H2-Console is not showing in browser
C

6

77

I am working on a Spring Boot API and using an H2 database with the following property settings.

spring.h2.console.enabled=true
spring.datasource.name=test
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driver-class-name=org.h2.Driver
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.datasource.initialization-mode = embedded
spring.datasource.url=jdbc:h2:mem:test
spring.jpa.hibernate.ddl-auto = update

When I use the browser to view the H2 database console through 'http://localhost:8082/h2-console', a screen opens in the browser with Connect and Test Connection buttons. When I click on Test Connection, it returns successful, but when I click on the Connect button, an error comes up saying that localhost refused to connect.

Here is the screen of that error

Candycecandystriped answered 20/11, 2018 at 14:28 Comment(1)
Does this answer your question? Why does the H2 console in Spring Boot show a blank screen after logging in? - Hollis
S
78

Add these two lines to your Spring Security file and you are good to go.

    http.csrf().disable();
    http.headers().frameOptions().disable();
Sudbury answered 15/10, 2019 at 12:48 Comment(0)
D
21

By default, Spring Security disables rendering within an iframe because allowing a webpage to be added to a frame can be a security issue, for example clickjacking. Since the H2 console runs within a frame, frame options have to be disabled explicitly while Spring Security is enabled in order to get the H2 console working.

http.headers().frameOptions().disable();

In general, there are two possible directives for X-Frame-Options, DENY and SAMEORIGIN, so the following configuration can also be used for restricted but secure access.

http.headers().frameOptions().sameOrigin();

This allows the page to be displayed in a frame on the same origin as the page itself.

Darelldarelle answered 5/8, 2020 at 14:15 Comment(1)
Your answer is the most complete and the safest one. Thanks! - Tantalizing
V
4

Apart from @Alien's response, I had to add http.csrf().disable(); also.

Virtuoso answered 14/9, 2019 at 8:0 Comment(0)
P
3

For Spring Boot 3+ and Spring Security 6, add the following lines to your SecurityFilterChain bean. The newer versions of Spring Security make heavy use of lambda expressions for configuration. The following lines use method references in Java 8+.

.csrf(AbstractHttpConfigurer::disable)
.headers(httpSecurityHeadersConfigurer -> {
    httpSecurityHeadersConfigurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
})

The above code without method reference is as follows.

.csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable())
.headers(httpSecurityHeadersConfigurer -> {
    httpSecurityHeadersConfigurer.frameOptions(frameOptionsConfig -> {
        frameOptionsConfig.disable();
    });
})

However, besides the above code, you need to properly configure the H2 database, enable the h2-console in the application.properties file, and permit access to the h2-console, as below, within the SecurityFilterChain bean.

.authorizeHttpRequests(registry -> {
  // The pattern must cover the console path (spring.h2.console.path, /h2-console by default).
  registry.requestMatchers("/console/**").permitAll();
})
Prescriptible answered 19/2, 2024 at 3:54 Comment(0)
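
The answers above relax CSRF and frame options for the whole application; the configuration below is an added example (not code from any answer on this page) that confines the relaxation to the H2 console and leaves every other request on the defaults. It assumes Spring Boot 3 with Spring Security 6, `spring.h2.console.enabled=true`, and a profile named `dev`; the class and bean names are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig { // hypothetical class name

    // Chain 1: matches only requests for the H2 console, and is registered
    // only when the (assumed) "dev" profile is active.
    @Bean
    @Order(1)
    @Profile("dev")
    SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http.securityMatcher(PathRequest.toH2Console())
            // Open access is acceptable only because this chain exists in dev alone.
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            // The console's forms carry no CSRF token, so CSRF is off for this chain only.
            .csrf(csrf -> csrf.disable())
            // X-Frame-Options: SAMEORIGIN lets the console frame its own pages,
            // while other origins still cannot embed it.
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    // Chain 2: every other request keeps the defaults
    // (CSRF protection on, X-Frame-Options: DENY).
    @Bean
    @Order(2)
    SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

`PathRequest.toH2Console()` follows the configured `spring.h2.console.path`, so the matcher stays correct if the console is moved from `/h2-console`.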
A
0

Added the following lines to application.properties

spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect

spring.h2.console.enabled=true

And also added the following to pom.xml

<build>
  <plugins>
    <plugin>
      <configuration>
        <jdbc>
          <driver>org.h2.Driver</driver>
          <url>jdbc:h2:~/test</url>
        </jdbc>
      </configuration>
    </plugin>
  </plugins>
</build>
Androgen answered 3/8, 2020 at 17:25 Comment(0)
T
0

This is my solution with Kotlin Spring:

@Bean
@Throws(Exception::class)
fun filterChain(httpSecurity: HttpSecurity): SecurityFilterChain {
    return httpSecurity //
        .csrf { obj: CsrfConfigurer<HttpSecurity> -> obj.disable() } //
        .cors { obj: CorsConfigurer<HttpSecurity> -> obj.disable() } //
        .headers { obj: HeadersConfigurer<HttpSecurity> ->
            obj.frameOptions { obj1 ->
                obj1.disable()
            }
        } //
        .authorizeHttpRequests(
            Customizer { auth ->
                auth.anyRequest().permitAll()
            } //
        ) // 
        .build()
}
Thyroxine answered 28/6, 2024 at 15:9 Comment(0)
