Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITY1. Overview
Spring Security is a powerful, highly customizable authentication and access-control framework for Java applications. We’ll outline the purpose of Spring Security and some common scenarios where disabling it might be necessary, such as during development, testing, or when using a custom security mechanism.
This article will guide us through the steps to disable Spring Security in a Spring Boot application while ensuring that the configurations are easy to manage and revert. We’ll also provide here code samples that we can refer to in our projects, complete with unit tests to demonstrate their behavior. In this tutorial, we’ll discuss the basic concepts necessary for understanding how to disable Spring Security in a Spring Boot application.
2. Disabling Spring Security
Depending on our application’s specific requirements, we can disable Spring Security in several ways. We’ll explore four common methods:
- using a custom security configuration
- leveraging Spring profiles
- removing Spring Security Dependency
- excluding Spring Security auto-configuration
Before we discuss the different strategies for disabling Spring Security, let’s set up a simple Spring Boot application through Spring Initializr that we’ll use throughout the guide. We’ll create a minimal Maven-based Spring Boot project with a single controller that will serve as our test endpoint:
@RestController
@RequestMapping("/api")
public class PublicController {
@GetMapping("/endpoint")
public ResponseEntity<String> publicEndpoint() {
return ResponseEntity.ok("This is a public endpoint.");
}
}3. Using a Custom Security Configuration
One of the most straightforward ways to disable Spring Security is by creating a custom security configuration class. This method involves defining and configuring a SecurityFilterChain bean to allow all requests without authentication:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
.csrf(AbstractHttpConfigurer::disable);
return http.build();
}4. Leveraging Spring Profiles
Spring profiles allow us to configure different environments for our application. We can use profiles to disable security in certain environments, such as development or testing. Create a new profile-specific properties file, for example, application-dev.properties, and add the following line:
server.port= 8080
spring.profiles.active=dev
spring.application.name=spring-security-noauth-profileNow, create the new Java class named DevSecurityConfiguration. This class is specifically configured for the “dev” profile in a Spring Boot application. It allows unrestricted access to all endpoints by permitting all requests. This is useful during dev phases to simplify testing and debugging without security constraints:
@Profile("dev")
public class DevSecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
return http.build();
}
}Along with the above configuration, we’ll define another security configuration class that applies when the dev profile is not active. This configuration enables authentication and allows restricted access to all endpoints:
@Profile("!dev")
public class SecurityConfiguration {
@Bean
SecurityFilterChain httpSecurity(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.formLogin(withDefaults())
.httpBasic(withDefaults());
return http.build();
}
}When we run the application in the development environment using the dev profile, all requests will be allowed without authentication. However, when the application runs using any profile other than dev, our application requires authentication for any kind of request.
5. Removing Spring Security Dependency
The simplest way to disable Spring Security is to remove its dependency from the project. By doing this, we’ll remove all security-related configurations and defaults provided by Spring Security:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>...</version>
</dependency>Removing this dependency eliminates all Spring Security features from the application.
6. Excluding Spring Security Auto-Configuration
Spring Boot automatically configures security when we include spring-boot-starter-security in our classpath. To disable it, exclude the auto-configuration by adding the following property to application.properties:
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfigurationIf we want to disable Spring Security completely, we should use spring.autoconfigure.exclude without creating a SecurityConfiguration class. Manually configuring the Spring Security class overrides the application.properties configuration, so exclusion in the application.properties has no effect when both are used together.
7. Testing Without Security
We can verify that we have disabled security by starting the application and accessing the endpoints locally. Bring the spring boot application up and running, and we’ll see the below response when we try to access the REST endpoint:
We can programmatically verify that security is disabled by writing JUnit tests using the MockMvc library.
7.1. Unit Test for Custom Security Configuration
Here is a sample unit test to verify that the security configuration allows unrestricted access:
public class CommonSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenSecurityIsDisabled_thenAllEndpointsAreAccessible() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isOk());
}
}7.2. Unit Test for Application Profiles
We write two separate tests to verify that our security behaves differently based on active profiles. Here’s a unit test for the dev profile when security is disabled:
@ActiveProfiles("dev")
public class DevProfileSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenDevProfileIsActive_thenAccessIsAllowed() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isOk());
}
}Here’s a unit test for the non–dev profile when security is enabled:
public class NonDevProfileSecurityConfigTest {
@Autowired
private MockMvc mockMvc;
@Test
public void whenNonDevProfileIsActive_thenAccessIsDenied() throws Exception {
mockMvc.perform(get("/api/endpoint"))
.andExpect(status().isUnauthorized());
}
}8. Conclusion
In this article, we discussed various methods for disabling Spring Security in a Spring Boot application, each suited for different scenarios. Whether we use a custom security configuration or leverage Spring profiles, the approach should align with our development and deployment needs. By following the steps outlined in this article, we can ensure that our application remains flexible and easy to manage, especially during the development and testing phases.
