H2 database console spring boot Load denied by X-Frame-Options

Asked 6/10, 2014 at 15:55 Answered 22/4 at 21:36

I`m building a skeletal project for dev with spring 4 boot security and others. Using H2 while attempting to log into the db console and manage my db i get the following error. The page is blank, with 4 bugs in firebug konsole :

 Load denied by X-Frame-Options: http://localhost:8080/console

With links to

/header.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/query.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/help.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/tables.do?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.

I can test the connection from console level - its ok.
DB works fine, import.sql works fine, i can create user entities withing spring is starting up.

The configuration i am using is from (and it works on spring 3.2 with xml configuration)

spring boot default H2 jdbc connection (and H2 console)

Using : spring-boot-starter-parent 1.1.4.RELEASE

Unswear answered 6/10, 2014 at 15:55 Comment(1)

Added .and().headers() .addHeaderWriter(new XFrameOptionsHeaderWriter( new WhiteListedAllowFromStrategy(Arrays.asList("localhost:8080","http://localhost")))) White page and info to refresh to page to get the source code. – Poach 6/10, 2014 at 20:36

Added the code below to Application.java and for now it works, default on port 8082, starts with spring app. It doesn`t hit the spot but for dev purposes it is all ok.

@Bean
org.h2.tools.Server h2Server() {
    Server server = new Server();
    try {
        server.runTool("-tcp");
        server.runTool("-tcpAllowOthers");
    } catch (Exception e) {
        e.printStackTrace();
    }
    return server;

}

Unswear answered 16/10, 2014 at 5:15 Comment(2)

Nice but is automatically starting h2 in browser on startup, is there a way to avoid it? – Disenthrall 27/8, 2019 at 12:40

I spent 3 hours trying to make it work via Spring Security and could not. This did the trick! – Zoo 18/5, 2020 at 8:5

It's also possible to simplify the answer from @chrosciu with this:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.headers().frameOptions().disable();
  }
}

Hardset answered 7/5, 2015 at 17:46 Comment(1)

Or, more securely, headers().frameOptions().sameOrigin(). – Torchier 30/1, 2018 at 17:41

Added the code below to Application.java and for now it works, default on port 8082, starts with spring app. It doesn`t hit the spot but for dev purposes it is all ok.

@Bean
org.h2.tools.Server h2Server() {
    Server server = new Server();
    try {
        server.runTool("-tcp");
        server.runTool("-tcpAllowOthers");
    } catch (Exception e) {
        e.printStackTrace();
    }
    return server;

}

Unswear answered 16/10, 2014 at 5:15 Comment(2)

Nice but is automatically starting h2 in browser on startup, is there a way to avoid it? – Disenthrall 27/8, 2019 at 12:40

I spent 3 hours trying to make it work via Spring Security and could not. This did the trick! – Zoo 18/5, 2020 at 8:5

This worked for me:

@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().addHeaderWriter(
            new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(Arrays.asList("localhost"))));
    }
}

Of course contents of white list should be adjusted in case when application is running on something different than localhost.

Chieftain answered 24/3, 2015 at 10:26 Comment(2)

Even better solution: http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)); This does not require to explicite state host name in secuiryty config – Chieftain 30/3, 2015 at 8:26

Even better: .headers().frameOptions().sameOrigin() – Inebriety 8/2, 2016 at 10:11

With new spring dsl you can use headers method in SecurityFilterChain as below

@Configuration
@EnableWebSecurity
public class SecurityConfiguration  {

  @Bean
  SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

    http.headers(headers -> headers.frameOptions().disable()) //disable frame
        //rest of your configuration
        .csrf( csrf -> csrf.disable())
        .authorizeHttpRequests(
                    authorize -> authorize
                            .requestMatchers(HttpMethod.OPTIONS).permitAll()
                            .requestMatchers(HttpMethod.POST, "/users", "/users/login").permitAll()
                            .requestMatchers(HttpMethod.GET, "/articles/**").permitAll()
                            .anyRequest().permitAll()
            )
          
        return http.build();
  }

Toadflax answered 26/11, 2023 at 6:27 Comment(0)

Most answers are fine but they do mess with the security config for the entire application, not only the H2 console. A better way - assuming a development environment - would therefore be to simply add an exception to the entire security config:

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
  http
    // exclude H2 requests
    .requestMatcher(
      new NegatedRequestMatcher(new AntPathRequestMatcher("/h2-console/**"))
    )
    // default security config
    .authorizeRequests()
      .anyRequest().authenticated();
}

Crossarm answered 13/3 at 10:8 Comment(0)

You need to add this

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .headers(AbstractHttpConfigurer::disable)
           ...

Fought answered 22/4 at 21:36 Comment(0)

Recommended topics

Hot tags