From 69fcaef501ab51b06794d22ab041280f376b4d56 Mon Sep 17 00:00:00 2001 From: Henning Poettker Date: Tue, 22 Feb 2022 00:56:40 +0100 Subject: [PATCH 1/4] Document WebSecurityCustomizer for H2 Console --- .../src/docs/asciidoc/features/sql.adoc | 15 +++++++++ .../MySecurityConfiguration.java | 32 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc index 301a07dd6562..9d5ec4cf82fe 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc @@ -322,6 +322,21 @@ You can customize the console's path by using the configprop:spring.h2.console.p +[[features.sql.h2-web-console.spring-security]] +==== Configuring Spring Security for H2 Console +H2 Console uses frames and, as it's intended for development only, does not implement CSRF protection measures. If your application uses Spring Security, you need to configure it accordingly. + +For example, Spring Security will ignore the console if the following `WebSecurityCustomizer` is exposed: + +[source,java,indent=0,subs="verbatim"] +---- +include::{docs-java}/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java[] +---- + +TIP: `PathRequest.toH2Console()` returns the correct request matcher also when the console's path has been customized. + + + [[features.sql.jooq]] === Using jOOQ jOOQ Object Oriented Querying (https://www.jooq.org/[jOOQ]) is a popular product from https://www.datageekery.com/[Data Geekery] which generates Java code from your database and lets you build type-safe SQL queries through its fluent API. 
diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java
new file mode 100644
index 000000000000..bdd73e476d87
--- /dev/null
+++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.docs.features.sql.h2webconsole.springsecurity;
+
+import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+
+@Configuration(proxyBeanMethods = false)
+public class MySecurityConfiguration {
+
+ @Bean
+ public WebSecurityCustomizer webSecurityCustomizer() {
+ return (web) -> web.ignoring().requestMatchers(PathRequest.toH2Console());
+ }
+
+}
From 1573e32e0011dcf8dae0e5076a0a1e4029985c23 Mon Sep 17 00:00:00 2001
From: Henning Poettker Date: Tue, 1 Mar 2022 00:06:50 +0100 Subject: [PATCH 2/4] Adjustments according to feedback --- .../src/docs/asciidoc/features/sql.adoc | 13 +++++++++--- ...a => DevProfileSecurityConfiguration.java} | 20 +++++++++++++++---- 2 files changed, 26 insertions(+), 7 deletions(-) rename spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/{MySecurityConfiguration.java => DevProfileSecurityConfiguration.java} (57%) diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc index 9d5ec4cf82fe..3db0cecfc606 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc 
@@ -324,15 +324,22 @@ You can customize the console's path by using the configprop:spring.h2.console.p [[features.sql.h2-web-console.spring-security]] ==== Configuring Spring Security for H2 Console -H2 Console uses frames and, as it's intended for development only, does not implement CSRF protection measures. If your application uses Spring Security, you need to configure it accordingly. +H2 Console uses frames and, as it's intended for development only, does not implement CSRF protection measures. If your application uses Spring Security, you need to configure it to -For example, Spring Security will ignore the console if the following `WebSecurityCustomizer` is exposed: +* disable CSRF protection for requests against the console, +* set the header `X-Frame-Options` to `SAMEORIGIN` on responses from the console. + +More information on {spring-security-docs}#csrf[CSRF] and the header {spring-security-docs}#headers-frame-options[X-Frame-Options] can be found in the Spring Security Reference Guide. + +In simple setups, a `SecurityFilterChain` like the following can be used: [source,java,indent=0,subs="verbatim"] ---- -include::{docs-java}/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java[] +include::{docs-java}/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java[] ---- +WARNING: The H2 console is only intended for use during development. In production, disabling CSRF protection or allowing frames for a website may create severe security risks. + TIP: `PathRequest.toH2Console()` returns the correct request matcher also when the console's path has been customized. 
diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java
similarity index 57%
rename from spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java
rename to spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java
index bdd73e476d87..88eb90d875c1 100644
--- a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java
+++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java
@@ -19,14 +19,26 @@
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.context.annotation.Profile;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+@Profile("dev")
 @Configuration(proxyBeanMethods = false)
-public class MySecurityConfiguration {
+public class DevProfileSecurityConfiguration {
 @Bean
- public WebSecurityCustomizer webSecurityCustomizer() {
- return (web) -> web.ignoring().requestMatchers(PathRequest.toH2Console());
+ @Order(Ordered.HIGHEST_PRECEDENCE)
+ SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
+ // @formatter:off
+ return http.requestMatcher(PathRequest.toH2Console())
+ // ... configuration for authorization
+ .csrf().disable()
+ .headers().frameOptions().sameOrigin().and()
+ .build();
+ // @formatter:on
 }
 }
From 2b9b1483ee8227f19dda12e90e00825d23e9211b Mon Sep 17 00:00:00 2001
From: Henning Poettker
Date: Tue, 1 Mar 2022 00:33:56 +0100
Subject: [PATCH 3/4] Remove code snippet
---
 .../src/docs/asciidoc/features/sql.adoc | 11 +----
 .../DevProfileSecurityConfiguration.java | 44 -------------------
 2 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc
index 3db0cecfc606..e4c9d650e46e 100644
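Review bot: The chain built in `h2ConsoleSecurityFilterChain` never configures authorization — `// ... configuration for authorization` is left as a placeholder — so, as far as I can tell, a reader who copies the snippet verbatim gets a highest-precedence `SecurityFilterChain` that serves the console to any caller, because an `HttpSecurity` on which neither `authorizeHttpRequests` nor `authorizeRequests` is called adds no access-control filter. Since the sample's point is to relax only CSRF and frame options for the console, the access rule should be shown explicitly rather than left to the reader, for example by replacing the placeholder with `.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())` ahead of `.csrf().disable()`. A short comment such as `// only CSRF and frame options are relaxed; the console still requires an authenticated user` would carry that intent into the rendered documentation. The identical class is reintroduced by the `@@ -0,0 +1,44 @@` hunk of patch 4/4 (the revert of "Remove code snippet"), where the same comment applies.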
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc @@ -331,16 +331,9 @@ H2 Console uses frames and, as it's intended for development only, does not impl More information on {spring-security-docs}#csrf[CSRF] and the header {spring-security-docs}#headers-frame-options[X-Frame-Options] can be found in the Spring Security Reference Guide. -In simple setups, a `SecurityFilterChain` like the following can be used: +WARNING: The H2 console is only intended for use during development. For production websites, disabling CSRF protection or allowing frames may create severe security risks. -[source,java,indent=0,subs="verbatim"] ----- -include::{docs-java}/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java[] ----- - -WARNING: The H2 console is only intended for use during development. In production, disabling CSRF protection or allowing frames for a website may create severe security risks. - -TIP: `PathRequest.toH2Console()` returns the correct request matcher also when the console's path has been customized. +TIP: `PathRequest.toH2Console()` provides a `RequestMatcher` for the console that is useful when configuring Spring Security or implementing a custom servlet filter. diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java deleted file mode 100644 index 88eb90d875c1..000000000000 --- a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java +++ /dev/null 
@@ -1,44 +0,0 @@
-/*
- * Copyright 2012-2022 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.docs.features.sql.h2webconsole.springsecurity;
-
-import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Profile;
-import org.springframework.core.Ordered;
-import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
-
-@Profile("dev")
-@Configuration(proxyBeanMethods = false)
-public class DevProfileSecurityConfiguration {
-
- @Bean
- @Order(Ordered.HIGHEST_PRECEDENCE)
- SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
- // @formatter:off
- return http.requestMatcher(PathRequest.toH2Console())
- // ... configuration for authorization
- .csrf().disable()
- .headers().frameOptions().sameOrigin().and()
- .build();
- // @formatter:on
- }
-
-}
From 39ecdb9597302e1bf3737b3ad1fba672b1bca785 Mon Sep 17 00:00:00 2001
From: Henning Poettker Date: Thu, 3 Mar 2022 19:44:57 +0100 Subject: [PATCH 4/4] Revert "Remove code snippet" This reverts commit 2b9b1483ee8227f19dda12e90e00825d23e9211b. --- .../src/docs/asciidoc/features/sql.adoc | 11 ++++- .../DevProfileSecurityConfiguration.java | 44 +++++++++++++++++++ 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc index e4c9d650e46e..3db0cecfc606 100644 --- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc +++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc 
@@ -331,9 +331,16 @@ H2 Console uses frames and, as it's intended for development only, does not impl More information on {spring-security-docs}#csrf[CSRF] and the header {spring-security-docs}#headers-frame-options[X-Frame-Options] can be found in the Spring Security Reference Guide. -WARNING: The H2 console is only intended for use during development. For production websites, disabling CSRF protection or allowing frames may create severe security risks. +In simple setups, a `SecurityFilterChain` like the following can be used: -TIP: `PathRequest.toH2Console()` provides a `RequestMatcher` for the console that is useful when configuring Spring Security or implementing a custom servlet filter. +[source,java,indent=0,subs="verbatim"] +---- +include::{docs-java}/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java[] +---- + +WARNING: The H2 console is only intended for use during development. In production, disabling CSRF protection or allowing frames for a website may create severe security risks. + +TIP: `PathRequest.toH2Console()` returns the correct request matcher also when the console's path has been customized. diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java new file mode 100644 index 000000000000..88eb90d875c1 --- /dev/null +++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/features/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java 
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.docs.features.sql.h2webconsole.springsecurity;
+
+import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Profile("dev")
+@Configuration(proxyBeanMethods = false)
+public class DevProfileSecurityConfiguration {
+
+ @Bean
+ @Order(Ordered.HIGHEST_PRECEDENCE)
+ SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
+ // @formatter:off
+ return http.requestMatcher(PathRequest.toH2Console())
+ // ... configuration for authorization
+ .csrf().disable()
+ .headers().frameOptions().sameOrigin().and()
+ .build();
+ // @formatter:on
+ }
+
+}