http
.csrf()
/**
- * The Facebook-Canvas does not send a proper CSRF-token in its
- * POST-requests. Hence, this feature has to be disabled for all
- * pages, that receive an initial call from the Facebook-Canvas.
+ * Neither the Facebook-Canvas nor the H2-console does send a proper
+ * CSRF-token in its POST-requests. Hence, this feature has to be
+ * disabled for this pages.
*/
- .ignoringAntMatchers("/canvas/*")
+ .ignoringAntMatchers("/canvas/*", "/h2-console/*")
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
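Review bot: The added `"/h2-console/*"` matcher switches CSRF protection off for the H2 console unconditionally, and nothing in this hunk restricts that to a development profile. The console accepts arbitrary SQL, so with the exemption in place its only protection is whatever authorization rule and enable flag apply to that path, neither of which is visible here. I would keep the exemption only where the console is actually enabled and say so in the comment, e.g. `* Development only: the H2 console must stay disabled (spring.h2.console.enabled=false) in production.`, assuming this is a Spring Boot application. The comment's wording could be fixed at the same time ("sends", "these pages"). The configuration chain begins and continues outside the hunk.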