Currently, we are working daily as a group to build an SNS-like web application.
This time I started development using the Java framework "Spring Boot".

In it, I wanted to authenticate users using Spring Security, but no matter what I do, the WebSecurity config is not reflected. How can I get it to be reflected?

To see how far this problem extends, the project shown here is completely separate from the production project. However, the Maven dependencies are the same.

If you know the cause of this, I would appreciate your help.

The problem I am having

Spring Security usually protects all URLs with BASIC authentication when included in the dependency, and even if the URL ends with "/", it cannot be reached without logging in through BASIC authentication.

Instead, my understanding is that you can freely change the settings if you prepare a class that inherits from WebSecurityConfigurerAdapter.

But in my environment, this class doesn't seem to be reflected.
In the configure method overridden in this class, I specified that "/" and "/login" can be viewed by anyone, but I was asked to log in even when I navigated to "/".

Corresponding source code

I don't know what the problem is, so I will paste all the source code.


package com.test.security;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
public class Application {
    public static void main(String[] args) throws Exception {
        // Primary source handed to Spring Boot at startup
        SpringApplication.run(Controllers.class, args);
    }
}


package com.test.security;

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

// Class-level annotations restored from the imports above; they were lost in extraction
@Controller
@EnableAutoConfiguration
public class Controllers {
    // Each handler returns the name of a Thymeleaf template
    @RequestMapping("/")
    public String index() {
        return "index";
    }

    @RequestMapping("/hello")
    public String hello() {
        return "hello";
    }
}


package com.test.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // "/" and "/login" are open to everyone
        http.authorizeRequests()
                .antMatchers("/", "/login")
                .permitAll();
    }
}


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>test_spring_boot</artifactId>
    <version>1.0-SNAPSHOT</version>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.0</version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.16</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

(All together)

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Swapping Positive</title>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
</head>
<body></body>
</html>

In addition, application.properties is not filled in this time.

What I tried

I looked at the article that I searched for "Spring Security BASIC authentication invalidation" and tried various things that seemed to be compatible with Spring boot 2.x, but it didn't work.

I tried disabling csrf, changing antMatchers to mvcMatchers, and setting spring.autoconfigure.exclude in application.properties, but none of it worked.

Supplementary information (FW/tool version, etc.)
  • IntelliJ IDEA 2019.3 # IC-193.5233.102
  • jdk-11.0.4 (IntelliJ standard) or jdk-13.0.1 (neither was good)

That is all. Please let me know if any information is missing.

  • Answer # 1

    I resolved this myself.

    The cause was in the main method of Application.java: it was solved by changing the class specified as the first argument of SpringApplication.run to Application.class itself.

    So it looks like this:

    public class Application {
        public static void main(String[] args) throws Exception {
            // Pass the @SpringBootApplication class itself as the primary source
            SpringApplication.run(Application.class, args);
        }
    }

    I had no choice but to use Spring Tools Suite to find out what the cause was, and when I left the initially generated main class as it was, it worked; so, thinking that might be it, I changed the argument to the class itself and was able to run it without problems.

    Thank you to everyone who has seen this question.
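
The cause described in the answer can be observed directly. The following is an added example, not code from the original post: a hypothetical `PrimarySourceCheck` class in the same package starts the application once with each primary source and reports which security configuration ended up in the context. It assumes `Controllers` carries `@Controller` and `@EnableAutoConfiguration`, as its imports indicate.

```java
package com.test.security;

import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.ConfigurableApplicationContext;

// Added diagnostic (hypothetical class name), not part of the original project.
public class PrimarySourceCheck {

    // Starts the application with the given primary source on a random port and
    // reports which security configuration was registered in the context.
    static String describe(Class<?> primarySource) {
        try (ConfigurableApplicationContext ctx =
                     new SpringApplicationBuilder(primarySource).run("--server.port=0")) {
            // The user's own configuration is only found through component scanning,
            // which is triggered by @SpringBootApplication on the primary source.
            boolean custom =
                    ctx.getBeanNamesForType(WebSecurityConfig.class).length > 0;
            // The Boot default is only switched off if the class carrying
            // exclude = SecurityAutoConfiguration.class is actually processed.
            boolean bootDefault =
                    ctx.getBeanNamesForType(SecurityAutoConfiguration.class).length > 0;
            return String.format(
                    "%s: WebSecurityConfig registered=%b, SecurityAutoConfiguration active=%b",
                    primarySource.getSimpleName(), custom, bootDefault);
        }
    }

    public static void main(String[] args) {
        // spring-boot-devtools is on the classpath; disable its restart support so
        // main() is not relaunched in a restart thread between the two runs.
        System.setProperty("spring.devtools.restart.enabled", "false");

        System.out.println(describe(Controllers.class)); // launch used in the question
        System.out.println(describe(Application.class)); // launch used in the answer
    }
}
```

Once `WebSecurityConfig` is loaded, its `configure` method lists only `permitAll` matchers, so it does not by itself restrict other paths such as `/hello`. Those are protected only if a rule such as `anyRequest().authenticated()` and a login mechanism are added to the same chain.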