More strictly defined authenticated routes.

backend/src/main/kotlin/uk/co/neviyn/observationdatabase/Security.kt

@@ -38,7 +38,7 @@ class CustomWebSecurityConfigurerAdapter : WebSecurityConfigurerAdapter() {
     @Throws(Exception::class)
     override fun configure(http: HttpSecurity) {
         http.csrf().disable().authorizeRequests()
-                .antMatchers(HttpMethod.POST, "/api/**").authenticated()
+                .antMatchers(HttpMethod.POST, "/api/site", "/api/tutor", "/api/observation").authenticated()
                 .anyRequest().permitAll()
                 .and()
                 .httpBasic()