration
One of the most straightforward ways to disable Spring Security is by creating a custom security configuration class. This method involves defining and configuring a SecurityFilterChain bean to allow all requests without authentication:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
.csrf(AbstractHttpConfigurer::disable);
return http.build();
}4. Leveraging Spring Profiles
Spring profiles allow us to configure different environments for our application. We can use profiles to disable security in certain environments, such as development or testing. Create a new profile-specific properties file, for example, application-dev.properties, and add the following line:
server.port= 8080
spring.profiles.active=dev
spring.application.name=spring-security-noauth-profileNow, create the new Java class named DevSecurityConfiguration. This class is specifically configured for the “dev” profile in a Spring Boot application. It allows unrestricted access to all endpoints by permitting all requests. This is useful during dev phases to simplify testing and debugging without security constraints:
@Profile("dev")
public class DevSecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
return http.build();
}
}Along with the above configuration, we’ll define another security configuration class that applies when the dev profile is not active. This configuration enables authentication and allows restricted access to all endpoints:
@Profile("!dev")
public class SecurityConfiguration {
@Bean
SecurityFilterChain httpSecurity(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.formLogin(withDefaults())
.httpBasic(withDefaults());
return http.build();
}
}When we run the application in the development environment using the dev profile, all requests will be allowed without authentication. However, when the application runs using any profile other than dev, our application requires authentication for any kind of request.
5. Removing Spring Security Dependency
The simplest way to disable Spring Security is to remove its dependency from the project. By doing this, we’ll remove all security-related configurations and defaults provided by Spring Security:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>...</version>
</dependency>Removing this dependency eliminates all Spring Security features from the application.
6. Excluding Spring Security Auto-Configuration
Spring Boot automatically configures security when we include spring-boot-starter-security in our classpath. To disable it, exclude the auto-configuration by adding the following property to application.properties:
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfigurationIf we want to disable Spring Security completely, we should use spring.autoconfigure.exclude without creating a SecurityConfiguration class. Manually configuring the Spring Security class overrides the application.properties configuration, so exclusion in the application.properties has no effect when both are used together.
7. Testing Without Security
We can verify that we have disabled security by starting the application and accessing the endpoints locally. Bring the spring boot application up and running, and we’ll see the below response when we try to access the REST endpoint:
We can programmatically verify that security is disabled by writing JUnit tests using the MockMvc library.
7.1. Unit Test for Custom Security Configuration
Here is a sample unit test to verify that the security configuration allows unrestricted access:
public class CommonSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenSecurityIsDisabled_thenAllEndpointsAreAccessible() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isOk());
}
}7.2. Unit Test for Application Profiles
We write two separate tests to verify that our security behaves differently based on active profiles. Here’s a unit test for the dev profile when security is disabled:
@ActiveProfiles("dev")
public class DevProfileSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenDevProfileIsActive_thenAccessIsAllowed() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isOk());
}
}Here’s a unit test for the non–dev profile when security is enabled:
public class NonDevProfileSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenNonDevProfileIsActive_thenAccessIsDenied() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isUnauthorized());
}
}8. Conclusion
In this article, we discussed various methods for disabling Spring Security in a Spring Boot application, each suited for different scenarios. Whether we use a custom security configuration or leverage Spring profiles, the approach should align with our development and deployment needs. By following the steps outlined in this article, we can ensure that our application remains flexible and easy to manage, especially during the development and testing phases.
Always remember to re-enable security in production environments to maintain the integrity and safety of our application. As always, the code for these examples is available over on GitHub.
The post Guide to Disable Spring Security first appeared on Baeldung.
