spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

`antMatchers("/h2-console/**")` works well with security 5.3.6 while doesn't with security 5.7.5 #12321

Closed liyi93319 closed 1 year ago

liyi93319 commented 1 year ago

Describe the bug

I'm trying to secure the access to "/h2-console/**", the same code works well with spring boot 2.3.7 (security 5.3.6) while it doesn't work with spring boot 2.7.6 (security 5.7.5).

To Reproduce

Steps to reproduce the behavior.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
        .antMatchers("/h2-console/**").authenticated()
        .anyRequest().authenticated()
        .and().formLogin()
        .and().csrf().ignoringAntMatchers("/h2-console/**")
        .and().headers().frameOptions().sameOrigin();
    }

Expected behavior

I'm allowed to see the "h2-console" login page. When I click the "connect" button with correct configuration, I'm allowed to access h2-console.

Actual result

I'm allowed to access h2-console with spring boot 2.3.7 (security 5.3.6) while I just get the Whitelabel Error Page (404) with spring boot 2.7.6 (security 5.7.5).

jzheaux commented 1 year ago

@liyi93319 thanks for reaching out.

It's not clear to me what you mean that it "works well" on one version but not another. Will you please update your description to include what errors or unwanted behavior you are seeing?

liyi93319 commented 1 year ago

Thanks for the reminder. Updated.

jzheaux commented 1 year ago

What request is giving a 404? If it is /h2-console that is one issue, if it is the login page itself, that may be another.

Also, I wonder if it would be quicker for you to post a minimal Spring Boot sample that reproduces the issue, ideally something that can be downloaded or cloned.

marcusdacoregio commented 1 year ago

Might be related to https://github.com/spring-projects/spring-security/issues/12310#issuecomment-1328990026

liyi93319 commented 1 year ago

> What request is giving a 404? If it is /h2-console that is one issue, if it is the login page itself, that may be another.
>
> Also, I wonder if it would be quicker for you to post a minimal Spring Boot sample that reproduces the issue, ideally something that can be downloaded or cloned.

Access to the H2 console login page causes a 404.

Here is the sample code:

login-daoauthenticationprovider.zip

marcusdacoregio commented 1 year ago

@liyi93319, did you enable the H2 console?

    spring.h2.console.enabled=true

spring-projects-issues commented 1 year ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues commented 1 year ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

RufusWein commented 1 year ago

I had the same issue (Spring Boot 2.5.3 & Security 5.3.6) and solved it this way:

    spring.h2.console.path=/h2

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
            .antMatchers("/h2/**");
    }

I hope I can help you,

regards
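
The `web.ignoring()` workaround above takes `/h2/**` out of the Spring Security filter chain, so no Spring Security authentication, CSRF or header handling applies to the console, whereas the original report set out to require a login for it. The following is an added example, not code from this thread or from the Spring Security project, of a single filter chain that keeps the console behind authentication and relaxes only CSRF and frame options. It assumes Spring Boot 2.7 / Spring Security 5.7 with `spring.h2.console.enabled=true`, uses a hypothetical class name, and is not presented as a confirmed fix for the 404 reported here.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; added example, not code from the thread.
@Configuration
public class H2ConsoleSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Matches whatever spring.h2.console.path is set to (default /h2-console),
        // so the rules below follow the console if the path is changed to /h2.
        RequestMatcher h2Console = PathRequest.toH2Console();

        http
            // The console stays inside the filter chain and requires a login,
            // unlike web.ignoring(), which skips Spring Security for that path.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(h2Console).authenticated()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // The console's own forms carry no CSRF token: exempt only its path.
            .csrf(csrf -> csrf.ignoringRequestMatchers(h2Console))
            // The console renders in frames: allow same-origin framing
            // (this header setting applies to all responses of the application).
            .headers(headers -> headers
                .frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}
```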