From e85a67069506eaca79fc8041bf95afd89fda2ac9 Mon Sep 17 00:00:00 2001
From: Paulo Gustavo Veiga <pveiga@wisemapping.com>
Date: Wed, 23 Aug 2023 08:15:39 -0700
Subject: [PATCH] Fix embedded view issue.

---
 .../wisemapping/config/SecurityConfig.java    | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java b/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
index fa362d4d..da8baa29 100644
--- a/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
@@ -34,6 +34,22 @@ public class SecurityConfig {
         firewall.setAllowSemicolon(true);
         return firewall;
     }
+    @Bean
+    @Order(1)
+    public SecurityFilterChain embeddedDisabledXOrigin(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
+        final MvcRequestMatcher.Builder mvcMatcher = new MvcRequestMatcher.Builder(introspector).servletPath("/c");
+        http
+                .securityMatchers((matchers) ->
+                        matchers.requestMatchers(mvcMatcher.pattern(("/maps/*/embed"))))
+                .authorizeHttpRequests(
+                        (auth) -> auth.requestMatchers(mvcMatcher.pattern("/maps/*/embed")).permitAll())
+                .headers((header -> header.frameOptions()
+                        .disable()
+                ))
+                .csrf(AbstractHttpConfigurer::disable);
+
+        return http.build();
+    }
 
     @Bean
     @Order(2)
@@ -59,7 +75,7 @@ public class SecurityConfig {
     }
 
     @Bean
-    @Order(1)
+    @Order(3)
     public SecurityFilterChain mvcFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
         final AuthenticationSuccessHandler authenticationSuccessHandler = new AuthenticationSuccessHandler();
         authenticationSuccessHandler.setAlwaysUseDefaultTargetUrl(false);
@@ -84,7 +100,6 @@ public class SecurityConfig {
 
                                         .requestMatchers(mvcMatcher.pattern("/forgot-password")).permitAll()
                                         .requestMatchers(mvcMatcher.pattern("/forgot-password-success")).permitAll()
-                                        .requestMatchers(mvcMatcher.pattern("/maps/*/embed")).permitAll()
                                         .requestMatchers(mvcMatcher.pattern("/maps/*/try")).permitAll()
                                         .requestMatchers(mvcMatcher.pattern("/maps/*/public")).permitAll()
                                         .requestMatchers(restfullMapper.pattern("/maps/*/document/xml-pub")).permitAll()
@@ -108,7 +123,9 @@ public class SecurityConfig {
                                 .tokenValiditySeconds(2419200)
                                 .rememberMeParameter("remember-me"
                                 ).authenticationSuccessHandler(authenticationSuccessHandler)
-                )
+                ).headers((header -> header.frameOptions()
+                        .disable()
+                ))
                 .csrf((csrf) ->
                         csrf.ignoringRequestMatchers(mvcMatcher.pattern("/logout")));
 
@@ -116,7 +133,7 @@ public class SecurityConfig {
     }
 
     @Bean
-    @Order(3)
+    @Order(4)
     public SecurityFilterChain shareResourcesFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
         final MvcRequestMatcher.Builder restfullMapper = new MvcRequestMatcher.Builder(introspector);
 
@@ -130,6 +147,8 @@ public class SecurityConfig {
         ).build();
     }
 
+
+
     @Bean
     public UserDetailsService userDetailsService() {
         final UserDetailsService result = new UserDetailsService();