How to temporarily disable Spring Security in a Spring web application

First, I'm a complete noob when it comes to Spring. I have been asked to work for a colleague who is now on vacation. He told me to leave security alone as the final approach has yet to be decided, and just develop the rest of the application.

However, protection is enabled and denies access to the main web page. I have checked several documents including

Disable Spring Security from spring-security.xml

Disable Basic Authentication when using Spring Java Security Configuration

http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html

http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html

not finding an answer that works.

I did the following:

Added index.html to <welcome-file-list> in web.xml. This directs me to the login page which is already included in the package I grabbed. So, I figured I could just turn off security.

Added security = "none" attribute to Spring security.xml. Now I don't get the login page anymore. I am getting a blank page.

Disabled in web.xml:

<!--     <filter> -->
<!--        <filter-name>springSecurityFilterChain</filter-name> -->
<!--        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> -->
<!--    </filter> -->

<!--    <filter-mapping> -->
<!--        <filter-name>springSecurityFilterChain</filter-name> -->
<!--        <url-pattern>/*</url-pattern> -->
<!--    </filter-mapping>  -->

      

Still getting a blank page.

I see a lot of other advice, but it assumes a lot more knowledge of Spring than I currently do.

For example, in the 4th link above, I see:

If you define @Configuration with @EnableWebSecurity anywhere your application will disable security by default for the webapp setting in Spring Boot.

I don't know what they mean. I'm guessing it means putting these annotations on some method somewhere, but I can't believe this can go in any Java class in the application. Is there an example of this?

Can anyone point me in the right direction? Thanks.

+3




3 answers


Comment out the tags <intercept-url pattern="" access="" /> in the XML security file and make all pages accessible. This should work.



+2




This seemed to work (in spring-security.xml)



<!--        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> -->
        <intercept-url pattern="/**" access="permitAll" />

      

+1
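The Java-configuration counterpart of the permitAll change above, which is also the kind of `@Configuration` with `@EnableWebSecurity` class the question asks about. This is an added example, not code from the original posts; it assumes Spring Security 5.7 or later (`SecurityFilterChain` beans), that the class is picked up by component scanning, and the class name `DevSecurityConfig` and profile name `dev` are hypothetical. Binding the open rule to a profile keeps the temporary setting from reaching a deployment that does not activate that profile.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; any @Configuration class in a scanned package works.
@Configuration
@EnableWebSecurity
public class DevSecurityConfig {

    // Active only when the "dev" profile (assumed name) is enabled, e.g. with
    // -Dspring.profiles.active=dev. Mirrors access="permitAll" on pattern "/**".
    @Bean
    @Profile("dev")
    public SecurityFilterChain openChainForDevelopment(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    // Active in every other profile. Mirrors the original rule
    // access="hasRole('ROLE_USER')": hasRole("USER") checks the ROLE_USER authority.
    @Bean
    @Profile("!dev")
    public SecurityFilterChain protectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().hasRole("USER"))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Exactly one of the two beans is created per run, so a build started without the `dev` profile falls back to the protected rule.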




Check your web.xml or your appContext.xml to find where the spring security.xml beans are loaded (it will be like <import resource=../spring security.xml>) and comment that out, also check the beans that are loaded from there before you disable it, trigger a redirect or whatever yet

0








