I'm securing my HTTP controller endpoint methods using @RolesAllowed annotations, authenticated by Keycloak. Security is activated by @EnableWebSecurityand @EnableGlobalMethodSecurity(jsr250Enabled = true) config annotations on a KeycloakWebSecurityConfigurerAdapter.
Is there a way to disable method security by profile? All the guides only show how to do it for WebSecurity or HttpSecurity ANT matchers.
To disable Spring Security by default and enable it by activating the enable-security profile, disable the autoconfig beans in your application.yml:
spring:
autoconfigure:
exclude:
- org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
- org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
Then, add @Profile("enable-security") to your security configuration bean to disable it unless that profile is active.
Security is now disabled, but the JSR250 annotations can stay in place.