From 58d1c685bb30d9fbb39f224e5cf6f341c445daa9 Mon Sep 17 00:00:00 2001
From: Kai Volland
Date: Mon, 13 May 2024 16:15:15 +0200
Subject: [PATCH] feat: anonymous access to graphql interface

BREAKING CHANGE: anonymous access to graphql interface
---
 .../shogun/config/DefaultWebSecurityConfig.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/shogun-config/src/main/java/de/terrestris/shogun/config/DefaultWebSecurityConfig.java b/shogun-config/src/main/java/de/terrestris/shogun/config/DefaultWebSecurityConfig.java
index f6c9396f..55353539 100644
--- a/shogun-config/src/main/java/de/terrestris/shogun/config/DefaultWebSecurityConfig.java
+++ b/shogun-config/src/main/java/de/terrestris/shogun/config/DefaultWebSecurityConfig.java
@@ -47,8 +47,7 @@ default void customHttpConfiguration(HttpSecurity http) throws Exception {
 "/graphiql/**"
 )
 .permitAll()
- // Enable anonymous read access to entity endpoints
- // will be secured via permission evaluators
+ // Enable anonymous read access to entity endpoints (secured via permission evaluators)
 .requestMatchers(
 HttpMethod.GET,
 "/applications",
@@ -61,6 +60,12 @@ default void customHttpConfiguration(HttpSecurity http) throws Exception {
 "/imagefiles/*"
 )
 .permitAll()
+ // Enable anonymous access to graphql (secured via permission evaluators)
+ .requestMatchers(
+ HttpMethod.POST,
+ "/graphql"
+ )
+ .permitAll()
 .requestMatchers(
 "/actuator/**",
 "/cache/**",
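Review bot: The added `.requestMatchers(HttpMethod.POST, "/graphql").permitAll()` rule in the second hunk opens the whole GraphQL endpoint to unauthenticated callers. Unlike the GET-only entity matchers above it, a single POST route carries mutations as well as queries, so the URL layer no longer separates read from write. The comment says access is "secured via permission evaluators", but nothing in this hunk shows that every data fetcher, mutations included, is covered by one; that should be confirmed, ideally with a test asserting that an anonymous mutation is rejected, before this becomes the default. I would make the comment state the dependency explicitly, e.g. `// Anonymous POST /graphql: queries AND mutations reach the resolvers unauthenticated; authorization relies entirely on the permission evaluators`. It is also worth deciding whether anonymous callers need query depth/complexity limits or restricted introspection, since the hunk adds none; `customHttpConfiguration` starts and ends outside the hunk, so CSRF and the remaining matchers cannot be judged from here.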