diff --git a/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
index b6817e8e..7abaab41 100755
--- a/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
+++ b/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
@@ -87,8 +87,11 @@ public SecurityFilterChain filterChain(HttpSecurity http, SecurityConf config, U
         final AuthenticationManager authManager = buildAuthenticationManager(http);
         http.authorizeHttpRequests(auth -> auth.requestMatchers("/rest/users/impersonate").
-                hasAuthority(SecurityConstants.ROLE_ADMIN).
-                anyRequest().permitAll())
+                hasAuthority(SecurityConstants.ROLE_ADMIN)
+                .requestMatchers("/auth/*").permitAll()
+                .requestMatchers("/").permitAll()
+                .requestMatchers("/**").hasAuthority(SecurityConstants.ROLE_USER)
+                )
             .cors(auth -> auth.configurationSource(corsConfigurationSource(config)))
             .csrf(AbstractHttpConfigurer::disable)
             .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
diff --git a/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java b/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
index 24c97c39..fea1946e 100644
--- a/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
+++ b/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
@@ -88,6 +88,10 @@ private void addSameSiteCookieAttribute(HttpServletResponse response) {
         String configValue = config.getConfig(ConfigParam.SECURITY_SAME_SITE, "");
         log.debug("SameSite attribute for set-cookie header configured to {}.", configValue);
+        if (configValue.isBlank()) {
+            log.debug("SameSite attribute for set-cookie header not configured.");
+            return;
+        }
         SameSiteValue sameSiteValue = SameSiteValue.getValue(configValue) .orElseThrow(
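Review bot: The new `.requestMatchers("/auth/*").permitAll()` rule matches a single path segment only, so any auth endpoint nested one level deeper (a callback or sub-resource under `/auth/`) falls through to the `/**` rule and now requires `ROLE_USER`; if such endpoints exist, the intended pattern is probably `.requestMatchers("/auth/**").permitAll()`. Replacing the old `anyRequest().permitAll()` with a `ROLE_USER` fallback is the right default, but it also pulls in paths that previously needed no authentication — the framework error dispatch, static resources or health endpoints, if this application serves any — so those should be either explicitly listed as `permitAll()` or confirmed to be absent. A short comment above the matcher chain stating the policy, e.g. `// Deny-by-default: everything not listed above requires an authenticated user`, would make the ordering dependency (the `/` and `/auth/*` rules must precede `/**`) visible to the next editor. The enclosing `filterChain` method continues outside the hunk.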