The Problem:
Migrating to Spring Security version 6 introduces the use of SecurityFilterChain instead of WebSecurityConfigurerAdapter. Documentation and online resources provide conflicting information on how to configure authorization rules using request matchers like antMatchers, mvcMatchers, and requestMatchers. As a result, the h2-console becomes inaccessible when using AntPathRequestMatcher in the SecurityFilterChain configuration.
The Solutions:
Solution 1: Disable CSRF and set X-Frame-Options
To access the H2 console in a secured Spring Security application, you need to disable CSRF protection and set the X-Frame-Options header to SAMEORIGIN on responses from the console.
Here’s how you can achieve this in your SecurityFilterChain configuration:
```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Profile("dev")
@Configuration(proxyBeanMethods = false)
public class DevProfileSecurityConfiguration {

    // Highest precedence so this chain is consulted before the application's main chain
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // only requests to the H2 console path (spring.h2.console.path, default /h2-console) hit this chain
            .securityMatcher(PathRequest.toH2Console())
            // yourCustomAuthorization() is the answer's placeholder for a Customizer<AuthorizationManagerRequestMatcherRegistry>
            .authorizeHttpRequests(yourCustomAuthorization())
            // the console posts its forms without a CSRF token; CSRF is relaxed for this chain only
            .csrf(csrf -> csrf.disable())
            // the console renders in frames, so allow same-origin framing instead of the default DENY
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}
```
This configuration creates a separate SecurityFilterChain for requests to the H2 console (/h2-console/**), disables CSRF protection for it, and sets the X-Frame-Options header appropriately.
Solution 2: Fixing `h2-console` Access
To resolve the issue where the `h2-console` is inaccessible, you need to include the following lines within the `SecurityFilterChain` bean:
```java
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

http
    .authorizeHttpRequests()
    // AntPathRequestMatcher matches on the servlet path, so it works for the H2 console servlet as well as MVC handlers
    .requestMatchers(new AntPathRequestMatcher("/"), new AntPathRequestMatcher("/console/**"), new AntPathRequestMatcher("/h2-console/**")).permitAll();
```
These lines allow access to the specified paths (root, console, and h2-console) without authentication.
Solution 3: Use the new requestMatchers with lambda expression
In previous versions of Spring Security, we used antMatchers and mvcMatchers for URL matching. However, in Spring Security 6, these methods are deprecated. To match URLs in Spring Security 6, we should use the requestMatchers method with a lambda expression.
In your example, you can use the following code to match the URL pattern /h2-console/**:
```java
import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
...
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            // Spring Security 6: requestMatchers(...) replaces antMatchers/mvcMatchers.
            // antMatcher() builds an AntPathRequestMatcher, which matches the H2 console
            // servlet path regardless of Spring MVC's handler mappings.
            .requestMatchers(antMatcher("/h2-console/**")).permitAll()
            ...
        )
        .httpBasic(withDefaults());
    return http.build();
}
```
The requestMatchers method takes a lambda expression as an argument. Inside the lambda expression, you can specify the URL patterns you want to match. In this case, the antMatchers method is used to match the URL pattern /h2-console/**. The permitAll method is used to allow access to the matched URL patterns without authentication.
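The three solutions above each show one piece of the picture. The following is an added example, not code from any of the answers or from the Spring projects, that puts them together in a complete Spring Security 6 configuration: a dev-profile-only chain for the H2 console (Solution 1), Ant-style matchers for paths served by a non-MVC servlet (Solution 2), and the requestMatchers form that actually compiles in Spring Security 6 (Solution 3). The package name, the public paths and the class names are assumptions; H2 and spring-boot-starter-web on the classpath are assumed.

```java
package com.example.security; // assumed package name

import static org.springframework.boot.autoconfigure.security.servlet.PathRequest.toH2Console;
import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class SecurityConfig {

    // Chain 1: exists only under the "dev" profile and only for the H2 console path
    // (spring.h2.console.path, /h2-console by default). In any other profile this bean
    // is not created, so the console path falls under the application chain below.
    @Bean
    @Profile("dev")
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(toH2Console())
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            // the console submits forms without a CSRF token; because securityMatcher
            // scopes this chain to the console, CSRF stays enabled everywhere else
            .csrf(csrf -> csrf.disable())
            // the console UI is frame-based; SAMEORIGIN instead of the default DENY
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    // Chain 2: the application itself. requestMatchers(RequestMatcher...) replaces
    // antMatchers/mvcMatchers; antMatcher() is used (rather than a String pattern) for
    // paths that are not Spring MVC handlers, so matching does not depend on MVC mappings.
    @Bean
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(antMatcher("/"), antMatcher("/public/**")).permitAll() // assumed public paths
                .anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }
}
```

Run with `spring.profiles.active=dev` and `spring.h2.console.enabled=true` to get the console; without the dev profile the first bean is never registered, so the console path (if the console is enabled at all) requires authentication like every other request.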
Q&A
We used to work with WebSecurityConfigurerAdapter and everything worked fine, now we have to use SecurityFilterChain instead.
Here is the answer
What version of Spring Boot and Spring Security did you use?
Spring Boot: 3.0.6 & Spring Security: 6.0.3
What are the deprecated methods in http.authorizeRequests()?
antMatchers, mvcMatchers
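A configuration like the ones in this post is easy to get subtly wrong (wrong chain order, matcher that never matches, CSRF disabled more widely than intended), so a small MockMvc test that pins the intended behaviour is worth having. The following is an added example, not part of the question or any answer; it assumes a Spring Boot application with a dev-profile H2 console chain as described above, H2 and spring-boot-starter-test on the classpath, and an otherwise unmapped `/api/anything` path.

```java
package com.example.security; // assumed package name

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

// The console chain only exists under "dev", and PathRequest.toH2Console() only matches
// when the console is enabled, so both are set explicitly for the test context.
@SpringBootTest(properties = "spring.h2.console.enabled=true")
@AutoConfigureMockMvc
@ActiveProfiles("dev")
class H2ConsoleAccessTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void consoleIsNotBlockedBySecurity() throws Exception {
        // MockMvc only drives the DispatcherServlet, not H2's own servlet, so a request
        // that the security chain lets through ends as 404 (no handler). A 401 here
        // would mean the console chain did not match and the request was challenged.
        mockMvc.perform(get("/h2-console/login.jsp"))
               .andExpect(status().isNotFound())
               .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
    }

    @Test
    void otherPathsStillRequireAuthentication() throws Exception {
        // The application chain must be unaffected by the console chain:
        // an unauthenticated request is challenged before any handler lookup.
        mockMvc.perform(get("/api/anything")) // assumed unmapped path
               .andExpect(status().isUnauthorized())
               .andExpect(header().string("X-Frame-Options", "DENY"));
    }
}
```

The second test is the one that catches the common mistake of putting a permitAll rule for `/`, `/console/**` or `/h2-console/**` into the application chain without `@Profile("dev")`: remove the profile guard from the console chain and run the test without the dev profile, and the first test fails with a 401 exactly as expected, which confirms the console is closed outside development.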
Video Explanation:
The following video, titled "[Fixed", provides additional insights and in-depth exploration related to the topics discussed in this post.