We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One of the features of 1.5.2 is that if Spring Security is part of the package then it is protected by basic auth. I am unable to access the /h2-console even after basic auth. It throws 403 forbidden.
application.yml:

    spring:
      datasource:
        driver-class-name: org.h2.Driver
        url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
        username: sa
        password: sa
        initialize: false
      jpa:
        hibernate:
          ddl-auto: validate
        show-sql: true
        database-platform: org.hibernate.dialect.H2Dialect
      h2:
        console:
          enabled: true
          settings:
            web-allow-others: true

    allowed:
      resources: /h2-console/**

I have even explicitly allowed /h2-console/**

    httpSecurity.authorizeRequests()
        .antMatchers(allowedResources)
        .permitAll()

I keep getting 403 when trying to access localhost:8080/h2-console. I tried many settings as well as putting:

    management.security.enabled=true
    security.basic.enabled=true

But I am unable to access the h2-console.
Accessing the H2 Console

By default, the H2 console is not enabled in Spring. Then, after starting the application, we can navigate to http://localhost:8080/h2-console, which will present us with a login page. The web console has an auto-complete feature that suggests SQL keywords.
Using Java, we can customize the 403 error handling process by using the accessDeniedPage() or accessDeniedHandler() methods while configuring the HttpSecurity element.
H2 is an embedded, open-source, in-memory database. It is a relational database management system written in Java. It is a client/server application. It stores data in memory and does not persist the data on disk.
Since H2 has its own authentication provider, you can skip Spring Security for the path of the h2 console entirely, in the same way that you do for your static content.
In order to do that, in your Spring security config, you have to override the configuration method which takes an instance of org.springframework.security.config.annotation.web.builders.WebSecurity as a parameter instead of the one which takes an instance of org.springframework.security.config.annotation.web.builders.HttpSecurity

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/h2-console/**");
    }

If you're using h2 in a production environment, make sure you set up the proper security measures (things like setting a non-obvious path, a good password, an IP whitelist) for your h2 console.
Spring Security blocks the /h2-console path (or the path you configured in your application.yaml) for the H2 database.
To access the H2 console, just add the code below to your WebSecurityConfigurerAdapter.
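
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Let anyone reach the root page and the H2 console without logging in.
            http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/h2-console/**").permitAll();

            // Turns CSRF protection off for the whole application, not only the console.
            http.csrf().disable();
            // Removes the X-Frame-Options header everywhere; the console UI is built from frames.
            http.headers().frameOptions().disable();
        }
    }
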
Don't use this configuration in a production environment. =)
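
A narrower variant of the configuration above, added here as an example and not part of either answer: it relaxes CSRF and frame protection only for the console path instead of for the whole application. The class name, the choice to require a login for the console, and the use of HTTP basic are assumptions; the calls are those of Spring Security 4.x as shipped with Spring Boot 1.5.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name, used only for this example.
@Configuration
public class ScopedH2ConsoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed console path; keep it in sync with spring.h2.console.path if you changed it.
    private static final String H2_CONSOLE = "/h2-console/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                // Assumption: the console sits behind a login (the answer uses permitAll()).
                .antMatchers(H2_CONSOLE).authenticated()
            .and()
            // Overriding configure(HttpSecurity) drops the defaults, so enable basic auth again.
            .httpBasic()
            .and()
            // Broad setting: csrf().disable() removes CSRF protection from every endpoint.
            // Scoped setting: only the console, whose forms carry no CSRF token, is exempt.
            .csrf().ignoringAntMatchers(H2_CONSOLE)
            .and()
            // Broad setting: frameOptions().disable() lets any site frame any page.
            // Scoped setting: SAMEORIGIN is enough for the console to load its own frames.
            .headers().frameOptions().sameOrigin();
    }
}
```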