graphql-java-kickstart / graphql-spring-boot

GraphQL and GraphiQL Spring Framework Boot Starters - Forked from oembedler/graphql-spring-boot due to inactivity.
https://www.graphql-java-kickstart.com/spring-boot/
MIT License

Basic Auth asked on all endpoints when adding GraphiQL or Altair dependencies #386

Closed GuillaumeDesforges closed 4 years ago

GuillaumeDesforges commented 4 years ago

I need to add a GraphQL endpoint to a Spring Boot application with an existing REST API that uses @RestController and such.

When I add any of the GraphQL tools as a dependency, such as altair-spring-boot-starter or graphiql-spring-boot-starter for example, and run the server, I am suddenly asked to provide a Basic Auth on all endpoints even though the base application does not require one.

diff of pom.xml

+               <dependency>
+                       <!-- GraphQL starter (adds core and servlet) -->
+                       <groupId>com.graphql-java-kickstart</groupId>
+                       <artifactId>graphql-spring-boot-starter</artifactId>
+                       <version>7.0.0</version>
+               </dependency>
+               <dependency>
+                       <!-- GraphQL Tool -->
+                       <groupId>com.graphql-java-kickstart</groupId>
+                       <artifactId>graphql-java-tools</artifactId>
+                       <version>6.0.0</version>
+               </dependency>
+               <dependency>
+                       <!-- GraphiQL interactive tool -->
+                       <groupId>com.graphql-java-kickstart</groupId>
+                       <artifactId>graphiql-spring-boot-starter</artifactId>
+                       <version>7.0.0</version>
+                       <scope>runtime</scope>
+               </dependency>
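
Review bot: the last dependency in this hunk, graphiql-spring-boot-starter, is added with <scope>runtime</scope> and no Maven profile around it, so the interactive GraphiQL console is on the runtime classpath of every build of the application, not only development ones. If the console is only wanted during development, move that dependency into a development profile. The versions are also hard-coded per dependency (7.0.0 twice, 6.0.0 for graphql-java-tools); a shared property for the two 7.0.0 starters would keep them in step.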

Two questions then:

Thanks

oliemansm commented 4 years ago

These libraries don't pull in spring-security as a dependency. Some rely on it compileOnly, but that shouldn't affect you. It's only used if Spring Security is found on the classpath at runtime, to ensure GraphiQL sends along a CSRF token with its requests, for example.

You should be able to see in your dependencies graph as loaded by your IDE which package is pulling in spring-security and causing this.

GuillaumeDesforges commented 4 years ago

I do have Spring Security as a dependency.

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

Do you mean that using it for the rest of the application also triggers GraphiQL to use it? I still don't understand why this affects all HTTP requests to the server (especially on the endpoints of my RestController) and not only those on /graphiql.

oliemansm commented 4 years ago

It doesn't add any specific rules for security. It relies on your existing Spring Security configuration to take care of that. If you use Spring Security you probably have a WebSecurityConfigurerAdapter somewhere to fine-tune the security settings for your app. You should add /graphiql and possibly /graphql to it to exclude it from those security settings. If you don't, the default kicks in and everything is secure.
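
One way to write the configuration described in the reply above, for Spring Security 5.x. This is an added example, not part of the thread or of the project's code; the class name `ApiSecurityConfig` and the `/api/**` prefix for the existing REST controllers are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. Declaring an explicit configuration like this one
// replaces the default that applies when spring-boot-starter-security is on
// the classpath and nothing else is configured: every request authenticated,
// with HTTP Basic offered.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The GraphiQL console page named in the thread. If the page
                // loads static assets from the application itself, their
                // paths have to be listed here as well.
                .antMatchers("/graphiql").permitAll()
                // The GraphQL endpoint itself. The thread says "possibly":
                // switch this to permitAll() only if the API is meant to be
                // reachable without credentials.
                .antMatchers("/graphql").authenticated()
                // Assumed prefix of the existing @RestController endpoints,
                // which the poster describes as not requiring authentication.
                .antMatchers("/api/**").permitAll()
                // Anything not listed above stays behind authentication.
                .anyRequest().authenticated()
            .and()
            // Same mechanism the poster was prompted with, now limited to
            // the paths that are not explicitly opened.
            .httpBasic();
        // CSRF protection is left at its default (enabled); per the thread,
        // GraphiQL sends the CSRF token along with its requests when
        // Spring Security is on the classpath.
    }
}
```

Rules are evaluated in order, so the specific paths must come before `anyRequest()`.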

GuillaumeDesforges commented 4 years ago

Many thanks for the quick reply and clear indications, I will investigate with that in mind.

GuillaumeDesforges commented 4 years ago

My bad: it wasn't when adding a GraphQL tool dependency but when adding graphql-spring-boot-starter from com.graphql-java-kickstart. Seems like my IDE played a trick on me with a weird "Launch" mechanism.

When I add only Altair for example it works properly.