Provide a request matcher for securing the H2 console #11704

Closed
philwebb opened this issue Jan 20, 2018 · 6 comments
@philwebb
Member

See #10264 for background.

@snicoll
Member

snicoll commented Jan 22, 2018

Perhaps we could rename StaticResourceRequest to something a bit more general and have a h2Console option that uses spring.h2.console.path? The implementation should be straightforward considering what we have done for the actuator.

I guess finding a good name would be the most complicated part: that class already sits in the autoconfigure module where we are likely to provide support for "more stuff", so it doesn't strike me as crazy to try to generalize that a bit more.

@philwebb
Member Author

Yeah, I think that's not a bad idea. I don't think a H2ResourceRequest makes any sense. The name is indeed going to be the hard part.

@philwebb
Member Author

Perhaps something super general like PathRequest.

@mbhave
Contributor

mbhave commented Jan 23, 2018

I think if we really want to provide an easy way to add back 1.5-like security for H2, we would need something more than the RequestMatcher. The RequestMatcher only prevents duplication of spring.h2.console.path in the custom WebSecurityConfigurerAdapter, but default 1.5 security for H2 was much more involved. I wonder if we can provide a SecurityConfigurer instead.

@mbhave mbhave added the for: team-attention An issue we'd like other members of the team to review label Jan 23, 2018
@philwebb
Member Author

I didn't realize it did that much!

> I wonder if we can provide a SecurityConfigurer instead

I guess it depends how easy it is to mix that in with existing security concerns. One reason I like the new matchers is it's easy to plug them in at the correct place (not bean ordering etc). In the past Rob talked about using some static helper, perhaps this would be a good candidate for that?

@philwebb philwebb removed the for: team-attention An issue we'd like other members of the team to review label Jan 24, 2018
@mbhave
Contributor

mbhave commented Jan 24, 2018

We're going to go with a RequestMatcher

@mbhave mbhave self-assigned this Jan 25, 2018
@mbhave mbhave closed this as completed in e80c22c Jan 30, 2018
@wilkinsona wilkinsona added type: enhancement A general enhancement and removed type: task A general task labels Apr 28, 2020
@wilkinsona wilkinsona changed the title Decide how to deal with H2 console and security Provide a request matcher for securing the H2 console Apr 28, 2020
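
The trade-off discussed in this thread, as an added example that is not code from the issue or from the Spring Boot project: a request matcher only selects the console's requests, so the application still has to declare the rest of the console's security itself. The sketch assumes Spring Boot 2.0's `PathRequest.toH2Console()` matcher and the `WebSecurityConfigurerAdapter` style mentioned above; the class name, the `@Order` value and the `ADMIN` role are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class: a dedicated filter chain for the H2 console only.
@Configuration
@Order(1) // assumed value; must be evaluated before the application's main security adapter
public class H2ConsoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The matcher follows spring.h2.console.path, so the path is not
            // duplicated here and the rules below apply to the console alone.
            .requestMatcher(PathRequest.toH2Console())
            // The console gives direct SQL access to the database: restrict it
            // to an administrative role (role name is an assumption).
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and()
            .httpBasic()
            .and()
            // The console's own forms carry no CSRF token. Because of the
            // requestMatcher above, CSRF stays enabled for every other path.
            .csrf().disable()
            // The console UI is rendered in frames: allow same-origin framing
            // instead of removing the X-Frame-Options header altogether.
            .headers().frameOptions().sameOrigin();
    }
}
```

Scoping the chain with `requestMatcher` keeps the relaxed CSRF and frame settings from leaking into the rest of the application, which is the part a matcher alone does not configure.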