Describe the bug
I'm struggling to access my h2-console under the protection of Spring Security 6.0. Almost the same code works with Spring Security 5.7.5, though it doesn't work with Spring Security 6.0.
To Reproduce
Here is the code I tried with Spring Security 6.0:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .requestMatchers("/h2-console/**").authenticated()
                .anyRequest().authenticated()
            )
            .formLogin(formLogin -> formLogin
                .permitAll()
            )
            .csrf(csrf -> csrf
                .ignoringRequestMatchers("/h2-console/**"))
            .headers(headers -> headers
                .frameOptions().sameOrigin());
        return http.build();
    }

Expected behavior
The code block above is expected to allow access to h2-console, as the code below does:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/h2-console/**").authenticated()
                .anyRequest().authenticated()
            )
            .formLogin(formLogin -> formLogin
                .permitAll()
            )
            .csrf(csrf -> csrf
                .ignoringAntMatchers("/h2-console/**"))
            .headers(headers -> headers
                .frameOptions().sameOrigin());
        return http.build();
    }

Actual result
I can see the h2-console login page, though a 403 shows up every time I try to go inside by clicking the connect button with.
Comment From: marcusdacoregio
Hi @liyi93319,
I believe this is a duplicate of https://github.com/spring-projects/spring-security/issues/12310#issuecomment-1328990026, can you confirm that?
Comment From: liyi93319
@marcusdacoregio Thanks for your reply. Does it mean antMatcher("/h2-console/**") is equivalent to

    MvcRequestMatcher h2RequestMatcher = new MvcRequestMatcher(introspector, "/**");
    h2RequestMatcher.setServletPath("/h2-console");
    ...
    .requestMatchers(h2RequestMatcher)
    ...

Comment From: marcusdacoregio
Hi @liyi93319.
No, they are not equivalent. One creates an AntPathRequestMatcher and the other creates an MvcRequestMatcher. If you are creating a Spring MVC application it’s recommended that you use mvc matchers.
Comment From: marcusdacoregio
I’m closing this since it appears to be a duplicate.
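
Added example, not code posted by anyone in this thread: a Spring Security 6.0 configuration that passes an explicit AntPathRequestMatcher for the console path, so the same matcher type as the 5.7.5 `antMatchers` version is used for both the authorization rule and the CSRF exemption. The class name is hypothetical, and it assumes the H2 console servlet is registered at `/h2-console` outside the Spring MVC DispatcherServlet.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class H2ConsoleSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Explicit Ant-style matcher: it is evaluated against the request path
        // (servlet path + path info), with no involvement of Spring MVC.
        // Assumption: the H2 console servlet is mapped at /h2-console.
        RequestMatcher h2Console = AntPathRequestMatcher.antMatcher("/h2-console/**");

        http
            .authorizeHttpRequests(authorize -> authorize
                // Passing a RequestMatcher instance avoids the String overload,
                // which picks the matcher type for you.
                .requestMatchers(h2Console).authenticated()
                .anyRequest().authenticated()
            )
            .formLogin(formLogin -> formLogin
                .permitAll()
            )
            // CSRF protection stays enabled everywhere except the console,
            // whose "Connect" form POST carries no CSRF token.
            .csrf(csrf -> csrf
                .ignoringRequestMatchers(h2Console))
            // The console UI is rendered in frames, so allow same-origin framing only.
            .headers(headers -> headers
                .frameOptions().sameOrigin());
        return http.build();
    }
}
```

Reusing one matcher instance keeps the CSRF exemption scoped to exactly the paths covered by the authorization rule, so the two cannot drift apart.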