diff --git a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
index 65608e11..c7fa7cca 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
@@ -5,6 +5,7 @@ import lombok.RequiredArgsConstructor;
 import org.raddatz.familienarchiv.service.CustomUserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -19,6 +20,7 @@ import org.springframework.security.web.SecurityFilterChain;
 public class SecurityConfig {
 private final CustomUserDetailsService userDetailsService;
+private final Environment environment;
 
 @Bean
 public PasswordEncoder passwordEncoder() {
@@ -43,11 +45,17 @@ public class SecurityConfig {
 // cookie-based sessions, CSRF protection must be re-enabled.
 .csrf(csrf -> csrf.disable())
-.authorizeHttpRequests(auth -> auth
-// Wir sperren jetzt ALLES. Nur eingeloggte User dürfen irgendwas.
-.anyRequest().authenticated()
-
-)
+.authorizeHttpRequests(auth -> {
+// In dev, allow unauthenticated access to the OpenAPI spec and Swagger UI
+if (environment.matchesProfiles("dev")) {
+auth.requestMatchers(
+"/v3/api-docs/**",
+"/swagger-ui/**",
+"/swagger-ui.html"
+).permitAll();
+}
+auth.anyRequest().authenticated();
+})
 // erlaubt pdf im Iframe
 .headers(headers -> headers
 .frameOptions(frameOptions -> frameOptions.sameOrigin()))