Skip to content

Document how to access the H2 Console in a secured web application #29932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Document how to access the H2 Console in a secured web application #29932

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
69fcaef
Document WebSecurityCustomizer for H2 Console
hpoettker Feb 21, 2022
1573e32
Adjustments according to feedback
hpoettker Feb 28, 2022
2b9b148
Remove code snippet
hpoettker Feb 28, 2022
39ecdb9
Revert "Remove code snippet"
hpoettker Mar 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/sql.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,21 @@ You can customize the console's path by using the configprop:spring.h2.console.p



[[features.sql.h2-web-console.spring-security]]
==== Configuring Spring Security for H2 Console
H2 Console uses frames and, as it's intended for development only, does not implement CSRF protection measures. If your application uses Spring Security, you need to configure it accordingly.

For example, Spring Security will ignore the console if the following `WebSecurityCustomizer` is exposed:
Copy link
Member

@snicoll snicoll Feb 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to be more explicit than "ignoring" and mention anybody could access it.

Copy link
Member

@wilkinsona wilkinsona Feb 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. In the context of CSRF, it would be better to just disable Security's protection rather than ignoring entirely. This is what the old (1.x) auto-configuration for the console used to do:

spring-boot/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/h2/H2ConsoleAutoConfiguration.java

Lines 97 to 113 in 10a5cef

@Override
public void configure(HttpSecurity http) throws Exception {
String path = this.console.getPath();
String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
HttpSecurity h2Console = http.antMatcher(antPattern);
h2Console.csrf().disable();
h2Console.httpBasic();
h2Console.headers().frameOptions().sameOrigin();
String[] roles = this.security.getUser().getRole().toArray(new String[0]);
SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
http.authorizeRequests().anyRequest().hasAnyRole(roles);
}
else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
http.authorizeRequests().anyRequest().authenticated();
}
}


[source,java,indent=0,subs="verbatim"]
----
include::{docs-java}/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java[]
----

TIP: `PathRequest.toH2Console()` returns the correct request matcher also when the console's path has been customized.



[[features.sql.jooq]]
=== Using jOOQ
jOOQ Object Oriented Querying (https://www.jooq.org/[jOOQ]) is a popular product from https://www.datageekery.com/[Data Geekery] which generates Java code from your database and lets you build type-safe SQL queries through its fluent API.
Expand Down
32 changes: 32 additions & 0 deletions ...framework/boot/docs/features/sql/h2webconsole/springsecurity/MySecurityConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/*
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.springframework.boot.docs.features.sql.h2webconsole.springsecurity;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

@Configuration(proxyBeanMethods = false)
public class MySecurityConfiguration {

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().requestMatchers(PathRequest.toH2Console());
}

}