Disable Basic Authentication while using Spring Security Java configuration

spring security 401 unauthorized
disable spring security spring boot 2
spring boot security
spring security header authentication
spring security no authentication
spring security configuration
basicauthenticationentrypoint
spring boot security tutorial step by step

I am trying to secure a web application using Spring Security java configuration.

This is how the configuration looks:-

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private String googleClientSecret;

    @Autowired
    private CustomUserService customUserService;

    /*
     * (non-Javadoc)
     * 
     * @see org.springframework.security.config.annotation.web.configuration.
     * WebSecurityConfigurerAdapter
     * #configure(org.springframework.security.config
     * .annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .and()
                .httpBasic().disable()
            .requiresChannel().anyRequest().requiresSecure();
        // @formatter:on
        super.configure(http);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // @formatter:off
        auth
            .eraseCredentials(true)
            .userDetailsService(customUserService);
        // @formatter:on
        super.configure(auth);
    }
}

Notice that I have explicitly disabled HTTP Basic authentication using:-

.httpBasic().disable()

I am still getting HTTP Authenticaton prompt box while accessing a secured url. Why?

Please help me fix this. I just want to render the default login form that comes bundled.

Spring Boot Starter Version : 1.1.5 Spring Security Version : 3.2.5

Thanks

First of all, calling super.configure(http); will override whole your configuration you have before that.

Try this instead:

http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .and()
    .httpBasic().disable();

Spring Security Basic Authentication, Set up Basic Authentication in Spring - the XML Configuration, the Error Messages, and We can configure Spring Security using Java config:. NoAuthSecurityConfig.java. @Profile(Profiles.NO_AUTH) annotation is used to disable authentication only when the application is run with “noauth” profile. NoAuthSecurityConfig class extends the WebSecurityConfigurerAdapter which is a convenience class that allows customization to both WebSecurity and HttpSecurity.

In case you use Spring Boot, the documentation states:

To switch off the Boot default configuration completely in a web application you can add a bean with @EnableWebSecurity

So if you want to fully customize itself that might be an option.

Just to make it clear... You just need to put @EnableWebSecurity annotation on your main application class or application configuration class.

Spring Boot Security Auto-Configuration, In order to add security to our Spring Boot application, we need to add Simply put, by default, the Authentication gets enabled for the Application. Also, content negotiation is used to determine if basic or formLogin should be used. There's a significant difference between disabling autoconfiguration and  Disable Basic Authentication while using Spring Security Java configuration. Does not help either. Remove security auto config @EnableAutoConfiguration (exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})

You can disable the formLogin through the HttpSecurity instance as follow:

http.authorizeRequests().antMatchers("/public/**").permitAll()
        .antMatchers("/api/**").hasRole("USER")
        .anyRequest().authenticated() 
        .and().formLogin().disable();

This will lead receiving 403 Http error when trying to access any secured resource

How to enable HTTP Basic Authentication in Spring , Thursday, July 11, 2019. How to enable HTTP Basic Authentication in Spring Security using Java and XML Config. In the  How to Disable Spring Boot Security In this post, we will discuss how to disable security on a Spring Boot project without removing security dependency from the application. To secure our Spring Boot application, we can add the spring-boot-starter-security dependency to pom.xml , as shown in the following example:

Anonymous option worked for me. My code like

  http.csrf().disable().headers().frameOptions().sameOrigin().and().
   authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();

Spring Security Basic Authentication Configuration Example, We demonstrate this by configuring Spring Security using both Java and XML Configuration. Unit testing. How to Disable/Skip @Required Annotation For Class Basic authentication is mainly used in web applications. In this article we will build a basic authentication with Spring Security for REST API. Our secure REST API will ask for basic authentication before providing data access to the REST client. 1. Maven Setup. To secure our REST API, we need to include spring security starter in the pom.xml file.

Suitable for Spring Boot or folks using OAuth

@Profile("test")
@EnableWebSecurity
static class BasicWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
    }
}

If you are using @EnableOAuth2Client or @EnableResourceServer, then in test profile switch to basic auth and then disable the same. In Spring Boot,to switch off the spring security default configuration completely in a web application you need to add a bean with @EnableWebSecurity

How to Disable Spring Boot Security, Disable Basic Authentication while using Spring Security Java configuration. spring security basic authentication disable spring security spring boot 2 spring  see the spring security docs for further clarification: Spring Security. The basic idea is that the @Order annotation will dictate what order the auth schemes are run. No @Order means that it is last. If the authorizeRequests() section cannot match on the incoming URL then that configuration will pass and the next one will attempt authentication.

Basic Authentication with Spring Security, In this post, we will discuss how to disable security on a Spring Boot project protected void configure(AuthenticationManagerBuilder auth) throws Exception {. //. Please use our online compiler to post code in comments using C, C++, Java​,  Configure basic-auth in spring security configuration. In our employee management application created in Spring login form based security example, we created login form manually and configured them for various URL patterns. Lets modify it to use http basic authentication. Our modified application-security.xml will look like this now.

Spring Security: Authentication and Authorization In-Depth, There are multiple things taking place in the above code. Let's study details about the configure(HttpSecurity httpSecurity) method: Disable the  The Maven dependencies for Spring Security have been discussed before in the Spring Security with Maven article – we will need both spring-security-web and spring-security-config available at runtime. 6. Conclusion

Spring Boot Security HTTP Basic Authentication with in-memory users, You can use this guide to understand what Spring Security is and how its Luckily, there's a way to do exactly this in the Java web world: you can put filters in front of How to configure Spring Security: WebSecurityConfigurerAdapter On top of that, you are also allowing Basic Auth, i.e. sending in an  Spring Security: Intro with basic form login; Spring Security using MySQL and JDBC; Spring Security 5: JWT Authentication; Spring Security 5. If you are here for the first time, you should check out our earlier articles on Introduction to Spring Security 5 and authenticate users with JDBC. The previous articles explained the basics of Spring

Comments
  • add security.basic.enabled=false to your application.properties. Also you shouldn't be calling super.configure from your overridden method.
  • @M.Deinum That fixed it. But why it wasn't disabled when I explicitly disabled in java config?
  • You can have multiple WebSecurityConfigurer each contributing configuration to the overall configuration. It very well could be that you have a rest part of your website that is protected by basic auth and the normal site with a form. You could create 2 WebSecurityConfigurer one for rest and one for form. You also might want to checkout docs.spring.io/spring-boot/docs/current/reference/html/… (Spring Boot reference, security section).
  • @M.Deinum you don't need to call the original implementation in the *Configurer classes, they just implement all methods of the interface with an empty body, so you can just override what you want to use.
  • small correction.. should be .httpBasic().disable().
  • I apologize, but Im new to java, we are using jhipster with angular front and java back-end. Where do I insert this code? Is this in gateway? or micorservice? what file should be looking for? Thanks -
  • @GelSisaed that might be a separate question altogether. Generally, it depends on where you are doing your auth, but with jhipster, doing auth in the gateway is pretty typical, so that is where I would start. It also wouldn't be a bad idea to post your own question (with a jhipster tag) like "How do I disable HTTP Basic in JHipster?"
  • This didn't work for me (I put @EnableWebSecurity on my main Spring Boot class and extended WebSecurityConfigurerAdapter). What it actually means to 'add a bean with @EnableWebSecurity'?
  • This actually works. Best Answer of all.
  • This will not disable basic security, it will simply ignore the security checking for all requests.