Describe the bug

I'm trying to secure the access to "/h2-console/**"; the same code works well with spring boot 2.3.7 (security 5.3.6) while it doesn't work with spring boot 2.7.6 (security 5.7.5).

To Reproduce

Steps to reproduce the behavior.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
        .antMatchers("/h2-console/**").authenticated()
        .anyRequest().authenticated()
        .and().formLogin()
        .and().csrf().ignoringAntMatchers("/h2-console/**")
        .and().headers().frameOptions().sameOrigin();
    }

Expected behavior

I'm allowed to see the "h2-console" login page. When I click the "connect" button with correct configuration, I'm allowed to access h2-console.

Actual result

I'm allowed to access h2-console with spring boot 2.3.7 (security 5.3.6) while I just get the Whitelabel Error Page (404) with spring boot 2.7.6 (security 5.7.5).

Comment From: jzheaux

@liyi93319 thanks for reaching out.

It's not clear to me what you mean that it "works well" on one version but not another. Will you please update your description to include what errors or unwanted behavior you are seeing?

Comment From: liyi93319

Thanks for the reminder. Updated.

Comment From: jzheaux

What request is giving a 404? If it is /h2-console that is one issue, if it is the login page itself, that may be another.

Also, I wonder if it would be quicker for you to post a minimal Spring Boot sample that reproduces the issue, ideally something that can be downloaded or cloned.

Comment From: marcusdacoregio

Might be related to https://github.com/spring-projects/spring-security/issues/12310#issuecomment-1328990026

Comment From: liyi93319

> What request is giving a 404? If it is /h2-console that is one issue, if it is the login page itself, that may be another.
>
> Also, I wonder if it would be quicker for you to post a minimal Spring Boot sample that reproduces the issue, ideally something that can be downloaded or cloned.

Access to the H2 console login page causes a 404.

Here is the sample code:

login-daoauthenticationprovider.zip

Comment From: marcusdacoregio

@liyi93319, did you enable the H2 console?

    spring.h2.console.enabled=true

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

Comment From: RufusWein

I had the same issue (Spring Boot 2.5.3 & Security 5.3.6) and solved it this way:

    spring.h2.console.path=/h2

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
            .antMatchers("/h2/**");
    }

I hope I can help you,

regards
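
`web.ignoring()` takes the matched paths out of the Spring Security filter chain altogether, so the console under that path is served without authentication. An alternative that keeps it behind the login form, as an added example that is not part of the thread or of Spring Security's own code: it assumes Spring Security 5.7 component-style configuration and an enabled console (`spring.h2.console.enabled=true`), and the class name is hypothetical.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; added example, not code from the issue thread.
@Configuration
public class H2ConsoleSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Spring Boot's matcher for the console; it follows spring.h2.console.path,
        // so the rule does not have to hard-code "/h2-console/**" or "/h2/**".
        // Assumption: the console is enabled, so its properties bean exists.
        RequestMatcher h2Console = PathRequest.toH2Console();

        http
            // The console stays inside the filter chain and requires a login,
            // unlike web.ignoring(), which bypasses Spring Security for the path.
            .authorizeRequests(auth -> auth
                .requestMatchers(h2Console).authenticated()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // The console's own forms carry no CSRF token, so CSRF protection is
            // relaxed for the console only, not for the rest of the application.
            .csrf(csrf -> csrf.ignoringRequestMatchers(h2Console))
            // The console UI is built from frames; allow same-origin framing only.
            .headers(headers -> headers.frameOptions().sameOrigin());

        return http.build();
    }
}
```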