From b6280d4fe51dd2b47b7e068119b66e37e0346cb0 Mon Sep 17 00:00:00 2001
From: Alex Prudencio
Date: Tue, 6 Aug 2024 23:01:45 -0400
Subject: [PATCH] fix h2-console
---
 .../primefactorsolutions/config/SecurityConfig.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/primefactorsolutions/config/SecurityConfig.java b/src/main/java/com/primefactorsolutions/config/SecurityConfig.java
index a154390..5abe3a0 100644
--- a/src/main/java/com/primefactorsolutions/config/SecurityConfig.java
+++ b/src/main/java/com/primefactorsolutions/config/SecurityConfig.java
@@ -6,8 +6,10 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.config.ldap.LdapBindAuthenticationManagerFactory;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -19,8 +21,14 @@ public class SecurityConfig extends VaadinWebSecurity {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.authorizeHttpRequests(auth ->
- auth.requestMatchers(
- AntPathRequestMatcher.antMatcher(HttpMethod.GET, "/images/*.png")).permitAll());
+ auth
+ .requestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")).permitAll()
+ .requestMatchers(
+ AntPathRequestMatcher.antMatcher(HttpMethod.GET, "/images/*.png")).permitAll())
+ .headers(headers -> headers.frameOptions(frameOptionsConfig -> {
+ //no-op
+ }).disable())
+ .csrf(csrf -> csrf.ignoringRequestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")));
 super.configure(http);
 setLoginView(http, LoginView.class);
 }
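Review bot: The `.disable()` at the end of `headers.frameOptions(frameOptionsConfig -> { }).disable()` is called on the `HeadersConfigurer` that `frameOptions(...)` returns, not on the frame-options config, so it switches off every default response header (X-Content-Type-Options, HSTS, cache control, X-Frame-Options) for the whole application instead of only relaxing framing for the console. `headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)` is enough for the H2 console's frames and would put the newly imported `HeadersConfigurer` to use; `Customizer` looks unused in the lines shown. Separately, the `permitAll()` and the CSRF exemption for `/h2-console/**` are unconditional, and the console gives whoever reaches it SQL access to the database, so both rules should be applied only when a development profile or the console's enable property is active. A short comment above the matcher such as `// dev only: H2 console, must not be reachable in production` would make that intent visible to the next reader.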