Only enable security config for h2-console when property is set

2018-04-10 11:31:51 +02:00 · 2018-04-10 11:31:51 +02:00 · 8ff2ebdf5e
parent 7e9b018d7e
commit 8ff2ebdf5e
2 changed files with 15 additions and 6 deletions
--- a/src/main/java/io/spring/api/security/WebSecurityConfig.java
+++ b/src/main/java/io/spring/api/security/WebSecurityConfig.java
@ -1,5 +1,6 @@
 package io.spring.api.security;

+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -18,6 +19,10 @@ import static java.util.Arrays.asList;
@Configuration
@EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Value("${spring.h2.console.enabled:false}")
+    private boolean h2ConsoleEnabled;
+
    @Bean
    public JwtTokenFilter jwtTokenFilter() {
        return new JwtTokenFilter();
@ -25,6 +30,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
+
+        if (h2ConsoleEnabled)
+            http.authorizeRequests()
+                .antMatchers("/h2-console", "/h2-console/**").permitAll()
+                .and()
+                .headers().frameOptions().sameOrigin();
+
        http.csrf().disable()
            .cors()
            .and()
@ -36,11 +48,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
            .antMatchers(HttpMethod.GET, "/articles/feed").authenticated()
            .antMatchers(HttpMethod.POST, "/users", "/users/login").permitAll()
            .antMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags").permitAll()
-            .antMatchers("/h2-console", "/h2-console/**")
-            .permitAll()
-            .anyRequest().authenticated()
-            .and()
-            .headers().frameOptions().sameOrigin();
+            .anyRequest().authenticated();

        http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -5,4 +5,5 @@ jwt.sessionTime=86400
 mybatis.config-location=classpath:mybatis-config.xml
 mybatis.mapper-locations=mapper/*.xml
 logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
-spring.h2.console.enabled=true
+# Uncomment the following line to enable and allow access to the h2-console
+#spring.h2.console.enabled=true