bytechefhq · igorbeslic · Aug 25, 2025 · Aug 14, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/...orm/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts b/...orm/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts
@@ -13,6 +13,7 @@ dependencies {
     implementation(project(":server:libs:core:tenant:tenant-api"))
     implementation(project(":server:libs:platform:platform-component:platform-component-api"))
     implementation(project(":server:libs:platform:platform-file-storage:platform-file-storage-api"))
+    implementation(project(":server:libs:platform:platform-security-web:platform-security-web-api"))
     implementation(project(":server:libs:platform:platform-webhook:platform-webhook-rest:platform-webhook-rest-api"))
     implementation(project(":server:libs:platform:platform-workflow:platform-workflow-execution:platform-workflow-execution-api"))
 

diff --git a/...hef/ee/automation/apiplatform/handler/web/security/config/ApiPlatformCsrfContributor.java b/...hef/ee/automation/apiplatform/handler/web/security/config/ApiPlatformCsrfContributor.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.ee.automation.apiplatform.handler.web.security.config;
+
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class ApiPlatformCsrfContributor implements CsrfContributor {
+
+    @Override
+    public List<RequestMatcher> getIgnoringRequestMatchers() {
+        return List.of(
+            PathPatternRequestMatcher.withDefaults()
+                .matcher("/api/o/**"));
+    }
+}
diff --git a/...tion/ApiClientAuthenticationProvider.java → ...on/ApiPlatformAuthenticationProvider.java b/...tion/ApiClientAuthenticationProvider.java → ...on/ApiPlatformAuthenticationProvider.java
@@ -22,35 +22,35 @@
  *
  * @author Ivica Cardic
  */
-public class ApiClientAuthenticationProvider implements AuthenticationProvider {
+public class ApiPlatformAuthenticationProvider implements AuthenticationProvider {
 
     private final ApiClientService apiClientService;
 
     @SuppressFBWarnings("EI")
-    public ApiClientAuthenticationProvider(ApiClientService apiClientService) {
+    public ApiPlatformAuthenticationProvider(ApiClientService apiClientService) {
         this.apiClientService = apiClientService;
     }
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-        ApiClientKeyAuthenticationToken apiClientKeyAuthenticationToken =
-            (ApiClientKeyAuthenticationToken) authentication;
+        ApiPlatformKeyAuthenticationToken apiPlatformKeyAuthenticationToken =
+            (ApiPlatformKeyAuthenticationToken) authentication;
 
         Optional<ApiClient> apiClientOptional = apiClientService.fetchApiClient(
-            apiClientKeyAuthenticationToken.getSecretKey());
+            apiPlatformKeyAuthenticationToken.getSecretKey());
 
         if (apiClientOptional.isEmpty()) {
             throw new BadCredentialsException("Unknown API secret key");
         }
 
         ApiClient apiClient = apiClientOptional.get();
 
-        return new ApiClientKeyAuthenticationToken(createSpringSecurityUser(apiClient.getName()));
+        return new ApiPlatformKeyAuthenticationToken(createSpringSecurityUser(apiClient.getName()));
     }
 
     @Override
     public boolean supports(Class<?> authentication) {
-        return authentication.equals(ApiClientKeyAuthenticationToken.class);
+        return authentication.equals(ApiPlatformKeyAuthenticationToken.class);
     }
 
     private org.springframework.security.core.userdetails.User createSpringSecurityUser(String secretKey) {

diff --git a/...tion/ApiClientKeyAuthenticationToken.java → ...on/ApiPlatformKeyAuthenticationToken.java b/...tion/ApiClientKeyAuthenticationToken.java → ...on/ApiPlatformKeyAuthenticationToken.java
@@ -16,18 +16,18 @@
  *
  * @author Ivica Cardic
  */
-public class ApiClientKeyAuthenticationToken extends AbstractPublicApiAuthenticationToken {
+public class ApiPlatformKeyAuthenticationToken extends AbstractPublicApiAuthenticationToken {
 
     private String secretKey;
 
-    public ApiClientKeyAuthenticationToken(String secretKey, String tenantId) {
+    public ApiPlatformKeyAuthenticationToken(String secretKey, String tenantId) {
         super(tenantId);
 
         this.secretKey = secretKey;
     }
 
     @SuppressFBWarnings("EI")
-    public ApiClientKeyAuthenticationToken(User user) {
+    public ApiPlatformKeyAuthenticationToken(User user) {
         super(user);
     }
 

diff --git a/...uthenticationFilterBeforeContributor.java → ...uthenticationFilterBeforeContributor.java b/...uthenticationFilterBeforeContributor.java → ...uthenticationFilterBeforeContributor.java
@@ -5,9 +5,10 @@
  * you may not use this file except in compliance with the Enterprise License.
  */
 
-package com.bytechef.ee.automation.apiplatform.handler.security.web.filter;
+package com.bytechef.ee.automation.apiplatform.handler.security.web.config;
 
