CSRF kept (#589)

Author: z-sztrom

pom.xml

@@ -65,7 +65,7 @@
         <repository>
             <id>oracleReleases</id>
             <name>Oracle Released Java Packages</name>
-            <url>http://download.oracle.com/maven</url>
+            <url>https://download.oracle.com/maven</url>
             <layout>default</layout>
         </repository>
     </repositories>

src/main/java/com/ericsson/ei/EndpointSecurity.java

@@ -145,6 +145,12 @@ private void configureBasicAuth(HttpSecurity http) throws Exception {
 
     private void disableCSRF(HttpSecurity http) throws Exception {
         http.csrf()
+            // The application uses non-browser clients. Yes, there is swagger interface,
+            // but is's used only for testing/tuning.
+            //
+            // From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html
+            // "If you are creating a service that is used only by non-browser clients,
+            //  you likely want to disable CSRF protection."
             .disable();
     }