Spring Security & Kotlin Dsl for HttpSecurity - Cannot permit h2-console


I am using Spring Boot and Spring Security with Kotlin, built with Maven. Here is my SecurityFilterChain:

/**
 * Security filter chain written with the Spring Security Kotlin DSL. This is the variant the question
 * reports as not letting requests through to the H2 console.
 *
 * Visible configuration: CORS and CSRF handling disabled, a custom authentication entry point, four
 * `permitAll` path patterns, every other request authenticated, stateless sessions, frame options
 * disabled, and `jwtAuthenticationFilter` registered before [UsernamePasswordAuthenticationFilter].
 */
@Bean
fun securityFilterChainDSL(http: HttpSecurity): SecurityFilterChain {
    http {
        cors { disable() }
        // NOTE(review): disabling CSRF protection is only sound while no cookie- or session-based
        // authentication is accepted; presumably the JWT filter below reads a request header. Confirm.
        csrf { disable() }
        exceptionHandling { authenticationEntryPoint = unauthorizedHandler }
        //httpBasic {}
        authorizeRequests {
            // Rules are evaluated in declaration order and the first match wins, so the permitAll
            // entries have to stay above the anyRequest rule.
            authorize("/api/v1/auth/**", permitAll)
            authorize("/api/v1/swagger/**", permitAll)
            authorize("/swagger**/**", permitAll)
            // This is the rule the question says has no effect. Likely cause (not visible here): with
            // Spring MVC on the classpath the DSL's String overload builds an MVC matcher, and the H2
            // console servlet is not mapped through the DispatcherServlet. Confirm against the Spring
            // Security version in use.
            // NOTE(review): the H2 console gives direct SQL access to the database; an unauthenticated
            // rule for it belongs in a local development profile only.
            authorize("/h2-console**/**", permitAll)
            authorize(matches = anyRequest, access = authenticated)
        }
        sessionManagement { sessionCreationPolicy = SessionCreationPolicy.STATELESS }
        // NOTE(review): this removes the X-Frame-Options header from every response of the chain, not
        // only the console pages. The H2 console only needs same-origin framing.
        headers { frameOptions { disable() } }
        addFilterBefore<UsernamePasswordAuthenticationFilter>(filter = jwtAuthenticationFilter)
    }
    return http.build()
}

With this configuration I am unable to permit access to the H2 console at the following URL:

http://localhost:8080/h2-console/login.jsp?jsessionid=3daf979688385fbfb46a7df556f61282

But when I use the traditional way :) it works great.

/**
 * Security filter chain built with the lambda-based `HttpSecurity` API (the variant the question
 * reports as working for the H2 console).
 *
 * Every public path is registered through an explicit [AntPathRequestMatcher], so matching is done on
 * the request path alone and does not depend on Spring MVC handler mappings. That is presumably why
 * this variant reaches the H2 console servlet.
 */
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    // Paths reachable without authentication, in the order the rules are registered.
    // NOTE(review): the H2 console gives direct SQL access to the database; its entry should be limited
    // to a local development profile.
    val publicPatterns = listOf(
        "/api/v1/auth/**",
        "/api/v1/swagger/**",
        "/swagger**/**",
        "/h2-console**/**",
    )

    http.cors { cors -> cors.disable() }
    // NOTE(review): CSRF protection is off; sound only while authentication is not cookie-based.
    http.csrf { csrf -> csrf.disable() }
    http.exceptionHandling { handling ->
        handling.authenticationEntryPoint(unauthorizedHandler)
    }
    http.authorizeHttpRequests { registry ->
        // First matching rule wins, so the open paths are registered before the catch-all.
        publicPatterns.forEach { pattern ->
            registry.requestMatchers(AntPathRequestMatcher(pattern)).permitAll()
        }
        registry.anyRequest().authenticated()
    }
    http.sessionManagement { sessions ->
        sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    }
    // NOTE(review): drops X-Frame-Options for every response of this chain, not just the console.
    http.headers { headers ->
        headers.frameOptions { frameOptions -> frameOptions.disable() }
    }
    http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter::class.java)

    return http.build()
}

I do not see any difference even in the docs.


There are 1 answers

Anıl Şenocak On BEST ANSWER

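OK, I figured it out: I updated the DSL to use the following matcher for the H2 console, and it worked. The likely reason is that, with Spring MVC on the classpath, the DSL's string-pattern `authorize` builds an MVC matcher, which only matches paths served through the DispatcherServlet; the H2 console is a separate servlet, and `PathRequest.toH2Console()` returns a request matcher for the console's own path.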

// PathRequest (org.springframework.boot.autoconfigure.security.servlet) supplies a RequestMatcher for
// the H2 console path, so this rule does not go through the DSL's String-pattern overload.
// NOTE(review): the console gives direct SQL access; keep an unauthenticated rule for it out of
// production profiles.
authorize(PathRequest.toH2Console(), permitAll)

The full bean definition is:

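/**
 * Security filter chain written with the Spring Security Kotlin DSL, with the H2 console opened through
 * Spring Boot's `PathRequest.toH2Console()` request matcher instead of a string pattern.
 *
 * Requests to the auth, Swagger and H2 console paths are permitted without authentication; everything
 * else must be authenticated. Sessions are stateless and `jwtAuthenticationFilter` runs before
 * [UsernamePasswordAuthenticationFilter].
 *
 * @param http the `HttpSecurity` builder supplied by Spring Security
 * @return the built filter chain
 */
@Bean
fun securityFilterChainDSL(http: HttpSecurity): SecurityFilterChain {
    http {
        cors { disable() }
        // NOTE(review): disabling CSRF protection is only sound while no cookie- or session-based
        // authentication is accepted; presumably the JWT filter below reads a request header. Confirm.
        csrf { disable() }
        exceptionHandling { authenticationEntryPoint = unauthorizedHandler }
        //httpBasic {}
        authorizeRequests {
            // Rules are evaluated in declaration order and the first match wins, so the permitAll
            // entries have to stay above the anyRequest rule.
            authorize("/api/v1/auth/**", permitAll)
            authorize("/api/v1/swagger/**", permitAll)
            authorize("/swagger**/**", permitAll)
            //authorize("/h2-console**/**", permitAll) -> NOT WORKING
            // The matcher comes from Spring Boot and targets the H2 console's own path, so it does not
            // depend on how the DSL interprets a string pattern.
            // NOTE(review): the console gives direct SQL access to the database; this unauthenticated
            // rule belongs in a local development profile only.
            authorize(PathRequest.toH2Console(), permitAll)
            authorize(matches = anyRequest, access = authenticated)
        }
        sessionManagement { sessionCreationPolicy = SessionCreationPolicy.STATELESS }
        // The H2 console renders inside frames served from the same origin, so SAMEORIGIN is enough.
        // Disabling the header altogether would leave every other response of this chain frameable
        // from any site (clickjacking exposure).
        headers { frameOptions { sameOrigin = true } }
        addFilterBefore<UsernamePasswordAuthenticationFilter>(filter = jwtAuthenticationFilter)
    }
    return http.build()
}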