[Fixed] Spring Security version 6 issues with SecurityFilterChain – Spring

by
Ali Hasan
h2o spring spring-boot spring-security

Quick Fix: Disable CSRF and set X-Frame-Options headers to access H2 Console in a secured Spring Security application. Create a SecurityFilterChain with a securityMatcher for H2 Console and disable CSRF and set frameOptions to SAMEORIGIN.

The Problem:

Migrating to Spring Security 6 replaces WebSecurityConfigurerAdapter with a SecurityFilterChain bean. Documentation and online resources give conflicting advice on how to express authorization rules with the request matchers (antMatchers, mvcMatchers, and requestMatchers), and after the migration the h2-console becomes inaccessible when the SecurityFilterChain is configured with AntPathRequestMatcher.

The Solutions:

Solution 1: Disable CSRF and set X-Frame-Options

To access the H2 console in a secured Spring Security application, you need to disable CSRF protection and set the X-Frame-Options header to SAMEORIGIN on responses from the console.

Here’s how you can achieve this in your SecurityFilterChain configuration:


import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Profile("dev")                         // the bean only exists when the dev profile is active
@Configuration(proxyBeanMethods = false)
public class DevProfileSecurityConfiguration {

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)  // evaluated before the application's other chains
    SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // this chain handles only requests to the H2 console (/h2-console/** by default)
            .securityMatcher(PathRequest.toH2Console())
            // yourCustomAuthorization() stands for your own Customizer,
            // e.g. auth -> auth.anyRequest().authenticated()
            .authorizeHttpRequests(yourCustomAuthorization())
            // the console's login form posts without a CSRF token
            .csrf(csrf -> csrf.disable())
            // the console renders itself in frames: SAMEORIGIN instead of the default DENY
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}

This configuration creates a separate SecurityFilterChain that handles only requests to the H2 console (/h2-console/** by default). For those requests it disables CSRF protection and sets the X-Frame-Options header to SAMEORIGIN; every other request keeps the application's normal chain and its default protections. Because the class is annotated @Profile("dev"), the bean is not created in other profiles.

Solution 2: Fixing `h2-console` Access

To resolve the issue where the `h2-console` is inaccessible, include the following lines within the `SecurityFilterChain` bean (`AntPathRequestMatcher` is `org.springframework.security.web.util.matcher.AntPathRequestMatcher`):

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/"), new AntPathRequestMatcher("/console/**"), new AntPathRequestMatcher("/h2-console/**")).permitAll()
                // ... the rest of your rules, e.g. .anyRequest().authenticated()
            );

These rules allow access to the specified paths (root, console, and h2-console) without authentication. They only cover authorization: the H2 console still needs the CSRF and X-Frame-Options settings from Solution 1 for its login form and frames to work.

Solution 3: Use the new requestMatchers with lambda expression

In earlier versions of Spring Security, we used antMatchers and mvcMatchers for URL matching. In Spring Security 6, these methods are deprecated. To match URLs in Spring Security 6, we should use the requestMatchers method inside the authorizeHttpRequests lambda expression.

In your example, you can use the following code to match the URL pattern /h2-console/**:

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

...

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        // the lambda receives the authorization registry; requestMatchers replaces antMatchers/mvcMatchers
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(new AntPathRequestMatcher("/h2-console/**")).permitAll())
        // ... (other configuration)
        .httpBasic(withDefaults());
    return http.build();
}

The authorizeHttpRequests method takes a lambda expression whose argument is the authorization registry. Inside the lambda, you specify the URL patterns you want to match: requestMatchers takes over the role of antMatchers and here matches the URL pattern /h2-console/** through an AntPathRequestMatcher. The permitAll method allows access to the matched URL patterns without authentication.
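The three solutions fit together into one configuration: a dev-only chain for the H2 console (Solution 1) in front of the application chain that uses requestMatchers with AntPathRequestMatcher for its public paths (Solutions 2 and 3). The class below is an added example written for this post; it is not code from the original answer or from the Spring project. The package name, the bean names, the /public/** path and the choice to require login on the console are assumptions.

```java
package com.example.config; // assumed package name

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration(proxyBeanMethods = false)
public class SecurityConfig {

    /**
     * Chain 1 (dev profile only): scoped to the H2 console by securityMatcher, so the
     * relaxed settings apply to /h2-console/** and nothing else. HIGHEST_PRECEDENCE makes
     * this chain win over the application chain for those requests. In any other profile
     * the bean does not exist, so console requests fall through to chain 2 and keep CSRF
     * protection and X-Frame-Options: DENY.
     */
    @Bean
    @Profile("dev")
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(PathRequest.toH2Console())
            // assumption: the console still requires a logged-in user, even in dev
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(withDefaults())
            // the console's login form posts without a CSRF token
            .csrf(AbstractHttpConfigurer::disable)
            // the console renders itself in frames; SAMEORIGIN instead of the default DENY
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    /**
     * Chain 2: everything else. No @Order means lowest precedence, so it is consulted last.
     * AntPathRequestMatcher is used explicitly for the public paths; recent Spring Security 6
     * releases refuse to guess between MVC and ant patterns when more than one servlet
     * (DispatcherServlet plus H2's WebServlet) is registered.
     */
    @Bean
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/"),
                                 new AntPathRequestMatcher("/public/**")).permitAll()
                .anyRequest().authenticated())
            .httpBasic(withDefaults())
            .formLogin(withDefaults());
        return http.build();
    }
}
```

Keep the console itself dev-only as well: the servlet is registered by the Spring Boot property spring.h2.console.enabled, so set it to true only in the dev profile's properties. With that, a request to /h2-console in production meets neither the servlet nor the relaxed chain, and the application chain's default protections apply.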

Q&A

We used to work with WebSecurityConfigurerAdapter and everything worked fine, now we have to use SecurityFilterChain instead.

Here is the answer

What version of Spring Boot and Spring Security did you use?

Spring Boot: 3.0.6 & Spring Security: 6.0.3

What are the deprecated methods in http.authorizeRequests()?

antMatchers, mvcMatchers

Video Explanation:

The following video, titled "[Fixed] Spring Security WebSecurityConfigurerAdapter Deprecated …", provides additional insights and in-depth exploration related to the topics discussed in this post.

Description: Guide to fix the warning message "The type WebSecurityConfigurerAdapter is deprecated" in a Spring Boot application using Spring Security.