Merge pull request #6 from darioseidl/master

Prevent ArrayIndexOutOfBoundsException in JwtTokenFilter.getTokenString

src/main/java/io/spring/api/security/JwtTokenFilter.java

@@ -48,10 +48,15 @@ public class JwtTokenFilter extends OncePerRequestFilter {
     }
 
     private Optional<String> getTokenString(String header) {
-        if (header == null || header.split("").length < 2) {
+        if (header == null) {
             return Optional.empty();
         } else {
-            return Optional.ofNullable(header.split(" ")[1]);
+            String[] split = header.split(" ");
+            if (split.length < 2) {
+                return Optional.empty();
+            } else {
+                return Optional.ofNullable(split[1]);
+            }
         }
     }
 }

src/main/java/io/spring/api/security/WebSecurityConfig.java

@@ -1,5 +1,6 @@
 package io.spring.api.security;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -18,6 +19,10 @@ import static java.util.Arrays.asList;
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Value("${spring.h2.console.enabled:false}")
+    private boolean h2ConsoleEnabled;
+
     @Bean
     public JwtTokenFilter jwtTokenFilter() {
         return new JwtTokenFilter();
@@ -25,6 +30,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+
+        if (h2ConsoleEnabled)
+            http.authorizeRequests()
+                .antMatchers("/h2-console", "/h2-console/**").permitAll()
+                .and()
+                .headers().frameOptions().sameOrigin();
+
         http.csrf().disable()
             .cors()
             .and()

src/main/resources/application.properties

@@ -4,4 +4,6 @@ jwt.secret=nRvyYC4soFxBdZ-F-5Nnzz5USXstR1YylsTd-mA0aKtI9HUlriGrtkf-TiuDapkLiUCog
 jwt.sessionTime=86400
 mybatis.config-location=classpath:mybatis-config.xml
 mybatis.mapper-locations=mapper/*.xml
-logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
+logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
+# Uncomment the following line to enable and allow access to the h2-console
+#spring.h2.console.enabled=true