From c2062a668e3b0b9ca93969bb925f2614f5820e03 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Thu, 10 Nov 2022 16:27:23 -0700
Subject: [PATCH] SHIBUI-2452 "unlocking" the MDQ endpoint
---
 .../admin/ui/configuration/auto/WebSecurityConfig.java | 2 +-
 .../src/main/java/net/unicon/shibui/pac4j/WebSecurity.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
index 93491c72e..f2135109e 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
@@ -88,7 +88,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
 .and()
 .authorizeRequests()
- .antMatchers("/unsecured/**/*").permitAll()
+ .antMatchers("/unsecured/**/*","/entities/**/*").permitAll()
 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
 .and()
 .exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 2c6ba0099..afc7ae437 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
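Review bot: The new `permitAll()` on `/entities/**/*` in WebSecurityConfig.java is not tied to an HTTP method, so every verb under that prefix becomes anonymous, not only the read an MDQ lookup needs. If any controller maps POST, PUT or DELETE under `/entities` (not visible in this patch), those handlers lose the `hasAnyRole(acceptedAuthenticationRoles)` check as well. A separate, narrower rule would keep the exposure to the lookup itself: `.antMatchers(HttpMethod.GET, "/entities/**/*").permitAll()`, with a short comment such as `// MDQ metadata lookup is intentionally public (SHIBUI-2452)`. The same pattern is added to `http.authorizeRequests()` in the first WebSecurity.java hunk and the same point applies there; `configure` starts and ends outside both hunks.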
@@ -64,7 +64,7 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
+ http.authorizeRequests().antMatchers("/unsecured/**/*","/entities/**/*").permitAll();
 // adding the authorizer bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
 final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
@@ -120,7 +120,7 @@ public void configure(org.springframework.security.config.annotation.web.builder
 web.httpFirewall(firewall);
 // These don't need to be secured
- web.ignoring().antMatchers("/favicon.ico", "/unsecured/**/*", "/assets/**/*.png", "/static/**/*", "/**/*.css");
+ web.ignoring().antMatchers("/favicon.ico", "/unsecured/**/*", "/assets/**/*.png", "/static/**/*", "/**/*.css", "/entities/**/*");
 }
 }
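Review bot: Adding `/entities/**/*` to `web.ignoring()` in the last hunk takes the MDQ path out of the Spring Security filter chain altogether, so no CSRF check, security response headers or authentication context apply to it for any HTTP method. That is a wider bypass than the static assets the existing comment `// These don't need to be secured` describes, and it makes the `permitAll()` entry added in the previous hunk of this file redundant, because ignored requests never reach `authorizeRequests()`. If the ignore entry is only there because the pac4j `SecurityFilter` would otherwise challenge the request (its registration is outside the hunk), keep it narrow and say why: `web.ignoring().antMatchers(HttpMethod.GET, "/entities/**/*"); // public MDQ lookup, read-only`. Otherwise I would drop the pattern from this list and rely on the `permitAll()` rule alone.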