Disable Security for a Profile in Spring Boot
Last Updated :
23 Apr, 2024
In Spring Boot, Spring Security is the crucial aspect of protecting the endpoints and resources. But in some cases, we need to disable security for certain profiles like during development or for specific testing scenarios. Disabling security for the profile allows us to bypass the security constraints and it can access the endpoints without the authentication and authorization of the Spring application.
Spring Security can be configured in the Spring Boot application using the various configurations and it can include the java configuration, XML configuration, or the annotations. To disable the security for the specific profile, the Spring Boot profile-specific configurations need to enable or disable the security based on the active profiles of the application.
Key Terminologies:
- UserDetailsService: This interface can be used to retrieve the user details such as username, password, and authorities from the data source and it can typically as the database of the application.
- SecurityContext: It can represent the security information associated with the current thread of the execution. It can typically contain the authenticated principal and any granted authorities of the application.
- Security Configuration: Configuration settings that can define the behavior of the Spring Security within the Spring Boot application. It includes specifying the authentication mechanisms, authorization rules and the other security related options.
- AuthenticationProvider: It is the interface for the authenticating the users based on the provided credentials. It can typically delegates the authentication process to one or more the configured the authentication mechanisms.
- Filter Chain: The filter chain is the responsible for the enforcing the security constraints and it can performing the authentication and authorization checks of the application.
Steps to Disable Security for a Profile in Spring Boot
We will develop a simple Spring application that demonstrate disable the security of the development profile of the Spring application.
Step 1: Create a spring project using spring initializer. On creating the project, add the below dependencies into the project.
Dependencies:
- Spring Web
- Spring Dev Tools
- Lombok
Project Structure:
Below we can see the project folder structure after successfully creation of the project.
Step 2: Now, open the application.properties file and put the below code for the server port and spring security credentials configuration to the project.
spring.application.name=spring-disable-security-demo
server.port= 8081
spring.security.user.name=admin
spring.security.user.password=admin
spring.profiles.active=development
Step 3: Open the application-development.properties file and put the below code for the server port and spring security credentials configuration to the project.
server.port= 8082
Step 4: Create a new package named config, in that package, create a new Java class and it named as SecurityConfig.
Go to src > org.example.springdisablesecuritydemo > config > SecurityConfig and put the below code.
Java
package org.example.springdisablesecuritydemo.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@Profile("!development")
@EnableWebSecurity
public class SecurityConfig {
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
}
- This
SecurityConfig class is responsible for configuring security settings in a Spring Boot application. - It specifies that security configurations defined within it should only be applied when the active profile is not "development".
- The
configure method sets up authorization rules, form-based login, and logout functionality.
Step 5: Create a new package named config and in that package, create the new Java class and it named as DevelopmentSecurityConfig .
Go to src > org.example.springdisablesecuritydemo > config > DevelopmentSecurityConfig and put the below code.
Java
package org.example.springdisablesecuritydemo.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@Profile("development")
public class DevelopmentSecurityConfig {
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().permitAll()
.and().csrf().disable();
}
}
- This
DevelopmentSecurityConfig class is specifically configured for the "development" profile in a Spring Boot application. - It allows unrestricted access to all endpoints by permitting all requests and disabling CSRF protection.
- This is useful during development phases to simplify testing and debugging without security constraints.
Step 6: Create a new package named controller, in that package, create a new Java class named DevelopmentSecurityConfig .
Go to src > org.example.springdisablesecuritydemo > controller > HomeController and put the below code.
Java
package org.example.springdisablesecuritydemo.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HomeController {
@GetMapping("/")
public String hello() {
return "Hello World";
}
}
- This
HomeController class defines a simple REST controller with a single endpoint mapped to the root URL ("/"). - When accessed, it returns the string "Hello World".
- This endpoint can be used to verify the basic functionality of the Spring application.
Step 7: Open the main class file and write the below code.
