From 5844ddcd5ff39f667bdf9703a5ed1955127dc211 Mon Sep 17 00:00:00 2001
From: pabloFuente
Date: Wed, 4 Jul 2018 11:24:32 +0200
Subject: [PATCH] openvidu-server: HTTP REST security rules updated
---
 .../server/config/SecurityConfig.java | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
index 33ad619c..0979d0b4 100644
--- a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
+++ b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
@@ -37,18 +37,25 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 // Security for API REST
 ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry conf = http.cors().and()
- .csrf().disable().authorizeRequests().antMatchers(HttpMethod.POST, "/api/sessions").authenticated()
- .antMatchers(HttpMethod.POST, "/api/sessions/**").authenticated()
+ .csrf().disable().authorizeRequests()
+ // /api/sessions
 .antMatchers(HttpMethod.GET, "/api/sessions").authenticated()
 .antMatchers(HttpMethod.GET, "/api/sessions/**").authenticated()
+ .antMatchers(HttpMethod.POST, "/api/sessions").authenticated()
+ .antMatchers(HttpMethod.POST, "/api/sessions/**").authenticated()
+ // /api/tokens
 .antMatchers(HttpMethod.POST, "/api/tokens").authenticated()
- .antMatchers(HttpMethod.POST, "/api/recordings/start").authenticated()
- .antMatchers(HttpMethod.POST, "/api/recordings/stop").authenticated()
+ // /api/recordings
 .antMatchers(HttpMethod.GET, "/api/recordings").authenticated()
 .antMatchers(HttpMethod.GET, "/api/recordings/**").authenticated()
+ .antMatchers(HttpMethod.POST, "/api/recordings/start").authenticated()
+ .antMatchers(HttpMethod.POST, "/api/recordings/stop").authenticated()
 .antMatchers(HttpMethod.DELETE, "/api/recordings/**").authenticated()
- .antMatchers(HttpMethod.GET, "/config/openvidu-publicurl").anonymous()
- .antMatchers(HttpMethod.GET, "/config/**").authenticated();
+ // /api/config
+ .antMatchers(HttpMethod.GET, "/config/openvidu-publicurl").permitAll()
+ .antMatchers(HttpMethod.GET, "/config/**").authenticated()
+ // Dashboard
+ .antMatchers("/").authenticated();
 // Security for layouts
 conf.antMatchers("/layouts/*").authenticated();
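Review bot: The reordered chain still protects only the method/path pairs it enumerates, so a request that matches none of them (a `DELETE` on `/api/sessions/**`, say, or any verb on a later-added `/api/...` route) gets no access rule here. Unless a catch-all is configured further down in the method, which continues outside this hunk, Spring Security by default lets such requests through unauthenticated. A method-agnostic `.antMatchers("/api/**").authenticated()` after the per-route entries, or a closing `.anyRequest().authenticated()` once the public paths carry `permitAll()`, would make the policy fail closed. The new `.antMatchers("/")` matches only the exact root path, so it is worth confirming whether the dashboard is also reachable via other paths (an index page, static assets) that this rule does not cover. The `// /api/config` comment labels rules whose patterns are `/config/...`; it should read `// /config`.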