11

I'm using Spring Boot Security with OAuth2. I want to disable security for the health endpoint.

I can totally disable security or write my own implementation of WebSecurityConfigurerAdapter and disable the autoconfigured one.

But how do I modify the existing implementation of WebSecurityConfigurerAdapter (OAuth2SsoDefaultConfiguration)?

I tried to create my own configuration without disabling autoconfigured one, but it is impossible due to Order conflicts.

Here is the error message:

Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique.
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
so it cannot be used on
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.

Also, I tried to explicitly set a higher order for my own security configuration, but it looks like the autoconfigured one overrides mine.

So how do I override specific security rules without reimplementing the whole configuration?

asked Sep 2, 2018 at 15:59
1
  • See Spring Boot Reference. There is no easy way. Commented Sep 2, 2018 at 16:29

9 Answers

9

You need to implement the following method in your @SpringBootApplication class:

import java.io.IOException;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {

    public static void main(String[] args) throws IOException {
        ConfigurableApplicationContext context =
                SpringApplication.run(BusinessLogicServiceApplication.class, args);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // /health is reachable anonymously; every other request needs an authenticated token
        http.authorizeRequests()
            .antMatchers("/health").permitAll()
            .anyRequest().authenticated();
    }
}
answered Sep 2, 2018 at 17:42

1 Comment

Thanks, I've tried ResourceServerConfigurerAdapter but messed up with the request builder.

9

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
class MyConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // only the health endpoint is public; everything else requires an authenticated SSO session
        http.authorizeRequests()
            .antMatchers("/actuator/health")
            .permitAll()
            .anyRequest()
            .authenticated();
    }
}

Make sure you are using @EnableOAuth2Sso over a WebSecurityConfigurerAdapter class. It's important because it will include OAuth2SsoCustomConfiguration which basically copies the functionality of OAuth2SsoDefaultConfiguration#configure.

You might also want to show full health details:

management:
  endpoint:
    health:
      show-details: always
answered Sep 2, 2018 at 20:26

Comments

4

Following are the possible checks.

Solution 1: Ensure that you are using

org.springframework.core.annotation.Order

instead of

org.apache.logging.log4j.core.config.Order

Since Spring didn't parse the correct annotation, it was assuming the default value 100 for both configurations.

Solution 2: Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can carry this annotation.

Solution 3: Refer to this https://stackoverflow.com/a/44076087/6572971

Solution 4:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class DemoConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // open /health, then let the adapter's default rules apply to the rest
        http.authorizeRequests().antMatchers("/health").permitAll();
        super.configure(http);
    }
}
answered Sep 2, 2018 at 16:44

Comments

2

A quick update as I'm using a very recent Spring Boot 2.7.11. It seems like extending WebSecurityConfigurerAdapter is now deprecated.

Rather, I simply do this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class ActuatorSecurityFilter {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // permit the /actuator path
        http.authorizeRequests().antMatchers("/actuator").permitAll();
        return http.build();
    }
}
answered May 1, 2023 at 20:09

4 Comments

This is not working. I tried it and am getting the error: Consider defining a bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' in your configuration.

It sure does work. The same solution is listed 3 more times below. You have another issue. Perhaps you have not enabled Spring Security, such that Spring is not injecting the HttpSecurity in your config. Try to add @EnableWebSecurity to your class.

Yes, it worked. But I needed to change the annotation to @EnableWebfluxSecurity and then things started working. However, I am looking for any other way via application.properties to achieve the same without adding an additional class.

The annotation EnableWebSecurity is not needed. This dependency is needed:

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.0.2.RELEASE</version>
</dependency>

1

I think you could have your own implementation extending the one you use (OAuth2SsoDefaultConfiguration, if I got it right) and then extend the configure method to ignore your health endpoint. It would look more or less like this:

@Override
public void configure(final HttpSecurity http) throws Exception {
    // allow the health endpoint through without authentication
    http.authorizeRequests()
        .regexMatchers("/health")
        .permitAll();
}

By the way, about this: "Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine." The way @Order works, lower numbers have higher priority, so it would explain why the autoconfigured one was overriding yours. Doc here: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/annotation/Order.html

answered Sep 2, 2018 at 16:44

Comments
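Putting two points from this thread together, the SecurityFilterChain bean style from the Spring Boot 2.7 answer and the rule that a lower @Order value means higher precedence, here is an added example of a configuration that opens only the health endpoint while everything else stays behind OAuth2 login. This is editor-supplied code, not from any answer or from Spring's own sources; it assumes Spring Boot 2.7 with spring-boot-starter-actuator, spring-boot-starter-security and spring-boot-starter-oauth2-client on the classpath and an OAuth2 client registration already configured in application.yml. The class and bean names are my own.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Editor-supplied example (not from the thread): two filter chains with explicit
 * ordering. Spring Security consults the chains in @Order sequence and hands a
 * request to the first chain whose request matcher accepts it, so the health chain
 * wins for the health URL and never sees any other request.
 */
@Configuration
@EnableWebSecurity
public class HealthEndpointSecurityConfig {

    // Lower @Order value = higher precedence. This chain only claims the health
    // endpoint, resolved from the actuator mapping rather than a hard-coded path,
    // so it keeps matching if management.endpoints.web.base-path is changed.
    @Bean
    @Order(1)
    public SecurityFilterChain healthChain(HttpSecurity http) throws Exception {
        http
            .requestMatcher(EndpointRequest.to(HealthEndpoint.class))
            .authorizeRequests(authz -> authz.anyRequest().permitAll());
        return http.build();
    }

    // Every other request, including the remaining actuator endpoints such as
    // /actuator/env, requires an authenticated OAuth2 login session.
    @Bean
    @Order(2)
    public SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2Login();
        return http.build();
    }
}
```

Two design notes. An Ant pattern such as "/actuator" with no wildcard matches that single path only, whereas EndpointRequest.to(HealthEndpoint.class) matches the health endpoint and its sub-paths (for example the liveness and readiness groups) wherever actuator is mounted. And because the health response is now visible to anyone who can reach the service, pair this with management.endpoint.health.show-details: when-authorized rather than always, so an anonymous probe sees only the aggregate UP/DOWN status while component details (disk space, data sources) stay behind authentication.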

0

management.security.enabled: false is no longer valid in Spring Boot 2. We need to take the ConfigurerAdapter way. Here is my code below, for when an OAuth2 resource server is used.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * To disable security for actuator endpoints.
 */
@Configuration
public class ActuatorSecurityConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        // permit the /actuator path on the resource server
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll();
    }
}
answered Aug 21, 2020 at 6:42

Comments

0

management.security.enabled: false

does not work with Spring Boot 2.x versions.

answered Feb 11, 2022 at 23:22

Comments

0

For Kotlin:

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
    override fun configure(httpSecurity: HttpSecurity) {
        // permit the /actuator path
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll()
    }
}
answered Feb 27, 2023 at 9:47

Comments

-3

You can also use management.security.enabled: false in your application.properties (or .yaml). It will automatically remove any security for actuator exposed endpoints.

answered Apr 26, 2020 at 20:21

Comments
