From dbf875ca7c2cb7ea54dee8e4a62f5fc05def802d Mon Sep 17 00:00:00 2001
From: Bogdan Kostov
Date: Thu, 16 May 2024 12:14:36 +0200
Subject: [PATCH 1/2] Fix security config for sameSite cookieAttribute - skip configuration if parameter sameSite not set and print a debug message
---
 .../cz/cvut/kbss/analysis/security/AuthenticationSuccess.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java b/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
index 24c97c39..fea1946e 100644
--- a/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
+++ b/src/main/java/cz/cvut/kbss/analysis/security/AuthenticationSuccess.java
@@ -88,6 +88,10 @@ private void addSameSiteCookieAttribute(HttpServletResponse response) {
 String configValue = config.getConfig(ConfigParam.SECURITY_SAME_SITE, "");
 log.debug("SameSite attribute for set-cookie header configured to {}.", configValue);
+ if (configValue.isBlank()) {
+ log.debug("SameSite attribute for set-cookie header not configured.");
+ return;
+ }
 SameSiteValue sameSiteValue = SameSiteValue.getValue(configValue)
 .orElseThrow(
From 375031b31790fd331cc0028b589f040ef98f2aac Mon Sep 17 00:00:00 2001
From: Bogdan Kostov
Date: Fri, 17 May 2024 10:54:24 +0200
Subject: [PATCH 2/2] Fix security filter
---
 .../java/cz/cvut/kbss/analysis/config/SecurityConfig.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
index b6817e8e..7abaab41 100755
--- a/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
+++ b/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
@@ -87,8 +87,11 @@ public SecurityFilterChain filterChain(HttpSecurity http, SecurityConf config, U
 final AuthenticationManager authManager = buildAuthenticationManager(http);
 http.authorizeHttpRequests(auth -> auth.requestMatchers("/rest/users/impersonate").
- hasAuthority(SecurityConstants.ROLE_ADMIN).
- anyRequest().permitAll())
+ hasAuthority(SecurityConstants.ROLE_ADMIN)
+ .requestMatchers("/auth/*").permitAll()
+ .requestMatchers("/").permitAll()
+ .requestMatchers("/**").hasAuthority(SecurityConstants.ROLE_USER)
+ )
 .cors(auth -> auth.configurationSource(corsConfigurationSource(config)))
 .csrf(AbstractHttpConfigurer::disable)
 .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
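Review bot: The new catch-all `.requestMatchers("/**").hasAuthority(SecurityConstants.ROLE_USER)` denies any authenticated principal that does not hold ROLE_USER, so an account granted only ROLE_ADMIN would be shut out of every path except `/rest/users/impersonate` unless a role hierarchy maps ROLE_ADMIN onto ROLE_USER; that cannot be seen from this hunk, so it is worth pinning with a test for an admin-only principal. The added `"/auth/*"` pattern matches a single path segment, so any nested endpoint under `/auth/` would now fall through to the ROLE_USER rule — fine if the auth endpoints are flat, but the choice of `*` over `**` should be deliberate. Spring Boot's `/error` dispatch is presumably also caught by `/**`, which would turn unauthenticated error responses into 401/403 instead of the error body; confirm that is intended. A one-line comment above the catch-all would make the default-deny intent explicit for whoever adds the next matcher: `// Default rule: any path not matched above requires ROLE_USER; add more specific matchers before this line.` The body of filterChain starts before and continues after this hunk.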