AB2D-6303 Get CapabilityStatement without bearer token (#1394)

* Add AB2D-6303 logging statements

* Merged and squashed

---------

Co-authored-by: Jeremy Jones <[email protected]>

Author: feralearthman

api/src/main/java/gov/cms/ab2d/api/security/JwtTokenAuthenticationFilter.java

@@ -223,6 +223,11 @@ private boolean shouldBePublic(String requestUri) {
             return true;
         }
 
+        if (requestUri.endsWith("/metadata")) {
+            log.debug("metadata requested");
+            return true;
+        }
+
         return false;
     }
 

api/src/main/java/gov/cms/ab2d/api/security/SecurityConfig.java

@@ -48,7 +48,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
     private final String[] authExceptions = new String[]{"/swagger-ui/**", "/configuration/**",
             "/swagger-resources/**", "/v3/api-docs/**", "/webjars/**",
             AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT,
-            "/metadata"};
+            "/**/metadata"};
 
     @Override
     protected void configure(HttpSecurity security) throws Exception {
@@ -62,9 +62,9 @@ protected void configure(HttpSecurity security) throws Exception {
             // Add a filter to validate the tokens with every request.
             .addFilterAfter(jwtTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
             .authorizeHttpRequests()
+            .antMatchers(authExceptions).permitAll()
             .antMatchers(API_PREFIX_V1 + ADMIN_PREFIX + "/**").hasAuthority(ADMIN_ROLE)
             .antMatchers(API_PREFIX_V1 + FHIR_PREFIX + "/**").hasAnyAuthority(SPONSOR_ROLE)
-                .antMatchers(authExceptions).permitAll()
             .anyRequest().authenticated();
 
         // Override default behavior to add more informative logs