You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:
28.1 MVC Security
The default security configuration is implemented in
SecurityAutoConfiguration
andUserDetailsServiceAutoConfiguration
.SecurityAutoConfiguration
importsSpringBootWebSecurityConfiguration
for web security andUserDetailsServiceAutoConfiguration
configures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of typeWebSecurityConfigurerAdapter
(doing so does not disable theUserDetailsService
configuration or Actuator’s security).
For example:
@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/**");
}
}
To use the configuration only for a profile add @Profile
to the class. If you want to enable it by property, add ConditionalOnProperty
to the class.