SpringBoot (Webflux) 2.7.3 disable WebSecurity

Time:09-06

How to disable the Springboot Websecurity in Springboot 2.7.3 when Webflux is in use.

CodePudding user response:

Remove the dependency spring-boot-starter-security from your pom.xml or build.gradle.

CodePudding user response:

This does not disable the webflux security but acts as a very bad workaround for now.

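import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@EnableWebFluxSecurity
class WebfluxSecurityConfig {

    // The security filter chain stays in place; every path is simply allowed through without authentication.
    @Bean
    fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
        http.authorizeExchange()
            .pathMatchers("/**").permitAll()
        return http.build()
    }
}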

CodePudding user response:

Excluding security dependencies from your project doesn't seem like the best idea, since you will probably need them at some point in time.

The best way will be to introduce a feature flag (a simple configuration property) for enabling/disabling the security configurations in your project.

Please check my example security configuration below:

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;

// @Configuration registers the class as a bean so that the adapter is applied and @Value is injected.
@Slf4j
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Value("${api.security.enabled:false}")
    private Boolean enabled;
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (this.enabled) {
            // your configuration for enabled security
        } else {
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl)http.authorizeRequests().anyRequest()).permitAll();
            log.warn("Security is disabled");
        }
        
    }
}

With such a configuration you will need to have such a property in your application.yml or application.properties file:

api:
  security:
    enabled: false

By default, security will be disabled. If you need to enable it at some point in time, or in some specific environment or profile, all you need to do is assign the value true to this property in your configs.
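
WebSecurityConfigurerAdapter belongs to the servlet stack, so the following is an added example (not code from any of the answers above) that applies the same api.security.enabled flag to a WebFlux SecurityWebFilterChain. The class name, the use of HTTP Basic for the secured chain, and the choice to keep security on when the property is missing are assumptions of this example.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical class name; the property name is the one used in the answer above.
@Configuration
@EnableWebFluxSecurity
public class WebfluxSecurityToggleConfig {

    private static final Logger log = LoggerFactory.getLogger(WebfluxSecurityToggleConfig.class);

    // Active when api.security.enabled=true or when the property is absent
    // (assumption of this example: a missing property keeps security on).
    @Bean
    @ConditionalOnProperty(name = "api.security.enabled", havingValue = "true", matchIfMissing = true)
    public SecurityWebFilterChain securedChain(ServerHttpSecurity http) {
        http.authorizeExchange().anyExchange().authenticated();
        http.httpBasic(); // placeholder authentication mechanism for the example
        return http.build();
    }

    // Active only when api.security.enabled is explicitly set to false.
    @Bean
    @ConditionalOnProperty(name = "api.security.enabled", havingValue = "false")
    public SecurityWebFilterChain openChain(ServerHttpSecurity http) {
        log.warn("Security is disabled (api.security.enabled=false)");
        // permitAll() alone leaves CSRF protection active, so POST/PUT/DELETE
        // requests without a token would still be rejected with 403.
        http.csrf().disable();
        http.authorizeExchange().anyExchange().permitAll();
        return http.build();
    }
}
```

Exactly one of the two beans is created at startup, and the warning in the log makes an open deployment visible to whoever reviews it.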
