spring-graphql
EnableReactiveMethodSecurity docs/example for graphiql -> graphql (Same host/origin)
Can you please add a more detailed doc, or even better a runnable example, on how to get WebFlux secured for "graphiql" and "graphql" HTTP/WS via a Spring Security OAuth provider. Also, I tried to keep actuator endpoints open without authentication. I think it's a common pattern and it's not easy to get that working, if not even unsupported yet.
Below is some (sadly non-functional) code to explain a bit how far I got, but still without success. This request is in terms of better docs by example if the feature is there; otherwise it is a request for a feature that allows especially securing /graphiql/** (or another configured path for graphiql) being accessed without auth and a dedicated role. Also the question is whether the security headers (JWT token) are preserved downwards when triggering a GraphQL query/mutation/introspection from the graphiql UI to the same-domain GraphQL WS endpoint.
import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
@Profile("!keycloak")
public class SecurityConfig {
    static final class Roles { // placeholder values; the Roles class referenced by the snippet was not posted
        static final String AdminRole = "ADMIN";
        static final String ReaderRole = "READER";
        static final String WriterRole = "WRITER";
    }
    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        return http
            .csrf(spec -> spec.disable())
            .authorizeExchange(requests -> requests
                .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .matchers(EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class)).permitAll()
                .matchers(EndpointRequest.toAnyEndpoint()).hasRole(Roles.AdminRole)
                // /graphiql and /graphql are not actuator endpoints, so EndpointRequest never matches them; match the paths directly
                .pathMatchers("/graphiql/**").hasRole(Roles.AdminRole)
                .pathMatchers("/graphql").hasAnyRole(Roles.AdminRole, Roles.ReaderRole, Roles.WriterRole)
                .pathMatchers("/management/**").hasRole(Roles.AdminRole))
            .httpBasic(withDefaults())
            .formLogin(withDefaults())
            .logout(logout -> logout.logoutSuccessHandler(logoutSuccessHandler()))
            .build();
    }
    // assumed implementation: the snippet called logoutSuccessHandler() without defining it
    private ServerLogoutSuccessHandler logoutSuccessHandler() {
        return new RedirectServerLogoutSuccessHandler();
    }
}
For WebFlux security, you'll need to check the Spring Security reference docs. For GraphiQL, it should be no different than securing any URL path but in addition, related to introspection, there is also https://github.com/spring-projects/spring-boot/issues/29248.
Generally, the Security section in the reference docs is short, which reflects the fact that securing a Spring GraphQL application is no different than securing a web application. Mainly, Spring GraphQL needs to ensure context propagates from WebFlux to the data fetching layer so that you can use Security annotations or access the authenticated principal in @SchemaMapping methods. This should work for HTTP and WebSocket.
I would suggest that you go incrementally. Ensure the WebFlux application is secured, perhaps testing with a WebFlux controller. Then start working with Spring GraphQL, and let us know if you run into specific issues, and we can also use the experience to improve the docs, but as I mentioned, a lot of it will be in the Spring Security reference. We'll only make additions in Spring GraphQL that are necessary or specific to GraphQL.
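To illustrate the context-propagation point above, here is an added example that is not from this thread or from the Spring GraphQL project: a WebFlux @Controller whose mapped methods rely on reactive method security and the propagated principal, which applies equally to the HTTP and WebSocket transports. The schema, the BookController name and the role names are assumptions.

```java
import java.security.Principal;

import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.MutationMapping;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.stereotype.Controller;

// Hypothetical schema assumed by this example:
//   type Query    { me: String!  books: [String!]! }
//   type Mutation { addBook(title: String!): String! }
@Controller
public class BookController {

    // The Principal argument is resolved from the security context that
    // Spring GraphQL propagates into the data-fetching layer.
    @QueryMapping
    public Mono<String> me(Principal principal) {
        return Mono.just(principal.getName());
    }

    // Reactive method security requires a Mono/Flux return type; the check
    // runs against the propagated context, for HTTP and WebSocket alike.
    @QueryMapping
    @PreAuthorize("hasAnyRole('ADMIN', 'READER', 'WRITER')")
    public Flux<String> books() {
        return Flux.just("Spring in Action", "Reactive Spring"); // constructed sample data
    }

    // A caller without the role receives an error entry for this field
    // instead of the value; the rest of the operation still executes.
    @MutationMapping
    @PreAuthorize("hasAnyRole('ADMIN', 'WRITER')")
    public Mono<String> addBook(@Argument String title) {
        return ReactiveSecurityContextHolder.getContext()
            .map(ctx -> title + " added by " + ctx.getAuthentication().getName());
    }
}
```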
Yes, it's definitely doable. However, extending the examples code base would help a lot, as it seems there is no other example I could find from the community. Still on it: Spring Security OAuth + Keycloak + EnableReactiveMethodSecurity is giving me a hard time :-/
I'm still searching for a valid WebFlux/reactive example of how to inject/set up, per test in @SpringBootTest, a WebGraphQlTester which uses some dedicated OAuth client.
We'll consider this as part of #208.