Not possible to disable security with @ConditionalOnProperty anymore

Overall - I really like/prefer the new 2.0 security integration. The only issue is how can security be enabled/disabled via configuration.

In 1.5.x - security could be enabled / disabled via property. Unfortunately @ConditionalOnProperty seems to keep the class available, so the new SpringBootWebSecurityConfiguration, @ConditionalOnClass(WebSecurityConfigurerAdapter.class) seems to find it anyway, and configures default settings (http basic, everything protected, etc).

While debugging - I removed the @Configuration from MySecurityConfiguration, and security was not applied. So if there is some conditional way to @Import the file - that might also work.

Suggestions appreciated, Peter

Works in 1.5.x:

@Configuration
@ConditionalOnProperty("my.security.enabled")
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
	// <working config>
}

Workaround for 2.x: Add an additional configuration with ! property, and ignore all

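@Configuration
@ConditionalOnProperty(name = "my.security.enabled", havingValue = "false")
public class MySecurityDisabledConfiguration extends WebSecurityConfigurerAdapter {

	// Only loaded when my.security.enabled=false: every request bypasses the
	// Spring Security filter chain, so nothing is authenticated or authorized.
	@Override
	public void configure(WebSecurity web) throws Exception {
		web.ignoring().anyRequest();
	}
}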

Spring default handler:

@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

	@Configuration
	@Order(SecurityProperties.BASIC_AUTH_ORDER)
	static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

	}

}

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

4 reactions
peterdnight commented, Mar 5, 2018

Thanks for suggestions and links. After playing with the exclude option - desired behavior is occurring. I switched to the following convention, to enable security to be completely configuration driven using a single property. I was concerned that there would be potential for ordering issues - but my unit tests are all passing.

  • Disable Security on the entire application by default:
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class})
@Import(MySecurityConfiguration.class)
public class MyApplication {
}

Then in my security configuration:

@Configuration
@ConditionalOnProperty("my.security.enabled")
@Import(SecurityAutoConfiguration.class)
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

}
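
The single-property toggle in the comment above leaves MySecurityConfiguration unregistered whenever my.security.enabled is not set at all, and because SecurityAutoConfiguration is excluded on the application class, no security configuration is loaded in that case. The check below is an added example, not code from the thread: it runs the same condition against unset, true and false values, next to an assumed variant using matchIfMissing that is switched off only by an explicit false. The class names are hypothetical and spring-boot-test must be on the classpath.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.test.context.runner.ApplicationContextRunner;
import org.springframework.context.annotation.Configuration;

public class SecurityToggleCheck {

    // Same condition as MySecurityConfiguration in the comment above:
    // matches only when the property is set to something other than "false".
    @Configuration
    @ConditionalOnProperty("my.security.enabled")
    static class ThreadCondition {
    }

    // Assumed variant: also matches when the property is absent, so only an
    // explicit my.security.enabled=false switches the configuration off.
    @Configuration
    @ConditionalOnProperty(name = "my.security.enabled", matchIfMissing = true)
    static class EnabledUnlessFalse {
    }

    // Starts a throwaway context with the given properties and reports
    // whether the conditional configuration class was registered.
    static boolean registered(Class<?> config, String... properties) {
        boolean[] found = new boolean[1];
        new ApplicationContextRunner()
                .withUserConfiguration(config)
                .withPropertyValues(properties)
                .run(context -> found[0] = context.getBeanNamesForType(config).length == 1);
        return found[0];
    }

    public static void main(String[] args) {
        String[][] cases = {
            {},                                  // property not set anywhere
            {"my.security.enabled=true"},
            {"my.security.enabled=false"},
        };
        for (String[] props : cases) {
            System.out.printf("%-28s thread=%-5b enabledUnlessFalse=%b%n",
                    props.length == 0 ? "(unset)" : props[0],
                    registered(ThreadCondition.class, props),
                    registered(EnabledUnlessFalse.class, props));
        }
    }
}
```
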

1 reaction
thephw commented, Jul 17, 2019

FWIW, worked a similar solution using profiles for configuring secure and insecure profiles.

The secure profile loads OAUTH2 config from environment variables for real operation. The insecure profile skips auth for integration tests with an external service.

Put it all in a demo repo here: https://github.com/deftinc/spring_azure_ad_profile/
