TAB

Reputation: 2134

H2-Console is not showing in browser

I am working on a Spring Boot API and using an H2 database with the following property settings.

spring.h2.console.enabled=true
spring.datasource.name=test
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driver-class-name=org.h2.Driver
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.datasource.initialization-mode = embedded
spring.datasource.url=jdbc:h2:mem:test
spring.jpa.hibernate.ddl-auto = update

When I want to use the browser to view the H2 database console through 'http://localhost:8082/h2-console', a screen opens in the browser with Connect and Test Connection buttons. When I click on Test Connection, it returns successful, but when I click on the Connect button, an error comes up saying that localhost refused to connect.

Here is the screen of that error

Upvotes: 79

Views: 70844

Answers (7)

Mehdi Rahimi

Reputation: 2536

For Spring Boot version 3+ (Spring Security version 6+), use this SecurityFilterChain bean in a configuration class:

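import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ProjectConfig {
    @Bean
    public SecurityFilterChain chain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // Turn off CSRF protection
                .csrf(AbstractHttpConfigurer::disable)
                // Send X-Frame-Options: SAMEORIGIN instead of the default DENY
                .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));

        return httpSecurity.build();
    }
}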

Disabling the header for frameOptions is not a good way to get past it. Just let the same origin use this feature.

Upvotes: 1

searching9x

Reputation: 1605

This is my solution with Kotlin Spring:

@Bean
@Throws(Exception::class)
fun filterChain(httpSecurity: HttpSecurity): SecurityFilterChain {
    return httpSecurity
        // Turn off CSRF protection and Spring Security's CORS handling
        .csrf { obj: CsrfConfigurer<HttpSecurity> -> obj.disable() }
        .cors { obj: CorsConfigurer<HttpSecurity> -> obj.disable() }
        // Stop sending the X-Frame-Options header
        .headers { obj: HeadersConfigurer<HttpSecurity> ->
            obj.frameOptions { obj1 ->
                obj1.disable()
            }
        }
        // Let every request through without authentication
        .authorizeHttpRequests(
            Customizer { auth ->
                auth.anyRequest().permitAll()
            }
        )
        .build()
}

Upvotes: 0

Thushan

Reputation: 61

For Spring Boot 3+ and Spring Security 6, add the following lines to your SecurityFilterChain bean. The newer versions of Spring Security heavily use lambda expressions for configuration. The following lines use method references in Java 8+.

.csrf(AbstractHttpConfigurer::disable)
.headers(httpSecurityHeadersConfigurer -> {
    httpSecurityHeadersConfigurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
})

The above code without method reference is as follows.

.csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable())
.headers(httpSecurityHeadersConfigurer -> {
    httpSecurityHeadersConfigurer.frameOptions(frameOptionsConfig -> {
        frameOptionsConfig.disable();
    });
})

However, besides the above code, you need to properly configure the H2 database, enable the h2-console in the application.properties file, and permit access to the h2-console within the SecurityFilterChain bean, as below.

.authorizeHttpRequests(registry -> {
  registry.requestMatchers("/console/**").permitAll();
})

Upvotes: 6

Odwori

Reputation: 1820

Add these two lines to your Spring Security file and you are good to go.

    http.csrf().disable();
    http.headers().frameOptions().disable();

Upvotes: 85

sankha

Reputation: 263

By default, Spring Security disables rendering within an iframe because allowing a webpage to be added to a frame can be a security issue, for example clickjacking. Since the H2 console runs within a frame, frame options have to be disabled explicitly while Spring Security is enabled, in order to get the H2 console working.

http.headers().frameOptions().disable();

In general there are two possible directives for X-Frame-Options, which are DENY or SAMEORIGIN, so the following configuration can also be used for restricted but secured access.

http.headers().frameOptions().sameOrigin();

This allows the page to be displayed in a frame on the same origin as the page itself.

Upvotes: 25
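
A scoped alternative to switching the headers off globally, added here as an example (not code from any of the answers or from the Spring project): the relaxed frame and CSRF settings apply only to the H2 console path and only under a dev profile, while the rest of the application keeps Spring Security's defaults. It assumes Spring Boot 3.x with Spring Security 6.x and spring.h2.console.enabled=true in that profile; the class name, bean names and the "dev" profile name are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; Spring Boot 3.x / Spring Security 6.x assumed.
@Configuration
public class H2ConsoleSecurityConfig {

    // Chain 1: matches only the H2 console servlet (path resolved from
    // spring.h2.console.path) and exists only under the assumed "dev" profile.
    @Bean
    @Order(1)
    @Profile("dev")
    public SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(PathRequest.toH2Console())
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            // The console posts its forms without Spring's CSRF token.
            .csrf(AbstractHttpConfigurer::disable)
            // The console is a frameset: allow framing by this origin only.
            .headers(h -> h.frameOptions(f -> f.sameOrigin()));
        return http.build();
    }

    // Chain 2: every other request keeps the defaults (CSRF protection on,
    // X-Frame-Options: DENY) and requires authentication.
    @Bean
    @Order(2)
    public SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With any other profile active, the first chain is never registered, so console requests fall through to the second chain and are handled with the default headers and CSRF checks.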

Ishwor Upreti

Reputation: 9

Added the following lines to application.properties

spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect

spring.h2.console.enabled=true

And also added the following to pom.xml

<build>
  <plugins>
    <plugin>
      <configuration>
        <jdbc>
          <driver>org.h2.Driver</driver>
          <url>jdbc:h2:~/test</url>
        </jdbc>
      </configuration>
    </plugin>
  </plugins>
</build>

Upvotes: 0

Amit

Reputation: 2715

Apart from @Alien's response, I had to add http.csrf().disable(); also.

Upvotes: 4