-import com.bytechef.platform.security.web.filter.FilterBeforeContributor;
+import com.bytechef.ee.automation.apiplatform.handler.security.web.filter.ApiPlatformApiAuthenticationFilter;
+import com.bytechef.platform.security.web.config.FilterBeforeContributor;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import jakarta.servlet.Filter;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -20,12 +21,12 @@
  * @author Ivica Cardic
  */
 @Component
-public class ApiClientAuthenticationFilterBeforeContributor implements FilterBeforeContributor {
+public class ApiPlatformApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor {
 
     @Override
     @SuppressFBWarnings("EI")
     public Filter getFilter(AuthenticationManager authenticationManager) {
-        return new ApiClientAuthenticationFilter(authenticationManager);
+        return new ApiPlatformApiAuthenticationFilter(authenticationManager);
     }
 
     @Override

diff --git a/...entAuthenticationProviderContributor.java → ...ormAuthenticationProviderContributor.java b/...entAuthenticationProviderContributor.java → ...ormAuthenticationProviderContributor.java
@@ -5,10 +5,11 @@
  * you may not use this file except in compliance with the Enterprise License.
  */
 
-package com.bytechef.ee.automation.apiplatform.handler.security.web.authentication;
+package com.bytechef.ee.automation.apiplatform.handler.security.web.config;
 
 import com.bytechef.ee.automation.apiplatform.configuration.service.ApiClientService;
-import com.bytechef.platform.security.web.authentication.AuthenticationProviderContributor;
+import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiPlatformAuthenticationProvider;
+import com.bytechef.platform.security.web.config.AuthenticationProviderContributor;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.stereotype.Component;
@@ -19,17 +20,17 @@
  * @author Ivica Cardic
  */
 @Component
-public class ApiClientAuthenticationProviderContributor implements AuthenticationProviderContributor {
+public class ApiPlatformAuthenticationProviderContributor implements AuthenticationProviderContributor {
 
     private final ApiClientService apiClientService;
 
     @SuppressFBWarnings("EI")
-    public ApiClientAuthenticationProviderContributor(ApiClientService apiClientService) {
+    public ApiPlatformAuthenticationProviderContributor(ApiClientService apiClientService) {
         this.apiClientService = apiClientService;
     }
 
     @Override
     public AuthenticationProvider getAuthenticationProvider() {
-        return new ApiClientAuthenticationProvider(apiClientService);
+        return new ApiPlatformAuthenticationProvider(apiClientService);
     }
 }
diff --git a/...filter/ApiClientAuthenticationFilter.java → ...r/ApiPlatformApiAuthenticationFilter.java b/...filter/ApiClientAuthenticationFilter.java → ...r/ApiPlatformApiAuthenticationFilter.java
@@ -7,8 +7,8 @@
 
 package com.bytechef.ee.automation.apiplatform.handler.security.web.filter;
 
-import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiClientKeyAuthenticationToken;
-import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter;
+import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiPlatformKeyAuthenticationToken;
+import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter;
 import com.bytechef.tenant.domain.TenantKey;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import jakarta.servlet.http.HttpServletRequest;
@@ -20,10 +20,10 @@
  *
  * @author Ivica Cardic
  */
-public class ApiClientAuthenticationFilter extends AbstractPublicApiAuthenticationFilter {
+public class ApiPlatformApiAuthenticationFilter extends AbstractApiAuthenticationFilter {
 
     @SuppressFBWarnings("EI")
-    public ApiClientAuthenticationFilter(AuthenticationManager authenticationManager) {
+    public ApiPlatformApiAuthenticationFilter(AuthenticationManager authenticationManager) {
         super("^/api/o/.+", authenticationManager);
     }
 
@@ -32,6 +32,6 @@ protected Authentication getAuthentication(HttpServletRequest request) {
 
         TenantKey tenantKey = TenantKey.parse(token);
 
-        return new ApiClientKeyAuthenticationToken(token, tenantKey.getTenantId());
+        return new ApiPlatformKeyAuthenticationToken(token, tenantKey.getTenantId());
     }
 }
diff --git a/...on/AuthenticationProviderContributor.java → ...erverAuthorizeHttpRequestContributor.java b/...on/AuthenticationProviderContributor.java → ...erverAuthorizeHttpRequestContributor.java
@@ -14,14 +14,20 @@
  * limitations under the License.
  */
 
-package com.bytechef.platform.security.web.authentication;
+package com.bytechef.embedded.ai.mcp.server.security.web.config;
 
-import org.springframework.security.authentication.AuthenticationProvider;
+import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor;
+import java.util.List;
+import org.springframework.stereotype.Component;
 
 /**
  * @author Ivica Cardic
  */
-public interface AuthenticationProviderContributor {
+@Component
+public class EmbeddedMcpServerAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor {
 
-    AuthenticationProvider getAuthenticationProvider();
+    @Override
+    public List<String> getApiPermitAllRequestMatcherPaths() {
+        return List.of("/api/embedded/sse");
+    }
 }
diff --git a/...bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerCsrfContributor.java b/...bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerCsrfContributor.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.embedded.ai.mcp.server.security.web.config;
+
+import com.bytechef.platform.annotation.ConditionalOnEEVersion;
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+@ConditionalOnEEVersion
+public class EmbeddedMcpServerCsrfContributor implements CsrfContributor {
+
+    @Override
+    public List<RequestMatcher> getIgnoringRequestMatchers() {
+        return List.of(
+            PathPatternRequestMatcher.withDefaults()
+                .matcher("/api/embedded/sse"));
+    }
+}
diff --git a/...ConnectedUserFilterBeforeContributor.java → ...uthenticationFilterBeforeContributor.java b/...ConnectedUserFilterBeforeContributor.java → ...uthenticationFilterBeforeContributor.java
@@ -5,9 +5,10 @@
  * you may not use this file except in compliance with the Enterprise License.
  */
 
