Closed andre-aktivconsultancy closed 1 week ago
Thanks for reporting @andre-aktivconsultancy. What you identified with the missing code to set the SecurityContext is very likely the issue. We will look into a fix in the coming week/next release. In the meantime, if you are blocked on this, we do appreciate any PR contributions as well if you have cycles to fix. We are a bit constrained on time due to conflicting priorities since we do not use websocket subscriptions internally.
@srinivasankavitha I'd like to emphasize that I tested against the handler that does contain the SecurityContext related code. The logs shared are with that handler. My knowledge of Spring Security is limited, I'd appreciate any pointers on what could be the issue. I am suspicious of the fact that the "Initialized connection for ..." log comes from a different thread, but really not sure if that is relevant.
Closing because websocket support now comes from Spring Graphql. See https://netflix.github.io/dgs/spring-graphql-integration/.
I have previously posted this on Stack Overflow, however I am more and more convinced that this is a bug in DGS, therefore I decided to open this issue.
I am working on a Graphql API and want to authenticate and authorize Graphql requests. I have the setup working just fine for queries/mutations. However, with subscriptions I am running into some issues.
Expected behavior
I expect the @Secured annotation to work on a @DgsSubscription method.
Actual behavior
The Security Context is cleared before the websocket for the subscription is initialized.
Versions
graphql-dgs-platform-dependencies: 5.2.4
spring-boot-starter-parent: 2.7.3
Steps to reproduce
I have this datafetcher:
This SecurityFilter chain:
I have set up the graphql client to pass the jwt token as access_token query parameter.
I get the following logs:
Additional info
I deliberately tested this using the WebsocketGraphQLWSProtocolHandler. This one contains code to set the SecurityContext. The WebsocketGraphQLTransportWSProtocolHandler does not contain such code, which makes me wonder if that is a bug by itself.
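As an added illustration (not code from the issue author or from DGS), the Java snippet below shows the mechanism behind the symptom reported above: Spring Security's SecurityContextHolder is ThreadLocal-backed by default, so an Authentication bound on the thread that handled the handshake is simply not visible on a second thread unless it is copied there explicitly, which is exactly the kind of work a websocket protocol handler has to do before @Secured can see a principal. It assumes spring-security-core on the classpath; the principal, its role, and the single-thread executor standing in for the websocket session thread are all constructed for the demo.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustration only (not DGS code): SecurityContextHolder uses a ThreadLocal
 * strategy by default, so an Authentication set on the HTTP/handshake thread
 * is invisible on the thread that later runs the websocket session unless the
 * context is carried over on purpose.
 */
public class SecurityContextPropagationDemo {

    // Name of the authenticated principal bound to the *current* thread,
    // or "anonymous" when no Authentication is bound at all.
    static String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "anonymous" : auth.getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample principal. A real deployment would build this from
        // the JWT passed as the access_token query parameter on the handshake.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new TestingAuthenticationToken("andre", "n/a", "ROLE_USER"));
        SecurityContextHolder.setContext(ctx);

        System.out.println("handshake thread sees: " + whoAmI());

        // Stands in for the thread that services the websocket session (hypothetical).
        ExecutorService sessionThread = Executors.newSingleThreadExecutor();
        try {
            // 1. Plain hand-off: the session thread has its own, empty, context.
            //    This is what a handler that never sets the SecurityContext looks
            //    like to a @Secured method, regardless of what the handshake saw.
            Callable<String> probe = SecurityContextPropagationDemo::whoAmI;
            System.out.println("session thread, no propagation: " + sessionThread.submit(probe).get());

            // 2. Explicit propagation: DelegatingSecurityContextRunnable binds the
            //    captured context on the session thread for the duration of the
            //    task and restores the previous context afterwards.
            String[] seen = new String[1];
            Runnable task = new DelegatingSecurityContextRunnable(() -> seen[0] = whoAmI(), ctx);
            sessionThread.submit(task).get();
            System.out.println("session thread, with propagation: " + seen[0]);
        } finally {
            sessionThread.shutdown();
            // Always clear the thread-bound context when done so it cannot leak
            // into whatever work the thread picks up next.
            SecurityContextHolder.clearContext();
        }
    }
}
```

The second case is the shape of the fix the thread is circling around: whichever thread ends up invoking the @DgsSubscription method must have the handshake's SecurityContext bound on it, and must clear it again when the session closes.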