authentication in spring boot using graphql
I’m working on a spring boot project with graphql. I'm using graphql-java-tools and graphql-spring-boot-starter. I managed to configure security and session management with spring security as you can see in the java config files below.

Now the “/graphql” path is secured (it can be accessed only by sending “basic http authentication” or a session token (x-auth-token) in an http header of the request). Authenticating with “basic http authentication” on any graphql operation will start a new session and send back the new session token in a header, and that token can be used further to continue that session.

How to give access to anonymous users to some graphql queries/mutations while keeping the above behavior?

If I change antMatchers("/graphql").authenticated() to antMatchers("/graphql").permitAll() in order to allow anonymous access, then my custom AuthenticationProvider is not called anymore, even when I try to authenticate with “basic http authentication”.

Thanks!

Here are my configs:



```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom provider that performs the actual credential check for Basic auth
    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/graphql").authenticated()   // every GraphQL request needs a principal
                .and()
            .requestCache()
                .requestCache(new NullRequestCache())        // API: never redirect to a saved request
                .and()
            .httpBasic()                                     // Authorization: Basic ... is accepted on any request
                .and()
            .headers()
                .frameOptions().sameOrigin() // needed for H2 web console
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes session-destroyed events so the registry drops expired/invalidated sessions
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;

@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 180)
public class HttpSessionConfig {

    // Spring Session: the session id travels in the x-auth-token header (the strategy's default name)
    // instead of a cookie, both on the response that creates the session and on later requests.
    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        return new HeaderHttpSessionStrategy();
    }

}
```
Tags: authentication, spring-boot, spring-security, graphql, graphql-java
edited Sep 3 '17 at 7:11
asked Aug 30 '17 at 11:29 by Rolando Kozma
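The behaviour the question describes (Basic credentials on any GraphQL request start a header-based session, and the returned x-auth-token continues it) captured as an integration test. This is an added example, not code from the question's project: it assumes a Spring Boot 1.5 / JUnit 4 test setup with spring-boot-starter-test, a Redis instance reachable through the application's spring.redis.* settings (the configuration above uses @EnableRedisHttpSession, so the context will not start without one), and that the custom AuthenticationProvider accepts a test account alice / secret. The package name is a placeholder. A full servlet container is used rather than MockMvc because graphql-spring-boot-starter registers its own servlet at /graphql, which MockMvc does not dispatch to.

```java
package com.example.graphql;   // hypothetical package

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class GraphqlSessionFlowTest {

    // Every schema answers this query, so the test does not depend on the project's own types.
    private static final String BODY = "{\"query\":\"{ __typename }\"}";
    // Assumed test account that the custom AuthenticationProvider accepts.
    private static final String BASIC = "Basic " + Base64.getEncoder()
            .encodeToString("alice:secret".getBytes(StandardCharsets.UTF_8));

    @Autowired
    private TestRestTemplate rest;   // does not throw on 4xx, so status codes can be asserted

    private static HttpEntity<String> graphqlRequest(String headerName, String headerValue) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        if (headerName != null) {
            headers.set(headerName, headerValue);
        }
        return new HttpEntity<>(BODY, headers);
    }

    @Test
    public void anonymousRequestIsRejected() {
        ResponseEntity<String> r = rest.postForEntity("/graphql", graphqlRequest(null, null), String.class);
        // authenticated() + httpBasic(): the entry point answers 401 with WWW-Authenticate
        assertEquals(HttpStatus.UNAUTHORIZED, r.getStatusCode());
    }

    @Test
    public void basicAuthStartsSessionAndTokenContinuesIt() {
        // 1. Basic credentials on an ordinary GraphQL request: the provider is consulted, the
        //    security context is saved to a new Spring Session session, and its id comes back
        //    in x-auth-token (HeaderHttpSessionStrategy.onNewSession).
        ResponseEntity<String> first = rest.postForEntity("/graphql", graphqlRequest("Authorization", BASIC), String.class);
        assertEquals(HttpStatus.OK, first.getStatusCode());
        String token = first.getHeaders().getFirst("x-auth-token");
        assertNotNull("a session id should be issued", token);

        // 2. The token alone (no password) continues the session. No new id is issued because
        //    the requested session id was found and is still the current one.
        ResponseEntity<String> second = rest.postForEntity("/graphql", graphqlRequest("x-auth-token", token), String.class);
        assertEquals(HttpStatus.OK, second.getStatusCode());
        assertNull("existing session: no new id", second.getHeaders().getFirst("x-auth-token"));

        // 3. A token that resolves to no stored session is ignored, so the request is anonymous again.
        ResponseEntity<String> third = rest.postForEntity("/graphql", graphqlRequest("x-auth-token", "not-a-session"), String.class);
        assertEquals(HttpStatus.UNAUTHORIZED, third.getStatusCode());
    }
}
```

Step 3 is the check worth keeping around when the configuration changes: a header-carried session id is only as good as the server-side lookup, and a token that is accepted without a matching Redis entry would mean the session strategy is no longer in front of the security filter chain.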
2 Answers

(accepted answer)
          Instead of .antMatchers("/graphql").authenticated() we used .antMatchers("/graphql").permitAll(), then we removed .httpBasic() and also removed the custom AuthenticationProvider. Now the security configs look like this:



```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // authorization now happens per method, via @PreAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/graphql").permitAll()   // anonymous requests reach the GraphQL layer
                .and()
            .requestCache()
                .requestCache(new NullRequestCache())
                .and()
            // no httpBasic(): authentication happens in the login mutation shown below
            .headers()
                .frameOptions().sameOrigin() // needed for H2 web console
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

}
```



          Then we created a mutation for login that accepts the user's credentials and returns the session token. Here is the graphql schema:



```graphql
type Mutation {
    login(credentials: CredentialsInputDto!): String   # returns the session token
}

input CredentialsInputDto {
    username: String!
    password: String!
}
```


          Basically the code we had in our custom AuthenticationProvider went into the service that is called by the login operation:



```java
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

// Method of a Spring service bean; userDetailsService and httpSession are injected fields.
public String login(CredentialsInputDto credentials) {
    String username = credentials.getUsername();
    String password = credentials.getPassword();

    UserDetails userDetails = userDetailsService.loadUserByUsername(username);

    ... credential checks and third party authentication ...

    // The three-argument constructor marks the token as authenticated. Note that it also keeps
    // the raw password as credentials, and the whole context is serialised into the session store.
    Authentication authentication = new UsernamePasswordAuthenticationToken(username, password, userDetails.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authentication);
    // Same key as HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY
    httpSession.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
    return httpSession.getId();   // the value the client sends back as x-auth-token
}
```


The key is that we prepared the session context with the authenticated user's authentication and then saved it (in Redis) as a session attribute called "SPRING_SECURITY_CONTEXT". This is all that Spring needs to be able to automatically restore the context when you make a request with the "x-auth-token" header set to the value of the session token obtained from the login operation.

Now anonymous calls are also allowed because of .antMatchers("/graphql").permitAll(), and in the service layer, on public methods, we can use annotations like this: @PreAuthorize("isAnonymous() OR hasRole('USER')").
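A login mutation that reaches the same result as the accepted answer (a security context bound to a Spring Session session whose id is handed out as the token) but goes through Spring Security's own authentication path. This is an added example, not the answer's code. It assumes graphql-java-tools resolvers, a Mutation type declaring `login(credentials: CredentialsInputDto!): String` and `logout: Boolean`, the CredentialsInputDto from the answer (with getUsername/getPassword), and an AuthenticationManager bean, which the SecurityConfig above can expose by overriding `authenticationManagerBean()` with `@Bean`. Package and class names are placeholders.

```java
package com.example.graphql.security;   // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.coxautodev.graphql.tools.GraphQLMutationResolver;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Component;

@Component
public class AuthMutationResolver implements GraphQLMutationResolver {

    private final AuthenticationManager authenticationManager;
    private final HttpServletRequest request;   // Spring injects a request-scoped proxy into this singleton

    public AuthMutationResolver(AuthenticationManager authenticationManager, HttpServletRequest request) {
        this.authenticationManager = authenticationManager;
        this.request = request;
    }

    /** login mutation: authenticate through the manager, so the registered AuthenticationProvider
     *  runs its own checks (credentials, account status) exactly as it would for Basic auth. */
    public String login(CredentialsInputDto credentials) {
        Authentication attempt = new UsernamePasswordAuthenticationToken(
                credentials.getUsername(), credentials.getPassword());
        Authentication result;
        try {
            result = authenticationManager.authenticate(attempt);
        } catch (AuthenticationException e) {
            // One message for unknown user and wrong password: no username enumeration through the API.
            throw new BadCredentialsException("Invalid credentials");
        }
        // ProviderManager erases the credentials on the returned token by default, so the raw
        // password is not serialised into Redis together with the security context.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);

        // Drop whatever session the caller already had and issue a fresh id (session fixation
        // protection), then bind the context under the key the repository reads on later requests.
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
        return session.getId();   // the client sends this back as x-auth-token
    }

    /** logout mutation: invalidating the session deletes it from Redis, so the token stops
     *  working immediately rather than at the 180 s inactivity timeout. */
    public boolean logout() {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
        return true;
    }
}
```

Because the new session's id differs from the one the request arrived with, Spring Session also writes it to the x-auth-token response header, so the token is available both in the mutation result and in the header, the same place the Basic-auth flow in the question put it. The mutation itself must of course be callable anonymously; with the answer's per-method authorization that means not annotating it with a `@PreAuthorize` that requires a role.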
Even though you need to use permitAll(), you can still create a reasonable default for your resolver methods using AOP.

You can create your custom security aspect that will require authentication by default.

Unsecured methods may be marked, for example, using an annotation.

See my blog post for details: https://mi3o.com/spring-graphql-security
            • Blog post assisted me tremendously regarding this issue, great work!
              – Jordan
              Nov 12 at 2:19
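One way to build the default-deny aspect this answer describes, as an added example (not the answer's or the linked post's code). Assumed: spring-boot-starter-aop on the classpath, the graphql-java-tools resolver interfaces GraphQLQueryResolver / GraphQLMutationResolver, and `spring.aop.proxy-target-class=true` so that resolver beans are subclass (CGLIB) proxies: graphql-java-tools discovers resolver methods by reflecting on the bean's class, and a JDK interface proxy would hide them. The annotation name AllowAnonymous and the package are placeholders.

```java
package com.example.graphql.security;   // hypothetical package

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

/** Opt-out marker: a resolver method anonymous callers may invoke (e.g. the login mutation). */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface AllowAnonymous {
}

/** Default-deny for GraphQL resolvers: every public resolver method requires an authenticated,
 *  non-anonymous caller unless it is explicitly annotated with @AllowAnonymous. */
@Aspect
@Component
public class ResolverAuthenticationAspect {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Before("execution(public * *(..))"
          + " && (target(com.coxautodev.graphql.tools.GraphQLQueryResolver)"
          + "  || target(com.coxautodev.graphql.tools.GraphQLMutationResolver))"
          + " && !@annotation(com.example.graphql.security.AllowAnonymous)")
    public void requireAuthenticatedCaller(JoinPoint joinPoint) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // AnonymousAuthenticationToken reports isAuthenticated() == true, so the trust
        // resolver check is what actually distinguishes a logged-in user from an anonymous one.
        if (auth == null || !auth.isAuthenticated() || trustResolver.isAnonymous(auth)) {
            throw new AuthenticationCredentialsNotFoundException(
                    "authentication required: " + joinPoint.getSignature().toShortString());
        }
    }
}
```

Because the exception is raised inside a data fetcher, graphql-java reports it as an entry in the response's errors array (HTTP 200) rather than as a 401; clients have to look at errors, not at the status code. The point of the aspect is the failure mode it prevents: with permitAll() on /graphql, a resolver someone forgets to annotate is closed by default instead of open.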
answered Sep 6 '17 at 8:59 by Rolando Kozma (the accepted answer above)
























                    up vote
                    1
                    down vote













                    Even though you need to use permitAll(), you can still create a reasonable default for your resolver methods using AOP.

                    You can create your custom security aspect that will require authentication by default.

                    Unsecured methods may be marked, for example, using an annotation.

                    See my blog post for details: https://mi3o.com/spring-graphql-security

                    edited Nov 9 at 22:12 by jwpfox
                    answered Nov 9 at 21:53 by Michal Gebauer

                    • Blog post assisted me tremendously regarding this issue, great work!
                      – Jordan
                      Nov 12 at 2:19
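A default-deny aspect of the kind this answer describes, as an added example (not the blog post's code): every public method of a graphql-java-tools resolver bean is rejected unless the caller is genuinely authenticated, and an `@Unsecured` annotation opts individual methods out. The package name, the annotation name and the choice of AccessDeniedException are assumptions; the graphql-java-tools package `com.coxautodev.graphql.tools` is the pre-6.x one the 2017 question would have used. It needs spring-boot-starter-aop on the classpath and assumes the resolvers still resolve correctly once wrapped in Spring's CGLIB subclass proxies (Spring Boot's default); if that is a problem, point the pointcut at the service package the resolvers call instead. In a real project the annotation gets its own file.

```java
package com.example.graphql.security; // assumed package name, not from the page

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

/** Opt-out marker (assumed name): a resolver method carrying it may be called without a session. */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface Unsecured {
}

/**
 * Default-deny guard for graphql-java-tools resolvers: matches every public method of a bean
 * implementing one of the resolver marker interfaces (query, mutation and per-type field
 * resolvers) unless the method is annotated @Unsecured. A resolver added later without any
 * annotation is therefore closed by default instead of silently exposed through permitAll().
 */
@Aspect
@Component
public class ResolverSecurityAspect {

    @Before("(target(com.coxautodev.graphql.tools.GraphQLQueryResolver)"
          + " || target(com.coxautodev.graphql.tools.GraphQLMutationResolver)"
          + " || target(com.coxautodev.graphql.tools.GraphQLResolver))"
          + " && execution(public * *(..))"
          + " && !@annotation(com.example.graphql.security.Unsecured)")
    public void requireAuthentication(JoinPoint joinPoint) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // With permitAll() on /graphql an unauthenticated caller still reaches the resolver; the
        // anonymous filter gives it an AnonymousAuthenticationToken, which must not count as logged in.
        boolean loggedIn = auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        if (!loggedIn) {
            throw new AccessDeniedException(
                    "authentication required for " + joinPoint.getSignature().toShortString());
        }
    }
}
```

The aspect only answers "is anyone logged in"; role checks such as `@PreAuthorize("hasRole('USER')")` still belong on the methods that need them. graphql-java reports the thrown AccessDeniedException as an error entry for that field rather than failing the whole HTTP request, so a single batched document mixing `@Unsecured` and guarded fields returns data for the former and an error for the latter, which is the behaviour you want to confirm in a test before relying on it.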


















                     
