IlyaOkonechnikov opened SWF-1753 and commented
We decided to implement a separate security lib in our project. It will be shared among loads of our services. We created an @EnableApiKeyAuth annotation that imports our custom security config which implies the protection of all requests via a specific header. However, if we are going to use our library, but don't want to put this annotation in the application class, the default authentication will be enabled because of the presence of the spring-security-core in our lib's classpath. The obvious way to fix it is to exclude SecurityAutoConfiguration, but it's inconvenient since we are obliged to do that in every service where we don't want to use the aforementioned annotation. I implemented the so-called DefaultSecurityConfiguration in our security lib that is enabled only if there is no WebSecurityConfigurerAdapter in the application context. I suggest that this behavior is quite irrational. Could you fix it in the nearest time, please?

Affects: 2.5.1
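A sketch of the kind of back-off configuration the report describes, added here as an example and not the reporter's code. Only the class name DefaultSecurityConfiguration comes from the post; the package, the nested PassThroughAdapter class, the permit-all policy and the spring.factories registration are assumptions for Spring Boot 2.5.x with Spring Security 5.5.

```java
// Added example (not from the issue). Register the class in the library's
// META-INF/spring.factories so Boot treats it as auto-configuration:
//   org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
//     com.example.security.DefaultSecurityConfiguration
package com.example.security; // hypothetical package name

import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Runs before Boot's own security auto-configuration, and only when the
// application context holds no WebSecurityConfigurerAdapter. The adapter
// imported by @EnableApiKeyAuth is user configuration, so it is registered
// first and makes this class back off.
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@AutoConfigureBefore(SecurityAutoConfiguration.class)
public class DefaultSecurityConfiguration {

    // Because this adapter is now in the context, Boot's default
    // form-login/HTTP Basic filter chain is not created.
    @Configuration(proxyBeanMethods = false)
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class PassThroughAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Assumed policy: no authentication when the service has not
            // opted in to API-key protection.
            http.authorizeRequests(requests -> requests.anyRequest().permitAll());
        }
    }
}
```

With this configuration a service that depends on the library but omits @EnableApiKeyAuth serves every request unauthenticated, so the missing annotation is something to check for in review or at startup.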