Spring boot disable oauth2 security
3 ways, shown below as A, B, C.
A. I was able to bypass Spring Boot security filtering while keeping @EnableResourceServer in the @SpringBootApplication Application class.
1. permitAll for anonymous in the ResourceServerConfigurerAdapter override
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ResourceAccessConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // this will allow any resource endpoint access when the HTTP request Authorization header is not available
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().anonymous();
        // http.authorizeRequests().antMatchers("/**").permitAll(); // also works
    }
}
Spring Boot application initializer:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; // Spring Boot 2 package
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer // keep this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
2. remove the Authorization header (remove the OAuth 2.0 access token from the HTTP request)
B. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and setting the parameter in application.yml as below. When @EnableResourceServer is removed, the Spring Security config falls back to the default, which is org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.
1. application.yml, security.ignored property
security:
  ignored: /**
2. Spring Boot application initializer
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; // Spring Boot 2 package

@SpringBootApplication
// @EnableResourceServer << remove this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
3. remove the Authorization header from the HTTP request, same as above
C. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and adding a config class that extends WebSecurityConfigurerAdapter.
1.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // permit every path; CSRF is disabled so non-browser clients can POST without a token
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated()
            .and().csrf().disable();
    }
}
2. //@EnableResourceServer commented out, same as above
3. remove the Authorization header from the HTTP request, same as above
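As an added example (my own code, not part of the answer above): rather than shipping the permitAll configuration from approach A unconditionally, the open ResourceServerConfigurerAdapter can be gated on a Spring profile, so the protected configuration stays in effect unless the "local" profile is explicitly activated. The profile name "local", the /actuator/health path and the class names are assumptions of this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Keeps @EnableResourceServer on the application class (approach A above) and
// selects one of two ResourceServerConfigurerAdapter beans by active profile.
// The profile name "local" and the health path are assumptions for this example.
@Configuration
public class ProfileGatedResourceServerConfig {

    // Only loaded when the "local" profile is active, e.g.
    //   java -jar app.jar --spring.profiles.active=local
    // Every endpoint is then reachable without an Authorization header.
    @Configuration
    @Profile("local")
    public static class OpenResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll();
        }
    }

    // Loaded in every other case (no profile, "prod", "test", ...), so a
    // deployment that forgets to set a profile still requires a valid token.
    @Configuration
    @Profile("!local")
    public static class ProtectedResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/actuator/health").permitAll() // unauthenticated liveness probe only
                .anyRequest().authenticated();               // everything else needs a bearer token
        }
    }
}
```

To check the gate, start the app with no profile and confirm a request without an Authorization header to any path other than /actuator/health gets 401; with --spring.profiles.active=local the same request should get 200.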