David A Good

How To Completely Disable HTTP Security in Spring Security

December 16, 2020

Warning: Do not disable HTTP security as described in this post unless you have a good reason to.

Spring is well-known for its convention-over-configuration approach, where features work out of the box with sensible defaults. Part of what enables this experience is Spring’s auto-configuration, whereby adding a Spring dependency to your classpath automatically enables certain features. You may have noticed this with Spring JDBC: once you add this dependency, you must also add the baseline application properties it requires, like the database URL, username and password. If you don’t add them, the app won’t even start!

Here’s how auto-configuration is described in the Spring Boot docs:

Spring Boot auto-configuration attempts to automatically configure your Spring application based on the jar dependencies that you have added. For example, if HSQLDB is on your classpath, and you have not manually configured any database connection beans, then Spring Boot auto-configures an in-memory database.

Source: https://docs.spring.io/spring-boot/docs/2.4.x/reference/htmlsingle/#using-boot-auto-configuration

But what happens when you want to disable such auto-configured features? There may be a common approach you can use, like @SpringBootApplication’s exclude property, e.g. @SpringBootApplication(exclude = SomeConfigurationHere.class). But the exclude property only works for classes that are actually auto-configuration classes.

In other cases, the approach required to disable a feature is completely unique to the Spring library or abstraction you’re dealing with.

With Spring Security, the default behavior is to enable numerous security features (see here and here) including username and password-based authentication for all requests.

In my case, the only reason I had added the Spring Security dependency was for service-to-service communication using OAuth2’s Client Credentials Grant Type (see this post for more info). Securing the app’s HTTP endpoints was not the goal since authentication was already handled upstream in the architecture and enforced by Kubernetes Ingress.

Once I added the Spring Security dependency, I ran the app with logging.level.org.springframework.security=DEBUG, and I saw that HTTP requests to the app’s Spring Web MVC endpoints were now being chained through 10 security Filters which were not needed as I mentioned above.
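One way to see which security filters a request will pass through, without turning on DEBUG logging for the whole org.springframework.security package, is to inspect the FilterChainProxy that Spring Security registers under the bean name springSecurityFilterChain and log each chain’s filters at startup. The class below is an added example and not code from the original post; it assumes Spring Boot 2.x with Spring Security 5.x on the classpath, and the package name is hypothetical.

```java
// Added example (not from the original post): report the security filter
// chains Spring Security has assembled, so the effect of a configuration
// change (such as disabling the defaults) can be checked at startup.
package com.example.securitycheck; // hypothetical package name

import java.util.List;

import javax.servlet.Filter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

@Component
public class SecurityFilterChainReporter implements ApplicationRunner {

    private static final Logger log = LoggerFactory.getLogger(SecurityFilterChainReporter.class);

    private final Filter springSecurityFilterChain;

    // Inject by bean name rather than by FilterChainProxy type: the bean is
    // declared with the return type Filter, so injecting by name is the
    // reliable way to get hold of it from another component.
    public SecurityFilterChainReporter(
            @Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        this.springSecurityFilterChain = springSecurityFilterChain;
    }

    @Override
    public void run(ApplicationArguments args) {
        if (!(springSecurityFilterChain instanceof FilterChainProxy)) {
            // e.g. a DebugFilter wrapper when @EnableWebSecurity(debug = true) is set
            log.info("springSecurityFilterChain is a {}; not a FilterChainProxy, skipping report",
                    springSecurityFilterChain.getClass().getName());
            return;
        }
        List<SecurityFilterChain> chains = ((FilterChainProxy) springSecurityFilterChain).getFilterChains();
        log.info("Spring Security has {} filter chain(s)", chains.size());
        for (int i = 0; i < chains.size(); i++) {
            List<Filter> filters = chains.get(i).getFilters();
            log.info("chain {} ({}): {} filter(s)", i, chains.get(i), filters.size());
            for (Filter filter : filters) {
                log.info("  - {}", filter.getClass().getName());
            }
        }
    }
}
```

Run the app once before and once after changing the security configuration and compare the two reports; with the Spring Boot defaults you should see the filters the DEBUG log mentions, and after disabling them the chain that matches every request should list none.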

After trying numerous supposed solutions to disable all these default HTTP security features, I came up with the solution below the old-fashioned way: by digging through the WebSecurityConfigurerAdapter source code. 🙂

Warning: Again, don’t do this unless you have a good reason to. This will completely disable all HTTP security for your app.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class HttpSecurityDisabler extends WebSecurityConfigurerAdapter {

    public HttpSecurityDisabler() {
        // disableDefaults = true: WebSecurityConfigurerAdapter skips applying its
        // default HttpSecurity configurers (CSRF, headers, session management,
        // anonymous, logout, default login page, ...). Declaring this bean also
        // makes Spring Boot back off from its own default WebSecurityConfigurerAdapter.
        super(true);
    }

    @Override
    protected void configure(HttpSecurity http) {
        // Do nothing: with the defaults disabled and nothing configured here,
        // no security filters are added to the chain
    }
}
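If the actual requirement is narrower, namely that HTTP endpoints must not demand credentials, a less drastic configuration keeps the default filters (security headers, session management, and so on) in place and only changes the authorization decision. The class below is an added example, not code from the original post; it assumes Spring Security 5.2 or later for the lambda-style configuration and uses a hypothetical package name. Unlike super(true) with an empty configure(), it does not remove the filters from the chain, so it does not address the filter overhead described above.

```java
// Added example (not from the original post): permit every request while
// keeping the default HttpSecurity configurers, and disable only CSRF for a
// service-to-service API that has no browser sessions.
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class PermitAllSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request is allowed through without authentication...
            .authorizeRequests(authorize -> authorize.anyRequest().permitAll())
            // ...but the default filters still run. CSRF protection would reject
            // state-changing requests from non-browser clients that carry no CSRF
            // token, so it is disabled explicitly; the other defaults stay enabled.
            .csrf(csrf -> csrf.disable());
    }
}
```

Because the default filters remain, responses keep the security headers (such as X-Content-Type-Options and Cache-Control) that Spring Security adds, which the full-disable approach above drops along with everything else.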
