Update SecurityConfig.java

Add "/metadata" to authExceptions so that you don't need a bearer token to get a CapabilityStatement.

api/src/main/java/gov/cms/ab2d/api/security/SecurityConfig.java

@@ -47,7 +47,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     private final String[] authExceptions = new String[]{"/swagger-ui/**", "/configuration/**",
             "/swagger-resources/**", "/v3/api-docs/**", "/webjars/**",
-            AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT};
+            AKAMAI_TEST_OBJECT, "/favicon.ico", "/error", HEALTH_ENDPOINT, STATUS_ENDPOINT,
+            "/metadata"};
 
     @Override
     protected void configure(HttpSecurity security) throws Exception {