Switch off Spring Boot security for good

It looks soooo basic that the Spring documentation thought it deserves one single row of text – which I quote here:

89.1 Switch off the Spring Boot Security Configuration
If you define a @Configuration with a WebSecurityConfigurerAdapter in your application, it switches off the default webapp security settings in Spring Boot.

Well, not exactly. You define that thing and… nothing remarkable happens: you get the same generated security password and the same login form greets you when you access your pages. Ack. Stackoverflow and many blog posts come up with all kinds of long and so obviously copy-n-pasted solutions… ugly ugly ugly. What then?

Turns out, the missing bit was that you should OVERRIDE the configuration functions so they actually do nothing: no authentication manager (so no generated passwords thank you) and no HTTP security – at all. And of course tell Spring it’s web security you’re talking about. This being said, your new bean will look like this:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {}

  protected void configure(final HttpSecurity http) throws Exception {}

4 thoughts on “Switch off Spring Boot security for good

  1. Pingback: Java Weekly, Issue 254 | Baeldung

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.