Spring Security Day 2: Using the H2 Database Console in Spring Boot with Spring Security


When developing Spring-based applications, you will use the H2 in-memory database during your development process.
Advantages:
(1) light (2) fast (3) easy to use.
With H2, your database is created by Hibernate every time you start the application.
H2 ships with a web-based database console, which you can use while your application is under development.
Use the following Maven dependency in pom.xml to enable H2 in Spring Boot:

<dependency>
   <groupId>com.h2database</groupId>
   <artifactId>h2</artifactId>
   <scope>runtime</scope>
</dependency>

Spring Security

If you’ve enabled Spring Security in your Spring Boot application, you will not be able to access the H2 database console. With its default settings under Spring Boot, Spring Security blocks access to the H2 database console.
To enable access to the H2 database console under Spring Security, you need to change three things:
  • Allow all access to the URL path /console/*.
  • Disable CSRF (Cross-Site Request Forgery) protection. By default, Spring Security protects against CSRF attacks.
  • Since the H2 database console runs inside a frame, you need to allow framing in Spring Security.

The following configuration applies all three changes:

package com.mob.sight.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                    .password(passwordEncoder().encode("password"))
                    .roles("ADMIN")
                    .authorities("ACCESS_TEST1", "ACCESS_TEST2", "ROLE_ADMIN")
                .and()
                .withUser("user")
                    .password(passwordEncoder().encode("password"))
                    .roles("USER")
                .and()
                .withUser("manager")
                    .password(passwordEncoder().encode("password"))
                    .roles("MANAGER")
                    .authorities("ACCESS_TEST1", "ROLE_MANAGER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index.html").permitAll()
                // Allow all access to the H2 console
                .antMatchers("/console/**").permitAll()
                .antMatchers("/profile/index").authenticated()
                .antMatchers("/admin/index").hasRole("ADMIN")
                .antMatchers("/management/index").hasAnyRole("ADMIN", "MANAGER")
                .antMatchers("/api/public/test1").hasAuthority("ACCESS_TEST1")
                .antMatchers("/api/public/test2").hasAuthority("ACCESS_TEST2")
                .antMatchers("/api/public/users").hasRole("ADMIN")
                .and()
                .httpBasic();

        // Disable CSRF protection so the H2 console's requests are accepted
        http.csrf().disable();
        // Remove the X-Frame-Options header so the console's frames can render
        http.headers().frameOptions().disable();
    }

    @Bean
    PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}
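
The configuration above turns off CSRF protection and the X-Frame-Options header for the whole application. A narrower variant, added here as an example and not part of the original post, moves the three console changes into their own filter chain so they apply only to `/console/**` and only under a development profile. The class name `DevConsoleSecurityConfiguration` and the profile name `dev` are assumptions; the `/console/**` path is the one used on this page.

```java
package com.mob.sight.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: hypothetical class, not from the original post.
// Assumption: the "dev" profile is active only on developer machines,
// so this chain does not exist in any other environment.
@Configuration
@Profile("dev")
@Order(1) // consulted before SecurityConfiguration, which has the default order of 100
public class DevConsoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain matches only the H2 console paths;
            // every other request falls through to SecurityConfiguration.
            .antMatcher("/console/**")
            .authorizeRequests()
                // Same rule as on the page: allow all access to the console.
                .anyRequest().permitAll()
                .and()
            // CSRF checking is skipped for this chain only.
            .csrf().disable()
            // Frames are allowed only when the parent page has the same origin,
            // instead of removing the X-Frame-Options header entirely.
            .headers().frameOptions().sameOrigin();
    }
}
```

With this class in place, the `/console/**` matcher, `http.csrf().disable()` and `http.headers().frameOptions().disable()` can be removed from `SecurityConfiguration`, so the rest of the application keeps Spring Security's default CSRF and framing protections.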

Since I have SSL enabled and listening on port 9443, the H2 console URL is as follows:
[Screenshot: H2_Console]
After login:
[Screenshot: H2_Console_after_login]

Hope this helps 🙂

