Index: ReserveNGo-backend/src/main/java/mk/ukim/finki/it/reservengo/config/WebSecurityConfig.java
===================================================================
--- ReserveNGo-backend/src/main/java/mk/ukim/finki/it/reservengo/config/WebSecurityConfig.java	(revision 0f3afae618d9792bfe8ecc399fe90d5d2f2b1490)
+++ ReserveNGo-backend/src/main/java/mk/ukim/finki/it/reservengo/config/WebSecurityConfig.java	(revision ac41d70c5bb293177cc03cfec11da1fbd8c91ad8)
@@ -4,4 +4,5 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -37,9 +38,13 @@
                         .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                 .authorizeHttpRequests((requests) -> requests
+                        .requestMatchers(HttpMethod.OPTIONS,"/**").permitAll()
                         .requestMatchers(
-                                "/api/**",
+                                "api/auth/**",
                                 "/h2/**",
-                                "/favicon.ico")
+                                "/favicon.ico",
+                                "/api/locals/**")
                         .permitAll()
+                        .requestMatchers("/api/customer/**").hasRole("CUSTOMER")
+                        .requestMatchers("/api/admin/**").hasRole("ADMIN")
                         .anyRequest()
                         .authenticated()
@@ -61,5 +66,5 @@
                 registry.addMapping("/api/**")
                         .allowedOrigins("http://localhost:5173")
-                        .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD")
+                        .allowedMethods("*")
                         .allowedHeaders("*")
                         .allowCredentials(true);
@@ -67,4 +72,3 @@
         };
     }
-
 }