Switch off Spring Boot security for good

It looks soooo basic that the Spring documentation thought it deserves one single row of text – which I quote here:

89.1 Switch off the Spring Boot Security Configuration
If you define a @Configuration with a WebSecurityConfigurerAdapter in your application, it switches off the default webapp security settings in Spring Boot.

Well, not exactly. You define that thing and… nothing remarkable happens: you get the same generated security password and the same login form greets you when you access your pages. Ack. Stackoverflow and many blog posts come up with all kinds of long and so obviously copy-n-pasted solutions… ugly ugly ugly. What then?

Turns out, the missing bit was that you should OVERRIDE the configuration functions so they actually do nothing: no authentication manager (so no generated passwords thank you) and no HTTP security – at all. And of course tell Spring it’s web security you’re talking about. This being said, your new bean will look like this:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {}

  @Override
  protected void configure(final HttpSecurity http) throws Exception {}
}
This entry was posted in hands-on and tagged , , , . Bookmark the permalink.

4 thoughts on “Switch off Spring Boot security for good

  2. Pingback: Java Weekly, Issue 254 | Baeldung

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.