Merge pull request #97 from kbss-cvut/fix/security

Fix/security

src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java

@@ -87,8 +87,11 @@ public SecurityFilterChain filterChain(HttpSecurity http, SecurityConf config, U
         final AuthenticationManager authManager = buildAuthenticationManager(http);
         http.authorizeHttpRequests(auth ->
                         auth.requestMatchers("/rest/users/impersonate").
-                                hasAuthority(SecurityConstants.ROLE_ADMIN).
-                                anyRequest().permitAll())
+                                hasAuthority(SecurityConstants.ROLE_ADMIN)
+                            .requestMatchers("/auth/*").permitAll()
+                            .requestMatchers("/").permitAll()
+                            .requestMatchers("/**").hasAuthority(SecurityConstants.ROLE_USER)
+                )
                 .cors(auth -> auth.configurationSource(corsConfigurationSource(config)))
                 .csrf(AbstractHttpConfigurer::disable)
                 .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)

src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java

@@ -88,6 +88,10 @@ private void addSameSiteCookieAttribute(HttpServletResponse response) {
         String configValue = config.getConfig(ConfigParam.SECURITY_SAME_SITE, "");
 
         log.debug("SameSite attribute for set-cookie header configured to {}.", configValue);
+        if (configValue.isBlank()) {
+            log.debug("SameSite attribute for set-cookie header not configured.");
+            return;
+        }
 
         SameSiteValue sameSiteValue = SameSiteValue.getValue(configValue)
                 .orElseThrow(