Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable

Spring Boot 2.0 changed its auto configuration (including some properties) and has now a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter. The default configuration looks like

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .and()
        .httpBasic();
}

A single user with a generated password is configured by default. To customize this user use the properties under spring.security.user.

spring.security.user.name=user # Default user name.
spring.security.user.password= # Password for the default user name.
spring.security.user.roles= # Granted roles for the default user name.

The following properties have been removed as of Spring Boot 2:

security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions

Replacements (if existing) can be found here: Appendix A. Common application properties

To be clear: If you create a custom WebSecurityConfigurerAdapter the default security configuration will be replaced with your custom configuration:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // For example: Use only Http Basic and not form login.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

For more information visit the Spring 2.0 Migration Guide.

This is because when you write security.basic.enabled = false you basically tell the application that I don't care about security and allow all the request what so ever. After spring boot 2.0 , you cant just write that 1 configuration to make the app insecure. You need to write some code to do that . Or you can just copy the following.

package com.LockheedMartin.F22Simulator;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}

By the way you should remove security.basic.enabled = false from your application.properties , as spring 2.*.* doesn't understand that property anymore and If you have proper Intellij setup , You should see a warning saying 'unsupported property'.

If you are using Spring reactive Security we need to do something like this,

@Bean
  public SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange().anyExchange().permitAll();
    return http.build();
  }

There is another stackoverflow post on this as well, Spring boot 2.0 disable default security