-package com.bytechef.ee.embedded.security.web.filter;
+package com.bytechef.ee.embedded.security.web.config;
 
-import com.bytechef.platform.security.web.filter.FilterBeforeContributor;
+import com.bytechef.ee.embedded.security.web.filter.ConnectedUserApiAuthenticationFilter;
+import com.bytechef.platform.security.web.config.FilterBeforeContributor;
 import com.bytechef.platform.user.service.SigningKeyService;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import jakarta.servlet.Filter;
@@ -21,19 +22,19 @@
  * @author Ivica Cardic
  */
 @Component
-public class ConnectedUserFilterBeforeContributor implements FilterBeforeContributor {
+public class ConnectedUserApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor {
 
     private final SigningKeyService signingKeyService;
 
     @SuppressFBWarnings("EI")
-    public ConnectedUserFilterBeforeContributor(SigningKeyService signingKeyService) {
+    public ConnectedUserApiAuthenticationFilterBeforeContributor(SigningKeyService signingKeyService) {
         this.signingKeyService = signingKeyService;
     }
 
     @Override
     @SuppressFBWarnings("EI")
     public Filter getFilter(AuthenticationManager authenticationManager) {
-        return new ConnectedUserAuthenticationFilter(authenticationManager, signingKeyService);
+        return new ConnectedUserApiAuthenticationFilter(authenticationManager, signingKeyService);
     }
 
     @Override

diff --git a/...serAuthenticationProviderContributor.java → ...serAuthenticationProviderContributor.java b/...serAuthenticationProviderContributor.java → ...serAuthenticationProviderContributor.java
@@ -5,10 +5,11 @@
  * you may not use this file except in compliance with the Enterprise License.
  */
 
-package com.bytechef.ee.embedded.security.web.authentication;
+package com.bytechef.ee.embedded.security.web.config;
 
 import com.bytechef.ee.embedded.connected.user.service.ConnectedUserService;
-import com.bytechef.platform.security.web.authentication.AuthenticationProviderContributor;
+import com.bytechef.ee.embedded.security.web.authentication.ConnectedUserAuthenticationProvider;
+import com.bytechef.platform.security.web.config.AuthenticationProviderContributor;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.stereotype.Component;

diff --git a/...l/src/main/java/com/bytechef/ee/embedded/security/web/config/EmbeddedCsrfContributor.java b/...l/src/main/java/com/bytechef/ee/embedded/security/web/config/EmbeddedCsrfContributor.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.ee.embedded.security.web.config;
+
+import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher;
+
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class EmbeddedCsrfContributor implements CsrfContributor {
+
+    @Override
+    public List<RequestMatcher> getIgnoringRequestMatchers() {
+        return List.of(
+            regexMatcher("^/api/embedded/v[0-9]+/.+"),
+            // For internal calls from the embedded workflow builder
+            request -> request.getHeader("Authorization") != null);
+    }
+}
diff --git a/...er/ConnectedUserAuthenticationFilter.java → ...ConnectedUserApiAuthenticationFilter.java b/...er/ConnectedUserAuthenticationFilter.java → ...ConnectedUserApiAuthenticationFilter.java
@@ -8,7 +8,7 @@
 package com.bytechef.ee.embedded.security.web.filter;
 
 import com.bytechef.ee.embedded.security.web.authentication.ConnectedUserAuthenticationToken;
-import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter;
+import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter;
 import com.bytechef.platform.user.service.SigningKeyService;
 import com.bytechef.tenant.domain.TenantKey;
 import com.bytechef.tenant.util.TenantUtils;
@@ -31,7 +31,7 @@
  *
  * @author Ivica Cardic
  */
-public class ConnectedUserAuthenticationFilter extends AbstractPublicApiAuthenticationFilter {
+public class ConnectedUserApiAuthenticationFilter extends AbstractApiAuthenticationFilter {
 
     private static final Pattern EXTERNAL_USER_ID_PATTERN = Pattern.compile(".*/v\\d+/([^/]+)/.*");
     private static final Pattern JWT_TOKEN_PATTERN =
@@ -40,7 +40,7 @@ public class ConnectedUserAuthenticationFilter extends AbstractPublicApiAuthenti
     private final SigningKeyService signingKeyService;
 
     @SuppressFBWarnings("EI")
-    public ConnectedUserAuthenticationFilter(
+    public ConnectedUserApiAuthenticationFilter(
         AuthenticationManager authenticationManager, SigningKeyService signingKeyService) {
 
         super("^/api/embedded/v[0-9]+/.+|^/api/(?:automation|embedded|platform)/internal/.+", authenticationManager);