
Spring Boot /h2-console throws 403 with Spring Security 1.5.2

We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One of the features of 1.5.2 is that if Spring Security is part of the package then it is protected by basic auth. I am unable to access the /h2-console even after basic auth. It throws 403 forbidden.

application.yml:

    spring:
      datasource:
        driver-class-name: org.h2.Driver
        url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
        username: sa
        password: sa
        initialize: false
      jpa:
        hibernate:
          ddl-auto: validate
        show-sql: true
        database-platform: org.hibernate.dialect.H2Dialect
      h2:
        console:
          enabled: true
          settings:
            web-allow-others: true
      allowed:
        resources: /h2-console/**

I have even explicitly allowed /h2-console/**

    httpSecurity.authorizeRequests()
            .antMatchers(allowedResources)
            .permitAll()

I keep getting 403 when trying to access localhost:8080/h2-console. I tried many settings as well as putting:

    management.security.enabled=true
    security.basic.enabled=true

But I am unable to access the h2-console.

Tuhin Kanti Sharma asked May 05 '17 00:05



2 Answers

Since H2 has its own authentication provider, you can skip Spring Security for the path of the h2 console entirely, in the same way that you do for your static content.

In order to do that, in your Spring security config, you have to override the configuration method which takes an instance of org.springframework.security.config.annotation.web.builders.WebSecurity as a parameter instead of the one which takes an instance of org.springframework.security.config.annotation.web.builders.HttpSecurity.

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/h2-console/**");
    }

If you're using h2 in a production environment, make sure you set up the proper security measures (things like setting a non-obvious path, a good password, an IP whitelist) for your h2 console.

Para D answered Sep 17 '22 12:09


Spring Security blocks the /h2-console path (or the path you configured in your application.yaml) for the H2 database.

To access the H2 console just add the below code to your WebSecurityConfigurerAdapter.

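    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Allow unauthenticated access to the root path and the H2 console
            http.authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/h2-console/**").permitAll();

            // Disables CSRF protection for the whole application
            http.csrf().disable();
            // Stops sending X-Frame-Options so the console's frames can render
            http.headers().frameOptions().disable();
        }
    }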

Don't use this configuration in a production environment. =)

argoth answered Sep 21 '22 12:09
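A narrower variant of the configuration in the second answer, as an added example that is not code from either answer: it confines the CSRF and frame-option relaxations to the console path, keeps basic auth in front of the console, and only loads under a development profile. The profile name `dev`, the class name `H2ConsoleSecurityConfiguration` and the `@Order(1)` value are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumption: the application is started with the "dev" profile on developer
// machines only, and spring.h2.console.enabled is set only in that profile's
// properties. Without the profile this class is never registered.
@Configuration
@Profile("dev")
// Assumption: no other adapter uses order 1. A lower number than the default
// adapter order (100) makes this chain match /h2-console/** first.
@Order(1)
public class H2ConsoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain handles console requests only; every other
            // URL falls through to the application's main security config.
            .antMatcher("/h2-console/**")
            .authorizeRequests()
                // Keep Spring Security's authentication in front of the
                // console in addition to H2's own login form.
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            // The console's forms carry no CSRF token. Disabling CSRF here
            // affects this chain only, not the rest of the application.
            .csrf().disable()
            // The console UI is built from frames served by the same origin,
            // so SAMEORIGIN is enough; other sites still cannot frame it.
            .headers().frameOptions().sameOrigin();
    }
}
```

The application's existing security configuration stays unchanged and keeps CSRF protection and the default `X-Frame-Options: DENY` header for every path outside `/h2-console/**`.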