Spring Security + GraphQL (Spring 3.2.2)


I am using Spring for both security and GraphQL.

First I want to quote this from the Spring GraphQL documentation: 'The path to a Web GraphQL endpoint can be secured with HTTP URL security to ensure that only authenticated users can access it.'

So I have created a normal Spring Security configuration and tested it on a dummy controller, and all went well.

When I tried it on a @QueryMapping I received a 403 with no error message.

I have tried to debug it, and there is an authorization check that is failing because the context contains an anonymous user instead of the one I injected in my security filter.

I have fixed it by putting .permitAll() on /graphql and using AOP to validate my request, but is this a bug or expected behavior?

Have a look at my security configuration (it was just the same but without the GraphQL permitAll):

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  return http
    // Authorization rules (CORS and CSRF are disabled further down)
    .authorizeHttpRequests(auth -> auth
      .requestMatchers("/public/**").permitAll()
      .requestMatchers("/swagger-ui/**").permitAll()
      .requestMatchers("/v3/api-docs/**").permitAll()
      .requestMatchers("/error").permitAll()
      // Workaround from the question: GraphQL requests are validated with AOP instead
      .requestMatchers("/graphql/**").permitAll()
      .requestMatchers("/actuator/**").permitAll()
      .requestMatchers("/**").hasRole("LOGIN")
      .anyRequest()
      .authenticated())
    // No HTTP session; every request must carry its own JWT
    .sessionManagement(session -> session
      .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
    // The JWT filter populates the SecurityContext before the username/password filter would run
    .addFilterBefore(this.jwtTokenFilter, UsernamePasswordAuthenticationFilter.class)
    .cors(cors -> cors.disable())
    .csrf(csrf -> csrf.disable())
    .build();
}

UPDATE: I found out what exactly the issue is: the resolver (@QueryMapping) is wrapped internally in a CompletableFuture. After it runs, the CompletableFuture clears the context, and then another internal filter checks the authorities, finds that the context has been replaced by an anonymous context, and returns 403.

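As an added, stand-alone illustration of the context-loss mechanism the update describes (example code written for this page, not from the question or from Spring GraphQL), assuming only spring-security-core is on the classpath and using a constructed test principal: with the default thread-local strategy a task handed to another thread sees no Authentication, while an executor wrapped in Spring Security's DelegatingSecurityContextExecutor carries the caller's context onto the worker and clears it again afterwards.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextExecutor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContextPropagationDemo {

    // Name of the principal visible on the thread that runs this method, or "anonymous" if none.
    static String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "anonymous" : auth.getName();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for what a JWT filter does on the request thread (constructed principal, not real credentials).
        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken("alice", "n/a", "ROLE_LOGIN"));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Default MODE_THREADLOCAL: the worker thread has its own empty SecurityContext,
            // so an authorization check running there sees an anonymous caller.
            String onPlainPool = CompletableFuture
                .supplyAsync(ContextPropagationDemo::whoAmI, pool).get();
            System.out.println("plain executor      -> " + onPlainPool);

            // DelegatingSecurityContextExecutor captures the submitting thread's context when
            // execute() is called, installs it on the worker for the task, then clears it.
            Executor propagating = new DelegatingSecurityContextExecutor(pool);
            String onDelegating = CompletableFuture
                .supplyAsync(ContextPropagationDemo::whoAmI, propagating).get();
            System.out.println("delegating executor -> " + onDelegating);
        } finally {
            pool.shutdown();
            SecurityContextHolder.clearContext();
        }
    }
}
```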