Spring Boot /h2-console throws 403 with Spring Security 1.5.2
I want to provide configuration similar to what is proposed by @argoth, but a bit more production ready :)
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Profile("h2") // to make sure it is active only if h2 profile is active
@Configuration
@ConditionalOnProperty( // to make sure it is active only if console is enabled
        value = "spring.h2.console.enabled",
        havingValue = "true",
        matchIfMissing = false)
public class H2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // this may not be required, depends on your app configuration
        http.authorizeRequests()
            // we need config just for the console, nothing else
            // (same path as the CSRF and frame settings below)
            .antMatchers("/h2-console/**").permitAll();
        // this will ignore CSRF only for the h2 console, Spring Security 4+
        http.csrf().ignoringAntMatchers("/h2-console/**");
        // this will allow frames from the same origin only, which is much safer
        // than disabling frame options altogether
        http.headers().frameOptions().sameOrigin();
    }
}
In fact there was a similar configuration in Boot 1.3 called H2ConsoleSecurityConfiguration, but now it's gone: Old class
github discussion
Upd. Very important note here! When you have multiple WebSecurityConfigurerAdapter
they may conflict with each other, so if you have another WebSecurityConfigurerAdapter
in your code, you will need to somehow merge them. To give you more details on why there will be a conflict: it will happen due to each adapter setting up its own filter chain, and every request will have to pass both filter chains. If one of the chains forbids frameOptions and the other doesn't, the request won't pass the first chain. That said, please be careful with multiple configurers.
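One way to run the H2 console adapter next to the application's own adapter without the two fighting over the same requests, as an added example that is not from any of the answers above: scope the console adapter with http.antMatcher and give it a lower @Order value, so console requests are handled by the console chain and every other request by the application chain, which keeps CSRF, DENY frame options and authentication. The "h2" profile name, the default /h2-console path and the "/public/**" prefix are assumptions.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: registered only when the (assumed) "h2" profile is active AND
    // spring.h2.console.enabled=true, so it does not exist in a production profile.
    // @Order(1) puts it in front of the default adapter (order 100).
    @Configuration
    @Order(1)
    @Profile("h2")
    @ConditionalOnProperty(value = "spring.h2.console.enabled", havingValue = "true")
    public static class H2ConsoleSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Restrict this entire filter chain to the console path (assumed default).
            http.antMatcher("/h2-console/**");
            http.authorizeRequests().anyRequest().permitAll();
            // CSRF is switched off only inside this scoped chain; the rest of
            // the application keeps it (see chain 2).
            http.csrf().disable();
            // Allow the console's frames only from the same origin instead of
            // dropping X-Frame-Options completely.
            http.headers().frameOptions().sameOrigin();
        }
    }

    // Chain 2: no antMatcher, so it handles everything that chain 1 did not match.
    // Defaults stay in place: CSRF protection on, X-Frame-Options: DENY.
    @Configuration
    public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/public/**").permitAll() // assumed public paths
                    .anyRequest().authenticated()
                .and()
                .formLogin();
        }
    }
}
```

Because chain 1 is scoped with antMatcher, a request to /login or /api/... never reaches the relaxed console settings, which is the merge the note above asks for.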
Spring security blocks /h2-console (or the path you configured in your application.yaml) path for H2 database.
To access the H2 console just add the below code to your WebSecurityConfigurerAdapter.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/h2-console/**").permitAll();
        // disables CSRF protection for the whole application
        http.csrf().disable();
        // removes the X-Frame-Options header for the whole application
        http.headers().frameOptions().disable();
    }
}
Don't use this configuration in a production environment. =)
Since H2 has its own authentication provider, you can skip Spring Security for the path of the h2 console entirely, in the same way that you do for your static content.
In order to do that, in your Spring security config, you have to override the configuration method which takes an instance of org.springframework.security.config.annotation.web.builders.WebSecurity
as a parameter instead of the one which takes an instance of org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.builders.WebSecurity;

@Override
public void configure(WebSecurity web) throws Exception {
    // requests to the console bypass the Spring Security filter chain entirely
    web
        .ignoring()
        .antMatchers("/h2-console/**");
}
If you're using h2 in a production environment, make sure you set up the proper security measures (things like setting a non-obvious path, a good password, an IP whitelist) for your h2 console.