Is there a way I can disable the global method security using the boolean securityEnabled from my Any other approach?

public class SecurityConfig
  extends WebSecurityConfigurerAdapter {

  private boolean securityEnabled;

  // ...
}

The easiest way to do this is:

  • Extract method security to its own class
  • Remove the securedEnabled attribute entirely
  • Override the customMethodSecurityMetadataSource method and return the result based on the configured value.

For example:

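public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}

@EnableGlobalMethodSecurity
@Configuration
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Populated from the application's configuration
    private boolean securityEnabled;

    @Override
    protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
        // Returning null registers no custom metadata source, so @Secured is not enforced
        return securityEnabled ? new SecuredAnnotationSecurityMetadataSource() : null;
    }
}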

I've managed this by defining a Spring "securityDisabled" profile and conditionally applying security config based off that. I'm using Spring Boot 2.0.2. I believe this should work if not using Spring Boot and in previous versions of Spring Boot, but I have not tested. It's possible some tweaks may be required to property and class names because I know in Spring 2.0 some of that changed.

// In

Then my security config looks like this:

@Configuration
public class SecurityConfig {

  // When the securityDisabled profile is applied the following configuration gets used
  @Profile("securityDisabled")
  @EnableWebSecurity
  public class SecurityDisabledConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Configure http as needed from Spring Security defaults when
        // NO security is desired
    }
  }

  // When the securityDisabled profile is NOT applied the following configuration gets used
  @Profile("!securityDisabled")
  @EnableWebSecurity
  @EnableGlobalMethodSecurity(prePostEnabled = true)
  public class SecurityEnabledConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Configure http as needed from Spring Security defaults when
        // security is desired
    }
  }
}
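
A startup guard for the profile switch in the answer above, as an added example that is not part of the original answers. It assumes production deployments activate a profile named `prod` or `production` (hypothetical names, as is the class name `SecurityDisabledGuard`) and aborts startup if `securityDisabled` is combined with one of them.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;

// Added example: this class is only loaded when the "securityDisabled" profile is active.
@Configuration
@Profile("securityDisabled")
public class SecurityDisabledGuard implements InitializingBean {

    private static final Logger log = LoggerFactory.getLogger(SecurityDisabledGuard.class);

    // Assumption: deployments that must never run unsecured activate one of these profiles.
    private static final List<String> PROTECTED_PROFILES = Arrays.asList("prod", "production");

    private final Environment environment;

    public SecurityDisabledGuard(Environment environment) {
        this.environment = environment;
    }

    @Override
    public void afterPropertiesSet() {
        String[] activeProfiles = environment.getActiveProfiles();
        for (String active : activeProfiles) {
            if (PROTECTED_PROFILES.contains(active.toLowerCase(Locale.ROOT))) {
                // Fail closed: abort context startup rather than serve requests without checks.
                throw new IllegalStateException(
                        "Profile 'securityDisabled' must not be combined with '" + active + "'");
            }
        }
        // Leave an audit trail so an unsecured instance is visible in the startup logs.
        log.warn("Web and method security are DISABLED (profile 'securityDisabled'); active profiles: {}",
                Arrays.toString(activeProfiles));
    }
}
```

The thrown exception stops the application context from starting, and the warning gives monitoring a line to alert on in environments where the profile is allowed.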

In Spring Boot 2, a simple solution consists of replacing the security method interceptor with a dummy one when security is off:

@EnableGlobalMethodSecurity(prePostEnabled = true)
static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    private boolean disableSecurity;

    @Override
    public MethodInterceptor methodSecurityInterceptor(MethodSecurityMetadataSource methodSecurityMetadataSource) {
        // SimpleTraceInterceptor only traces the invocation and performs no authorization checks
        return disableSecurity ? new SimpleTraceInterceptor()
                : super.methodSecurityInterceptor(methodSecurityMetadataSource);
    }
}

Thanks to Rob Winch for the solution. For folks who would like to do something similar but with prePostEnabled, I have tried and tested the similar approach below and it works just fine.

@EnableGlobalMethodSecurity(securedEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

  private boolean prePostEnabled;

  // Injected so the metadata source below does not receive a null handler
  @Autowired
  private DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler;

  @Override
  protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
    return prePostEnabled
        ? new PrePostAnnotationSecurityMetadataSource(
            new ExpressionBasedAnnotationAttributeFactory(defaultMethodSecurityExpressionHandler))
        : null;
  }
}

EDIT: In addition to the above, I realized it is required to add the following beans to the class. The below will help using the expression-based pre-invocation checks along with avoiding the "ROLE_" prefix that is defaulted in all the handlers.

@Override
protected AccessDecisionManager accessDecisionManager() {
    AffirmativeBased accessDecisionManager = (AffirmativeBased) super.accessDecisionManager();
    ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
    // This is required in order to allow expression based Voter to allow access
    accessDecisionManager.getDecisionVoters()
            .add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));

    // Remove the ROLE_ prefix from RoleVoter for @Secured and hasRole checks on methods
    accessDecisionManager.getDecisionVoters().stream()
            .filter(RoleVoter.class::isInstance)
            .map(RoleVoter.class::cast)
            .forEach(it -> it.setRolePrefix(""));

    return accessDecisionManager;
}

/**
 * Allow skip ROLE_ when check permission using @PreAuthorize, like:
 * @PreAuthorize("hasAnyRole('USER', 'SYSTEM_ADMIN')")
 * Added all the Beans
 */
@Bean
public DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() {
    DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler = new DefaultMethodSecurityExpressionHandler();
    // An empty default prefix is what lets hasRole/hasAnyRole match authorities without ROLE_
    defaultMethodSecurityExpressionHandler.setDefaultRolePrefix("");
    return defaultMethodSecurityExpressionHandler;
}

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow