9

I'm using Spring Boot Security with OAuth2. I wan't to disable security for health endpoint.

I can totally disable security or write my own implementation of WebSecurityConfigurerAdapter and disable autoconfigured one.

But how to modify existing implementation of WebSecurityConfigurerAdapter (OAuth2SsoDefaultConfiguration)?

I tried to create my own configuration without disabling autoconfigured one, but it is impossible due to Order conflicts.

Here is the error message:

Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. 
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
 so it cannot be used on 
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.

Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine.

So how to override specific security rules without reimplementing whole configuration?

solomkinmv
  • 1,804
  • 3
  • 19
  • 30
  • See [Spring Boot Reference](https://docs.spring.io/spring-boot/docs/2.0.0.RELEASE/reference/htmlsingle/#boot-features-security-mvc). There is no easy way. – dur Sep 02 '18 at 16:29

9 Answers9

9

You need to implement the following method in your

@SpringBootApplication class

 @SpringBootApplication
 @EnableResourceServer
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @Configuration
 public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {

 public static void main(String[] args) throws IOException {
    ConfigurableApplicationContext context =  
    SpringApplication.run(BusinessLogicServiceApplication.class, args);
    }

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/health").permitAll().anyRequest().authenticated();

    }
}
Alexander Petrov
  • 951
  • 6
  • 11
8
@Configuration
@EnableOAuth2Sso
class MyConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/actuator/health")
                .permitAll()
            .anyRequest()
                .authenticated();
    }

}

Make sure you are using @EnableOAuth2Sso over a WebSecurityConfigurerAdapter class. It's important because it will include OAuth2SsoCustomConfiguration which basically copies the functionality of OAuth2SsoDefaultConfiguration#configure.

You might also want to show full health details:

management:
  endpoint:
    health:
      show-details: always
Andrew Tobilko
  • 48,120
  • 14
  • 91
  • 142
4

Following are the possible checks.

Solution 1 : Ensure that you are using

org.springframework.core.annotation.Order

instead of

org.apache.logging.log4j.core.config.Order

Since Spring didn't parse the correct annotations, it was assuming the default value 100 for both configurations.

Solution 2:

Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation.

Solution 3 : Refer this https://stackoverflow.com/a/44076087/6572971

Solution 4 :

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class DemoConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception{
        http.authorizeRequests().antMatchers("/health").permitAll();
        super.configure(http);
    }
}
Alien
  • 15,141
  • 6
  • 37
  • 57
1

I think you could have your own implementation extending the one you use (OAuth2SsoDefaultConfiguration, if I got it right) and then extend the configure method to ignore your health endpoint. It would look more or less like this

@Override
public void configure(final HttpSecurity http) throws Exception {
    http.regexMatchers("/health",)
        .permitAll()
}

By the way about this Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine. The way @Order works, lower numbers have higher priority so it would explain why the autoconfigured was overriding yours. Doc here: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/annotation/Order.html

lapostoj
  • 113
  • 1
  • 1
  • 8
0

management.security.enabled: false is no longer valid in spring boot 2. we need to take ConfigurerAdapter way. Here is my code below when OAuth2 resource server is used.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * to disable security for acutator endpoints.
 *
 */
@Configuration
public class ActuatorSecurityConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll();
    }
}
Yuva
  • 171
  • 2
  • 1
0

management.security.enabled: false

does not work with spring boot 2.x versions

ziar-work
  • 1
0

For Kotlin

@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
    override fun configure(httpSecurity: HttpSecurity) {
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll()
    }
}
Janitha Madushan
  • 1,453
  • 3
  • 28
  • 40
0

A quick update as I'm using a very recent Spring Boot 2.7.11. It seems like extending WebSecurityConfigurerAdapter is now deprecated.

Rather I simply do this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;


@EnableWebSecurity
@Configuration
public class ActuatorSecurityFilter {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/actuator").permitAll();
        return http.build();
    }
}
Patrice Gagnon
  • 1,276
  • 14
  • 14
  • This is not working I tried and getting error `Consider defining a bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' in your configuration.` – Venu Jul 12 '23 at 22:37
  • It sure does work. The same solution is listed 3 more times below. You have another issue. Perhaps you have not enabled Spring Security, such that Spring is not injecting the HttpSecurity in your config. Try to add @EnableWebSecurity to your class. – Patrice Gagnon Jul 13 '23 at 14:36
  • Yes, it worked. But I need to change the annotation to `@EnableWebfluxSecurity` and things started working. However, I am looking if there is any other way via application.properties to achieve the same without adding additional class. – Venu Jul 16 '23 at 00:55
-3

You can also use management.security.enabled: false In your application.propeeties (or. yaml). It will automatically remove any security for actuator exposed endpoints

Nik.exe
  • 391
  • 3
  • 5