
I'm building a skeletal project for dev with Spring 4, Boot, Security and others. Using H2, while attempting to log into the DB console and manage my DB I get the following error. The page is blank, with 4 bugs in the Firebug console:

 Load denied by X-Frame-Options: http://localhost:8080/console

With links to

/header.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/query.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/help.jsp?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
/tables.do?jsessionid=f71207a702c9177e57208414721bbe93 does not permit framing.
  1. I can test the connection from console level - it's OK.
  2. DB works fine, import.sql works fine, I can create user entities while Spring is starting up.

The configuration I am using is from (and it works on Spring 3.2 with XML configuration)

spring boot default H2 jdbc connection (and H2 console)

Using : spring-boot-starter-parent 1.1.4.RELEASE

  • Added `.and().headers().addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("http://localhost:8080","http://localhost"))))`. White page and info to refresh the page to get the source code. – Piotr 'Kowcio' Kowalski Oct 06 '14 at 20:36

3 Answers


It's also possible to simplify the answer from @chrosciu with this:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Stops Spring Security from sending the X-Frame-Options header at all, so the
    // H2 console's frames load; no clickjacking protection remains for any page.
    http.headers().frameOptions().disable();
  }
}
```
pVilaca


Added the code below to Application.java and for now it works (default on port 8082, starts with the Spring app). It doesn't hit the spot, but for dev purposes it is all OK.

```java
import org.h2.tools.Server;
import org.springframework.context.annotation.Bean;

@Bean
Server h2Server() {
    Server server = new Server();
    try {
        // All options in one call so they apply to the same server start: "-web" starts
        // the console (default port 8082), "-tcp" the TCP server (default port 9092);
        // "-tcpAllowOthers" lets other hosts connect, acceptable only on a dev machine.
        server.runTool("-web", "-tcp", "-tcpAllowOthers");
    } catch (Exception e) {
        e.printStackTrace();
    }
    return server;
}
```
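The same idea with the server's lifecycle tied to the Spring context, as an added example that is not from the answer above: the console is created with `createWebServer` and started and stopped together with the application. It assumes a Spring Boot app with H2 on the classpath; the console port 8082 and TCP port 9092 are H2's defaults, and unlike the code above it passes no `-tcpAllowOthers`, so neither server accepts connections from other hosts.

```java
import java.sql.SQLException;

import org.h2.tools.Server;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not from the answer above): H2 console and TCP server as
 * lifecycle-managed beans. Spring calls start() after creation and stop()
 * on context shutdown, so the ports are released when the app stops.
 */
@Configuration
public class H2ServerConfig {

    // Assumed port: 8082 is H2's default console port, as in the answer above.
    private static final String CONSOLE_PORT = "8082";

    // Web console on http://localhost:8082. Without "-webAllowOthers" H2 only
    // accepts connections from the local machine.
    @Bean(initMethod = "start", destroyMethod = "stop")
    public Server h2Console() throws SQLException {
        return Server.createWebServer("-webPort", CONSOLE_PORT);
    }

    // TCP server for external tools on the same machine; "-tcpAllowOthers" is
    // deliberately omitted, so it is not reachable from the network.
    @Bean(initMethod = "start", destroyMethod = "stop")
    public Server h2TcpServer() throws SQLException {
        return Server.createTcpServer("-tcpPort", "9092");
    }
}
```

Because the beans are separate from Spring Security, the console is still served on its own port and is not covered by the X-Frame-Options header the other answers discuss; it only needs the servlet-based console if you want it on the application's port.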

This worked for me:

```java
import java.util.Arrays;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Sends "X-Frame-Options: ALLOW-FROM <origin>" only for origins on the white list
        http.headers().addHeaderWriter(
            new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(Arrays.asList("localhost"))));
    }
}
```

Of course, the contents of the white list should be adjusted when the application is running on something other than localhost.

chrosciu

  • Even better solution: `http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));` This does not require explicitly stating the host name in the security config – chrosciu Mar 30 '15 at 08:26
  • Even better: `.headers().frameOptions().sameOrigin()` – Marcel Overdijk Feb 08 '16 at 10:11
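A configuration that applies the thread's conclusion, as an added example and not code from any of the answers: SAMEORIGIN is set only for the console's own path, the rest of the application keeps Spring Security's default DENY, and the console is restricted to an admin role. It assumes Spring Security 4.x (where `frameOptions().sameOrigin()` exists), that the console is mapped under `/console` as in the question, and an `ADMIN` role defined elsewhere; the path and the role are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example, not from the answers above. Two filter chains: the first one
 * handles only the H2 console and relaxes X-Frame-Options to SAMEORIGIN, which is
 * all the console's own frames need; the second keeps DENY for everything else.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed mapping of the H2 console (the question uses /console).
    static final String H2_CONSOLE = "/console/**";

    @Configuration
    @Order(1) // evaluated first; only requests matching H2_CONSOLE reach this chain
    public static class ConsoleSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher(H2_CONSOLE)
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN") // assumed role; the console is a DB shell
                    .and()
                .httpBasic()
                    .and()
                .headers()
                    // SAMEORIGIN: framing allowed only by pages from this origin.
                    // Prefer this over disable(), which removes the header entirely.
                    .frameOptions().sameOrigin();
        }
    }

    @Configuration
    public static class AppSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .headers()
                    // Spring Security's default; stated explicitly so the intent is visible.
                    .frameOptions().deny();
        }
    }
}
```

With this layout the `Load denied by X-Frame-Options` error from the question disappears for `/console/**` because the console's frames and the framing page share the origin, while every other response still carries `X-Frame-Options: DENY`; the ALLOW-FROM white list from the accepted answer is not needed, which also sidesteps the browser-support differences of that header value.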