Java
package org.example.springdisablesecuritydemo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SpringDisableSecurityDemoApplication {
public static void main(String[] args) {
SpringApplication.run(SpringDisableSecurityDemoApplication.class, args);
}
}
pom.xml:
XML
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.2.4</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.example</groupId>
<artifactId>spring-disable-security-demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-disable-security-demo</name>
<description>spring-disable-security-demo</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
Step 8: After successfully completion of the spring project, run it as spring application and once it runs successfully, it starts at port 8081.
Endpoint API:
GET http:localhost:8081/
Output:
Once sign in done, then the output will be like below image:
Step 9: Set the profile to development.
spring.application.name=spring-disable-security-demo
server.port= 8081
spring.security.user.name=admin
spring.security.user.password=admin
spring.profiles.active=development
Step 10: Once change the profile the re-run as spring application once it runs successful then it starts at port 8082.
API Endpoint:
GET http://localhost:8082/
Output:
If we follow the above steps, then we can successfully demonstrate that how to Disable Security for a Profile in Spring Boot of the Spring application.
Similar Reads
Spring Security for API Rate Limiting
API rate limiting in Spring Security is an essential technique for modern web applications to control client requests to a particular endpoint over a specified time frame. This practice helps protect APIs from abuse, ensures fair resource usage, and prevents Denial of Service (DoS) attacks by contro
5 min read
Spring Security - Authentication Providers
Authentication in Spring Security refers to the process of verifying the identity of a user or a client application attempting to access a protected resource. In other words, it's the process of validating the user's credentials (such as username and password) to ensure that they are who they claim
13 min read
CSRF Protection in Spring Security
In Spring Security, CSRF stands for Cross-Site Request Forgery. It is used to protect in the Spring Security mechanism. It is designed to prevent the attackers from executing unauthorized actions on behalf of the authenticated users. Key Terminologies:CSRF AttackCSRF TokenCSRF Token RepositoryCSRF T
9 min read
Difference between Role and GrantedAuthority in Spring Security
Role-based authorization is the process of access control as it allows administrators to create user roles and limit their actions based on those roles. Granted Authority is a capacity or permission to carry out specific actions inside an application for an authenticated user. It is a fundamental pa
4 min read
Spring Boot Security Auto-Configuration
Spring Boot Security Auto Configuration can simplify the process of securing the Spring Boot applications by providing default security configurations. It can automate the many common security tasks such as setting up the authentication, and authorization and it can handle the common security vulner
4 min read
Spring Boot Properties Prefix Must Be in Canonical Form
In Spring Boot, configuring properties using the @ConfigurationProperties class requires the property prefixes to be in the canonical form. The canonical form means the prefix must be in lowercase and hyphen-separated (kebab-case), without special characters like underscores or camel case. Failure t
6 min read
Read file from Resources Folder in Spring Boot
Spring Boot is a framework for handling web applications, and it is easy to create stand-alone applications. The Spring Boot framework is an open-source Java-based framework mostly used for creating microservices. In this article, we will discuss how to read file from the resources folder in Spring
4 min read
What is Spring Boot Profiles?
Spring Boot, a popular framework for building Java applications, offers a wealth of features that simplify development. Among these, "Profiles" stand out as a powerful tool for managing configurations in different environments. This article will delve into what profiles are, why they are crucial, an
4 min read
Spring Security - Role Based Authentication
Authentication is when anyone wants to access your Rest API they need some Authorization like a Username, Password, and token kind of. So Spring Boot Security has a Spring Boot 6.2.0 version. In the lower version Some Methods are deprecated in spring Security that's why a new thing comes into the pi
4 min read
Example of RBAC in Spring Security
Role-based role control (RBAC) is a widely used method for managing resource availability in a system. When we use RBAC in Spring Security, we focus on defining roles and it can assign permissions to those roles and then associate users with specific roles. Key TerminologiesGranted Authority: Permis
4 min read