Spring Boot version: 1.3.0.M3
H2, Spring Security, and DevTools are all in the POM.
No special Spring Security config other than an in-memory auth provider.
When I go to /h2-console, I'm able to see the connection config screen. However, when fill in the info and click Test, I receive the error message:
There was an unexpected error (type=Forbidden, status=403).
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
If possible, the H2 console autoconfig should add a CSRF rule to Spring Security config for whatever servlet path it is configured to use (/h2-console or otherwise).
That should already happen. I wonder if you're being affected by #3726. Have you explicitly set spring.h2.console.enabled=true? Sadly, the auto-configuration won't kick in without it at the moment.
I have added that to the properties file and am still experiencing the issue. Using Google Chrome if that helps.
It works for me with Chrome (and Safari), both on OS X. I just double-checked using the Actuator sample. What does your auto-configuration report say (run with --debug)? You should see the following listed in the positive matches:
- @ConditionalOnClass classes found: org.h2.server.web.WebServlet (OnClassCondition)
- found web application StandardServletEnvironment (OnWebApplicationCondition)
- matched (OnPropertyCondition)
H2ConsoleAutoConfiguration.H2ConsoleSecurityConfiguration
- @ConditionalOnClass classes found: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter (OnClassCondition)
- matched (OnPropertyCondition)
- @ConditionalOnBean (types: org.springframework.security.config.annotation.ObjectPostProcessor; SearchStrategy: all) found the following [objectPostProcessor] (OnBeanCondition)
Perhaps you've switched off basic auth (set security.basic.enabled to false)? If so, you'll need to provide your own security configuration for the H2 console.
Yup the debug output looks like what I have here locally. I did notice this:
Skipped (empty) config file 'classpath:/application.properties' for profile default
So perhaps it is not reading the correct setting?
That log output is expected (although a little misleading), and I see the same when the console works.
There's clearly something different in your setup that you haven't described. If you'd like me to continue trying to help please provide a small sample that reproduces the problem.
Certainly. Thank you for your help. I have not yet ruled out something amiss with this workstation. I will try to recreate on a different machine with a simple app I can demonstrate the issue with.
I seem to have narrowed it down to happening when I use my own WebSecurityConfigurerAdapter (for the in-memory auth provider I mention above). Does setting up my own web security config override all other "out of the box" security auto-configuration?
Does setting up my own web security config override all other "out of the box" security auto-configuration?
That depends on two things:
@Order of your WebSecurityConfigurerAdapter: you need to either ensure that your WebSecurityConfigurerAdapter has a higher order (lower precedence) than H2ConsoleSecurityConfigurer (it uses SecurityProperties.BASIC_AUTH_ORDER - 10) or you need to avoid applying any configuration to the console's path (/h2-console/** by default).
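The ordering point in the reply above, as an added example that is not part of the original thread or of Spring Boot's own code: a user WebSecurityConfigurerAdapter with an in-memory authentication provider that coexists with the auto-configured H2ConsoleSecurityConfigurer in Spring Boot 1.3. The package, class name, user names and passwords are assumptions; the annotations and builder calls are the public Spring Boot 1.3 / Spring Security 4.0 API.

```java
// Added example, not from the original issue. Package and class name are assumed.
package com.example.demo.security;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
// A WebSecurityConfigurerAdapter defaults to @Order(100), which is a LOWER value
// (higher precedence) than H2ConsoleSecurityConfigurer's BASIC_AUTH_ORDER - 10.
// Without an antMatcher, an adapter at order 100 claims every request, including
// /h2-console/**, so the console's POST hits this chain's CSRF filter and fails
// with "Invalid CSRF Token 'null'". Placing this adapter at BASIC_AUTH_ORDER
// (a higher value, lower precedence) lets the console chain match its own path
// first while this chain still protects everything else.
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public class InMemoryAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo users; hard-coded credentials are for local testing only.
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER")
            .and()
            .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection and X-Frame-Options stay at their secure defaults for the
        // application itself; only the auto-configured console chain relaxes them,
        // and only for /h2-console/**.
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();

        // Alternative if you must keep the default order (100): stop this chain
        // from applying CSRF to the console path and allow the console's frames.
        // Use one approach or the other, not both.
        // http.csrf().ignoringAntMatchers("/h2-console/**");
        // http.headers().frameOptions().sameOrigin();
    }
}
```

With the @Order shown, the --debug report should still list H2ConsoleAutoConfiguration.H2ConsoleSecurityConfiguration as a positive match, and the console's Test button no longer hits the CSRF filter because the console chain (BASIC_AUTH_ORDER - 10) is evaluated before this one. Keep the console, and the CSRF and frame-options relaxation that comes with it, out of production profiles.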
This discussion seems to have run its course. Closing.