Hello.

Your problem is not related to H2 and is not related to your web
server. The problem is in CommonsRequestLoggingFilter from Spring or in
its configuration. Why does it log requests to H2 Console? You need to exclude
H2 Console URLs and possibly other unrelated URLs for that filter. H2
Console passes passwords as POST parameters just like most other web
applications; just don't log them.

From a security perspective you shouldn't use H2 Console launched from
third-party libraries. It would be much safer to configure it yourself
in a secure way with appropriate security constraints, or at least add
additional security constraints. H2 Console needs protection from
unauthorized users, especially in old versions of H2. Normally you should
create user(s) on your web server (see its documentation for details) and a
role, and configure access only to users that have that role:
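
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>H2 Console</web-resource-name>
        <!-- The prefix pattern covers /h2-console and every path below it;
             a bare /h2-console would match only that exact path. -->
        <url-pattern>/h2-console/*</url-pattern>
      </web-resource-collection>
      <!-- Only authenticated users with the admin role may access it. -->
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
      <!-- Require TLS so BASIC credentials are not sent in clear text. -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <!-- Declare the role referenced by the auth-constraint above. -->
    <security-role>
      <role-name>admin</role-name>
    </security-role>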
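
One way to exclude the H2 Console URLs from CommonsRequestLoggingFilter, as the message recommends. This is an added example, not code from the original message or from the Spring or H2 projects. It assumes Spring Framework 6 (jakarta.servlet imports; older versions use javax.servlet) and a console served under /h2-console, and the class name RequestLoggingConfig is hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.CommonsRequestLoggingFilter;

@Configuration
public class RequestLoggingConfig {

    // Assumed console location, taken from the url-pattern in the message.
    private static final String H2_CONSOLE_PATH = "/h2-console";

    @Bean
    public CommonsRequestLoggingFilter requestLoggingFilter() {
        CommonsRequestLoggingFilter filter = new CommonsRequestLoggingFilter() {
            // OncePerRequestFilter hook: returning true skips this filter
            // entirely, so neither the query string nor the POST body
            // (which carries the console password) reaches the log.
            @Override
            protected boolean shouldNotFilter(HttpServletRequest request) {
                // Path inside the application, without the context path.
                String path = request.getRequestURI()
                        .substring(request.getContextPath().length());
                return path.equals(H2_CONSOLE_PATH)
                        || path.startsWith(H2_CONSOLE_PATH + "/");
            }
        };
        filter.setIncludeQueryString(true);
        filter.setIncludePayload(true);     // request bodies are logged...
        filter.setMaxPayloadLength(2048);   // ...up to this many characters
        filter.setIncludeHeaders(false);    // keeps Authorization headers out of the log
        return filter;
    }
}
```

Any other endpoint that accepts credentials or tokens in its body or query string needs the same exclusion, since the filter logs whatever it is allowed to see.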