oasp / oasp4j

The Open Application Standard Platform for Java
Apache License 2.0

#689 Fixing h2 console with Spring security #693

Closed jdiazgon closed 5 years ago

jdiazgon commented 5 years ago

This pull request addresses #689.

When enabling spring-security, the H2 database console will be blocked with 403 error, making it impossible to use it. This Pull Request provides a way to fix this issue.

Unfortunately, the drawback is that for using the H2 console you need to disable csrf authentication. That is why I decided to comment out those lines, so that the user decides when to enable the console.

hohwille commented 5 years ago

@jdiazgon thank you so much for your feedback and investigation. Disabling security features for the sake of accessing some h2 feature is somewhat odd however. We IMHO need at least to find a way to configure this "disabling" only for the h2 URLs. Still I do not like such tweaks in productive code. Great that you just added it as a comment. However, there is a high risk that people using it may accidentally commit such a change and break the security. Therefore we still need to find a safer and more elegant way. Anyhow, thank you very much as you help us to guide the way to the "perfect solution".
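One way to scope the H2-console exceptions to its own URLs and to an explicitly enabled profile, addressing both the 403 problem described in the PR and the request above to not relax CSRF globally. This is an added example, not code from the oasp4j project or this PR; it assumes Spring Boot with spring-boot-starter-security and the default console path `/h2-console`, and the class, package and profile names are hypothetical.

```java
// Added example (not code from the oasp4j PR): scopes the H2-console
// exceptions to its own URL prefix and to a non-default profile, so the
// application's global CSRF protection stays on and the tweak cannot
// silently ship to production. Assumes spring-boot-starter-security and
// the default console path /h2-console; names below are hypothetical.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Profile("h2console")  // inactive unless this profile is explicitly enabled
@Order(1)              // evaluated before the application's main security config
public class H2ConsoleSecurityConfig extends WebSecurityConfigurerAdapter {

  private static final String H2_CONSOLE = "/h2-console/**";

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // this filter chain applies only to the console URLs; every other
      // request falls through to the application's regular configuration
      .antMatcher(H2_CONSOLE)
      .authorizeRequests()
        .anyRequest().hasRole("ADMIN")   // the console still requires a login
        .and()
      // the console UI posts its forms without a CSRF token, so exempt
      // only these URLs instead of calling csrf().disable() globally
      .csrf().ignoringAntMatchers(H2_CONSOLE)
        .and()
      // the console renders itself in frames; allow same-origin framing
      // rather than switching X-Frame-Options off entirely
      .headers().frameOptions().sameOrigin();
  }
}
```

The console then only becomes reachable when the profile is activated, for example with `spring.profiles.active=h2console` in a local run, while a deployment without that profile keeps the unchanged security configuration.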